Adversarial Unlearning Bypass

Description: Large Language Models (LLMs) employing gradient-ascent based unlearning methods are vulnerable to a dynamic unlearning attack (DUA). DUA leverages optimized adversarial suffixes appended to prompts, reintroducing unlearned knowledge even without access to the unlearned model's parameters. This allows an attacker to recover sensitive information previously designated for removal.

Examples: See the paper for specific examples of adversarial suffixes and their impact on unlearning different knowledge targets across various scenarios. The paper demonstrates successful retrieval of unlearned knowledge in 55.2% of tested cases, even without access to the unlearned model.

Impact: Successful exploitation of this vulnerability leads to the unintended disclosure of sensitive information previously removed from an LLM through unlearning. This compromises data privacy and confidentiality, violating the "right to be forgotten." The recovered knowledge can be used for malicious purposes such as reputational damage, intellectual property theft, or identity theft.

Affected Systems: Large Language Models (LLMs) utilizing gradient-ascent-based unlearning techniques, specifically those vulnerable to adversarial prompt engineering. The paper shows vulnerability in Llama-3-8B-Instruct models.

Mitigation Steps:

• Implement the Latent Adversarial Unlearning (LAU) framework to enhance the robustness of the unlearning process.
• Integrate techniques like adversarial training during the unlearning phase to make the model more resistant to adversarial queries.
• Develop and deploy robust detection mechanisms to identify and filter malicious prompts attempting to recover unlearned knowledge. Monitor model behavior for unexpected outputs related to unlearned topics.
• Regularly update and retrain LLMs using improved unlearning methods to minimize vulnerabilities.