Flexible, Efficient, and Stable Adversarial Attacks on Machine Unlearning

We would like to thank the reviewer for the helpful and constructive comments. We have tried our best to address your concerns. We will include all the analyses, duscussions, and experimental results in this rebuttal into the submission. Due to the limit of 5000 characters, if anything remains unclear, post-rebuttal comments are appreciated.

1. Scalability not fully tested (lacks large-scale datasets like ImageNet-1K).

As shown in Table 1 [ https://anonymous.4open.science/r/sup_materials ], we evaluate all methods on ResNet-18 with ImageNet-1K. Our method achieves the highest unlearning ASR (82.11 ± 1.42) with competitive runtime (22,561 seconds), demonstrating both effectiveness and scalability in large-scale settings.

2. Computational Efficiency (Claims And Evidence)

We break down the total runtime into poisoning, training, and unlearning stages for clarity. As shown in Table 2 [ https://anonymous.4open.science/r/sup_materials/timing_comparison_table.pdf ], DDPA consistently incurs lower cost across all three stages. This is because DDPA generates a single poisoned dataset that supports multiple attack targets, while baselines must create a new poisoned dataset for each target. As the number of requests increases, their cumulative training time grows rapidly, whereas DDPA remains low and stable.

3. Target-Agnostic Adaptability (Claims And Evidence)

We extend our DDPA method to the setting of federated learning (FL). As shown in Table 5 [ https://anonymous.4open.science/r/sup_materials/fed_comparison_table.pdf ], even in the FL environment, DDPA can still achieve very high attack performance. We will include these results in the submission.

In black-box settings, attackers can train a surrogate model using input-output pairs from public APIs. Once the surrogate mimics the target model, DDPA computes thrust vectors and crafts poisoned data. Since our approach guides model updates via data removal rather than relying on direct gradient manipulation, the poisoning strategy can transfer from the surrogate to the target model, making the attack applicable in black-box settings.

4. Intuitive explanation for some derivations (Theoretical Claims)

We include a concrete example to illustrate Theorems 3.1--3.4. Using a 2D regular simplex with centroid at the origin, we compute the inscribed radius as $r = \frac{\sqrt{3}}{6} \approx 0.2887$, with tangency points satisfying the barycentric condition (Theorem 3.1). The area from Theorem 3.2 yields $3\sqrt{3} \approx 5.196$, and the regularity measure in Theorem 3.3 evaluates to 1. In Theorem 3.4, equal edge lengths and centroid alignment yield an effective proportion $\rho = 0.866$.

This example grounds the abstract results in a clear geometric case. See [ https://anonymous.4open.science/r/sup_materials/Numerical%20Example.pdf ] for visualization. For a more detailed explanation, please refer to our response to Reviewer X4cj Q3.

5. The convex approximation approach is not always differentiable (Theoretical Claims)

The goal of our DDPA method is not to directly perform gradient-based optimization on the convex polyhedral envelope itself, but rather to identify thrust points (group centers) that lie in regions where the original non-convex loss is close to its convex approximation. Specifically, we optimize the objective in Eq.(17), which minimizes the maximum deviation between the original loss and its convex approximation over the convex polyhedron defined by the group centers. Since this objective involves selecting points rather than differentiating through the envelope, non-differentiability does not hinder the optimization in practice. Once the group centers are selected, the subsequent unlearning process operates directly on the original model and loss function, without relying on the convex envelope.

6. Algorithm 1 lacks a complexity analysis (Supplementary Material) The complexity of Algorithm 1 comes from two stages: optimizing the group centers $V = \{v_1, \dots, v_n\}$ by minimizing $L_t + L_s$, and generating poisoned data. As defined in Eq. (17), computing $L_t$ involves solving a constrained optimization (Eq. 16) for each $x \in G$, with cost $\mathcal{O}(g p d)$ per iteration. The structural loss $L_s$ (Eq. 12) includes $\phi(V)$ (Eq. 10), pairwise distances, and the centroid term. These are computed in a subspace of dimension $\mathcal{O}(\log n / \varepsilon^2)$ using a Johnson--Lindenstrauss projection, with per-iteration cost $\mathcal{O}(n \log n / \varepsilon^2)$. Sampling $k$ points from $\mathcal{N}(v_i, \sigma^2)$ for each $v_i \in V$ costs $\mathcal{O}(n k d)$. The overall complexity is $\mathcal{O}(T g p d + T n \log n / \varepsilon^2 + n k d).$ The procedure is efficient in practice, as $n$ is small, optimization is one-time, and all structural terms are computed in a low-dimensional subspace.

