Unlearning's Blind Spots: Over-Unlearning and Prototypical Relearning Attack

Machine unlearning (MU) aims to expunge a designated forget set from a trained model without costly retraining, yet the existing techniques overlook two critical blind spots: “over-unlearning” that deteriorates retained data near the forget set, and post-hoc “relearning” attacks that aim to resurrect the forgotten knowledge. Focusing on class-level unlearning, we first derive an over-unlearning metric, OU@epsilon, which quantifies collateral damage in regions proximal to the forget set, where over-unlearning mainly appears. Next, we expose an unforeseen relearning threat on MU, i.e., the Prototypical Relearning Attack, which exploits the per-class prototype of the forget class with just a few samples, and easily restores the pre-unlearning performance. To counter both blind spots in class-level unlearning, we introduce Spotter, a plug-and-play objective that combines (i) a masked knowledge-distillation penalty on the nearby region of forget classes to suppress OU@epsilon, and (ii) an intra-class dispersion loss that scatters forget-class embeddings, neutralizing Prototypical Relearning Attacks. Spotter achieves state-of-the-art results across CIFAR, TinyImageNet, and CASIA-WebFace datasets, offering a practical remedy to unlearning’s blind spots.

💡 Research Summary

Machine unlearning (MU) promises to remove the influence of a designated forget set from a trained model without the prohibitive cost of full retraining. While recent work has demonstrated that MU can effectively erase target data, this paper uncovers two critical blind spots that have been largely ignored in class‑level unlearning.

1. Over‑unlearning.
When a model is unlearned, the decision boundary often shifts not only for the forget classes but also for retained samples that lie close to that boundary. This collateral damage—called over‑unlearning—degrades the performance of retained data, especially in the vicinity of the forget set. To quantify this effect, the authors introduce a novel metric OU@ε. They first construct a perturbed set Aε(Df) by applying ε‑bounded perturbations (e.g., PGD attacks) to each forget sample. For each perturbed example they compute a masked softmax that zeroes out the forget classes and renormalizes the probabilities over the retained classes. OU@ε is the expected divergence (KL or JS) between the original model’s masked distribution and the unlearned model’s distribution on Aε(Df). Because it relies solely on forget samples, OU@ε can be evaluated without any access to the retained dataset, making it practical for deployed services that expose only the model.

2. Prototypical Relearning Attack (PRA).
Even after a model has been “forgotten,” an adversary can often restore the erased knowledge with only a handful of examples from the forget class. The paper proposes PRA, which leverages the fact that many unlearning methods leave the latent class representations largely intact. By computing a class prototype p(c)θ as the average feature vector of a few forget samples (sometimes just one), the attacker can reconstruct a linear classifier: either using cosine similarity (ˆw_c = p(c)θ / ‖p(c)θ‖) or an L2‑based formulation (ˆw_c = 2 p(c)θ, ˆb_c = –‖p(c)θ‖²/2). This prototype‑based classifier can be plugged directly into the unlearned feature extractor, achieving near‑original forget‑class accuracy (Acc_f) after a single epoch of fine‑tuning, while causing negligible degradation to retained accuracy. Experiments on CIFAR‑10 show that PRA restores >90 % of the original forget‑class accuracy with less than a 1 % drop in overall accuracy, far outperforming generic fine‑tuning attacks.

3. Spotter: a plug‑and‑play remedy.
To simultaneously mitigate over‑unlearning and neutralize PRA, the authors design Spotter, which adds two complementary losses to any existing MU pipeline:

Masked Knowledge Distillation (MKD). For each perturbed sample in Aε(Df), Spotter penalizes the KL divergence between the original model’s masked softmax output and the unlearned model’s output. This directly minimizes OU@ε, encouraging the unlearned model to retain the original decision landscape for retained classes near the forget boundary.

Intra‑class Dispersion (ICD) loss. Spotter explicitly pushes the embeddings of forget‑class samples apart, maximizing intra‑class variance (e.g., by minimizing cosine similarity among them). By scattering these features, the class prototype becomes diffuse, rendering PRA ineffective because a prototype computed from a few samples no longer approximates the original class centroid.

Both components are lightweight and can be attached to a variety of MU methods (parameter masking, boundary shifting, existing KD‑based approaches).

4. Empirical evaluation.
The authors evaluate Spotter on three vision benchmarks: CIFAR‑10/100, TinyImageNet, and CASIA‑WebFace (a face‑recognition dataset where each forget class corresponds to an individual identity). Using ResNet‑18/34 and WideResNet backbones, they compare Spotter‑augmented MU against several baselines: raw unlearning, parameter reset, existing knowledge‑distillation MU, and the recent Boundary‑Shrink method.

Key findings:

• OU@ε is reduced by 30‑40 % on average when Spotter is applied, indicating substantially less collateral degradation in the forget‑adjacent region.
• PRA’s success rate drops dramatically: Acc_f after PRA falls below 5 % for Spotter‑protected models, whereas baseline MU methods still allow PRA to recover 30‑50 % of the original forget accuracy.
• Retained accuracy (Acc_r) is preserved within a 1 % margin, confirming that Spotter does not sacrifice utility for privacy.
• In the face‑recognition scenario, Spotter successfully prevents the reconstruction of a person’s identity from as few as two images, while maintaining overall verification performance.

5. Contributions and impact.
The paper makes three substantive contributions: (i) a data‑free, boundary‑focused metric OU@ε for measuring over‑unlearning; (ii) the identification and demonstration of a powerful few‑shot prototypical relearning attack in the vision domain; and (iii) Spotter, a simple yet effective plug‑in that simultaneously addresses both issues. By exposing these blind spots and offering a practical countermeasure, the work advances the reliability of MU for real‑world, privacy‑sensitive AI systems and sets a new benchmark for future research on secure and accountable model erasure.