Collaborative Research: SaTC: CORE: Small: Security and Privacy in Machine Unlearning

A number of privacy-related laws include a "right to be forgotten", in which people can demand that a company that collects personal data stop using their data. When the data has already been incorporated into machine learning (ML) models, companies are increasingly using a set of techniques called "machine unlearning" that adjust the models to remove the influence of that data.

Existing work on machine unlearning methods has mostly focused on their efficiency and effectiveness. However, unlearning methods provide attackers with two new capabilities: first, the ability to observe multiple versions of the model over time, and second, the potential to remove samples to modify the model. This project's goal is to better understand and defend against security and privacy risks that might arise around those capabilities.

The work is organized around three thrusts: (1) investigating backdoor and model stealing attacks that exploit the unlearning process, (2) designing enhanced privacy-centric attacks like membership inference and data reconstruction, and (3) strategies to detect malicious unlearning requests and improve model resilience for unlearning, especially concentrating on fortifying regions adjacent to decision boundaries. The broader significance and importance of the project include transferring technologies to industry, increasing the research involvement of members of groups historically underrepresented in computing, and disseminating outcomes through K-12 outreach and community services.

This project is jointly funded by Secure and Trustworthy Cyberspace (SaTC) and the Established Program to Stimulate Competitive Research (EPSCoR).

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.