We would like to thank the reviewer for the helpful and constructive comments. We have tried our best to address your concerns. We will include all the analyses, duscussions, and experimental results in this rebuttal into the submission. Due to the limit of 5000 characters, if anything remains unclear, post-rebuttal comments are appreciated.

1. Empirical results about flexibility (Other Strengths And Weaknesses)

We have included the flexibility test in Figure 5 in Page 8 in the main paper. We compare DDPA with all baselines under a target-agnostic setting (unknown attack target during poisoning). While other methods suffer significant ASR drops as the number of potential targets increases, DDPA maintains consistently high ASR. For example, DDPA achieves the highest ASR $91.6\%$, whereas the baselines obtain the ASR $6.3\%$. These results clearly demonstrate DDPA's flexibility in adapting to different attack targets during unlearning.

2. Parameter settings/choices (Other Strengths And Weaknesses)

Based on our observations, increasing the number of group centers (from 5 to 25) leads to higher ASR across all datasets, as it allows for more fine-grained control over parameter manipulation. Longer training epochs (e.g., from 30 to 150) significantly improve ASR, since models trained for more epochs become more sensitive to unlearning. For image classification tasks, higher learning rates help the model converge to exploitable optima more quickly, resulting in increased ASR. However, in large-scale models such as LLaMA-3b, overly high learning rates can destabilize optimization and reduce ASR. Higher unlearning rates also tend to improve ASR by amplifying the model’s sensitivity to data removal, though excessive rates may negatively affect accuracy. Similarly, increasing the unlearning ratio (e.g., from 5% to 20%) intensifies parameter disturbance, leading to further gains in ASR. The parameter settings are detailed in our response to Reviewer X4cj Q4.

3. Overlap with each other, font size, and careless expression errors (Other Strengths And Weaknesses) (Other Comments Or Suggestions:)

We will correct the overlapping lines in the appendix, unify terminology for algorithm names, increase font size, fix expression errors, and improve figure readability and formatting for clarity.

4. real-word scenarios

This work focuses on exploring the vulnerability of machine unlearning (MU) models under adversarial attacks, rather than using MU techniques to attack standard machine learning (ML) models.

In line with modern privacy regulations such as the EU’s GDPR and California’s CCPA, MU allows data holders to remove the influence of specific data points from a trained ML model. For example, Stable Diffusion 3.0 allows artists to remove their artwork in the training data, responding to the 'Right to be Forgotten' legislation by GDPR and attempting to respect artists' works [1]. However, recent studies [2–10] have shown that MU is vulnerable to malicious unlearning requests in adversarial settings. In such attacks, the adversary first injects carefully crafted samples that help maintain the model’s performance and remain indistinguishable from clean data. Once the model is trained, the attacker submits an MU request to remove those specific samples, which degrades the model’s performance only after unlearning.

The goal of our attack is to preserve the performance of the original ML model while impairing the MU model after the unlearning process. This objective is fundamentally different from that of traditional backdoor attacks.

[1] Stability AI will let artists opt out of Stable Diffusion 3.0 training. Ars Technica.

[2] Static and Sequential Malicious Attacks in the Context of Selective Forgetting. NeurIPS 2023.

[3] Releasing Malevolence from Benevolence: The Menace of Benign Data on Machine Unlearning. CoRR 2024.

[4] Hidden Poison: Machine Unlearning Enables Camouflaged Poisoning Attacks, NeurIPS 2023.

