Unlearning or Obfuscating? Jogging the Memory of Unlearned LLMs via Benign Relearning
This work highlights a critical security flaw in current unlearning techniques for LLMs, showing they only suppress outputs rather than robustly forget knowledge, which is a problem for AI safety and privacy applications.
The authors demonstrated that existing machine unlearning methods for LLMs are vulnerable to benign relearning attacks, where small, loosely related datasets can reverse unlearning effects, such as causing an unlearned model to output harmful bioweapons knowledge or verbatim memorized text.
Machine unlearning is a promising approach to mitigate undesirable memorization of training data in ML models. However, in this work we show that existing approaches for unlearning in LLMs are surprisingly susceptible to a simple set of $\textit{benign relearning attacks}$. With access to only a small and potentially loosely related set of data, we find that we can ''jog'' the memory of unlearned models to reverse the effects of unlearning. For example, we show that relearning on public medical articles can lead an unlearned LLM to output harmful knowledge about bioweapons, and relearning general wiki information about the book series Harry Potter can force the model to output verbatim memorized text. We formalize this unlearning-relearning pipeline, explore the attack across three popular unlearning benchmarks, and discuss future directions and guidelines that result from our study. Our work indicates that current approximate unlearning methods simply suppress the model outputs and fail to robustly forget target knowledge in the LLMs.