[5] Backdoor attacks via machine unlearning, AAAI 2024.

[6] Exploiting machine unlearning for backdoor attacks in deep learning system, arxiv 2023.

[7] UBA-Inf: Unlearning activated backdoor attack with Influence-Driven camouflage, USENIX 2024.

[8] Unlearn to relearn backdoors: Deferred backdoor functionality attacks on deep learning models, arxiv 2024.

[9] Rethinking adversarial robustness in the context of the right to be forgotten, ICML 2024.

[10] A duty to forget, a right to be assured? exposing vulnerabilities in machine unlearning services, arxiv 2024.

We would like to thank the reviewer for the helpful and constructive comments. We have tried our best to address your concerns. We will include all the analyses, duscussions, and experimental results in this rebuttal into the submission. Due to the limit of 5000 characters, if anything remains unclear, post-rebuttal comments are appreciated.

1. Ablation studies (Claims And Evidence)

We have included the ablation study in Figure 4 in Page 8 in the main paper and Tables 3-19 in Appendix F. DDPA-S utilizes only the simplex method to maximize and generate an effective operational space. DDPA-C employs only Convex Polyhedral Approximation to ensure stability in constructing thrust vectors (group centers). DDPA operates with the full support of both simplex method and convex polyhedral approximation. We have observed that the full DDPA method achieves the lowest BA and the highest ASR and TA in most experiments, consistently outperforming other versions and highlighting the advantages of simplex method and convex polyhedral approximation.

2. Necessity of the unlearning process in the attack (Methods And Evaluation Criteria)

This work focuses on exploring the vulnerability of machine unlearning (MU) models under adversarial attacks, rather than using MU techniques to attack standard machine learning (ML) models. The goal is to preserve the model's performance before MU while degrading its performance after MU, which is quite different from traditional backdoor attacks.

Traditional backdoor attacks require control over the training process and predefine the attack target, making them inflexible and inefficient. In contrast, our method exploits MU vulnerabilities without access to training and operates at the unlearning stage. The attack target can be determined or modified after training or during unlearning.

Injecting data during training is common in real-world settings such as online learning [1] and continual learning [2], where models are incrementally updated. For practical examples, please refer to our response to Reviewer TAX8 Q4.

As noted in our response to Reviewer qxUp Q3, our attack remains stealthy and effective under strong detection defenses, underscoring its practical impact.

[1] Online learning: A comprehensive survey, ACM, 2021.

[2] A comprehensive survey of continual learning: Theory, method and application, 2024.

3. Unable to fully assess the correctness of theoretical contributions (Theoretical Claims)

We have explained the physical meaning of these theorems in lines 179-192 in page 4 and lines 282-295 in page 6 in the submission. In addition, we have included the detailed proof of all theorems in pages 17-26 in Appendix C.

4. More detailed description of the hyperparameter settings, training procedures, and statistical significance measures. (Experimental Designs Or Analyses)

We have included the hyperparameter setting, implementation details, and training procedures in lines 306-317 on page 5 in the submission and in lines 1,442-1,480 and Table 2 in Appendix F. In addition, we have provided the details of poisoned dataset generation in Appendix D. For further information, please refer to our response to TAX8 Q2.

5. Recent studies on adaptive adversarial attacks (Essential References Not Discussed)

Adaptive adversarial attacks refer to attacks that are specifically designed to counteract or bypass known defense mechanisms [3,4]. Compared with standard adversarial attacks, adaptive adversarial attacks provide a more rigorous and realistic evaluation of defense methods, as they are crafted with knowledge of the defense and specifically designed to exploit its weaknesses. We will include the recent related works into the submission.

[3] On Adaptive Attacks to Adversarial Example Defenses. NeurIPS 2020.

[4] Adversarial examples are not bugs, they are features. NeurIPS, 2019.

6. Assumptions regarding the behavior of the loss function (Other Strengths And Weaknesses)

Our method does not rely on strong or global assumptions about the loss function. While our convex polyhedral approximation (Section 3.3) utilizes local properties of the loss surface, we do not assume that the entire loss function is convex. Instead, our approach identifies regions where the loss can be locally approximated by a convex function, and places group centers (thrust vectors) in those areas. This is achieved through the optimization objective in Eq.(17), which selects data samples whose loss behavior deviates minimally from convexity, ensuring stability during the MU. Moreover, our experiments span multiple domains, including image and text classification, demonstrating that the method remains effective across a variety of non-convex loss functions in practice. We would be glad to discuss extensions of our approach to even more complex domains in future work.

We would like to thank the reviewer for the helpful and constructive comments. We have tried our best to address your concerns. We will include all the analyses, duscussions, and experimental results in this rebuttal into the submission. Due to the limit of 5000 characters, if anything remains unclear, post-rebuttal comments are appreciated.

1. Loss landscape visualization (Claims And Evidence)

In DDPA, thrust vector control is achieved by selecting group centers near locally convex regions of the non-convex loss, identified via a convex polyhedral approximation that minimizes the gap to the original loss. Figure 1 (https://anonymous.4open.science/r/sup_materials/landscape.pdf) visualizes the loss landscape using a shared 2D projection. The region around the selected anchor is visibly smoother and more stable, showing that DDPA effectively locates well-conditioned areas for stable thrust vector updates.

2. Gaussian assumption for parameter space (Claims And Evidence)

We validate the Gaussian assumption using the Shapiro–Wilk, D’Agostino’s $K^2$, and Anderson–Darling tests. For VGG16 on CIFAR-100, the $p$-values are 0.55669 (Shapiro–Wilk) and 0.30275 ($K^2$), with an Anderson–Darling statistic of 0.24373. For ResNet18 on Tiny ImageNet, the values are 0.67146, 0.35562, and 0.35510, respectively. All results fall within standard thresholds for normality: $p > 0.05$ and Anderson–Darling statistic < 0.787. These consistent results across models and datasets support the Gaussian assumption.

3. No evaluation of attack stealthiness (Methods And Evaluation Criteria) and Essentail References

Zhang et al. focus on preventing recovery after unlearning, which is orthogonal to our setting. To assess stealthiness, we report anomaly indices from three standard detectors: Neural Cleanse (NC), Perceptual-Based (PB), and AEVA. These methods assign class-wise anomaly scores, with values below –2.0 commonly indicating a backdoor. As shown in Table 3 (https://anonymous.4open.science/r/sup_materials/stealthiness_evaluation_table.pdf), our method achieves scores of 0.322 (NC), 0.29 (PB), and 0.59 (AEVA), all above the detection threshold and generally higher than those of other methods. This indicates that our attack does not leave strong or easily detectable backdoor signatures.

4. No evaluation of computational cost (Methods And Evaluation Criteria)

We provide a detailed efficiency comparison of DDPA and all baselines, including AwoP and MUECPA, in Figure 2 (main paper) and Figures 6, 8, and 10 (Appendix F.1). DDPA significantly reduces total training time by generating a single poisoned dataset that supports multiple attack targets. In contrast, baselines such as AwoP and MUECPA require regenerating a new poisoned dataset for each target, leading to much higher cumulative cost. Additional timing details for the poisoning, training, and unlearning stages are discussed in our response to Reviewer twWJ Q2.

5. The edge length in Equation 13 (Theoretical Claims)

In practice, we estimate the edge length $l$ of the simplex by computing the average Euclidean distance between all pairs of group centers: $l = \frac{2}{n(n-1)}\sum_{1 \leq i < j \leq n}\|v_i - v_j\|_2,$ where $\\\\\\{v_1, v_2, \ldots, v_n\\\\\\}$ are the $n$ group centers used in the simplex construction. This provides a natural measure of the simplex’s spatial scale in the parameter space and is easy to compute.

6. MU gradients interact with simplex vertices (Theoretical Claims)

As detailed in Section 3.2 (lines 240–295), we sample group centers from clean data and use a convex polyhedral approximation to identify locally convex regions. Centers aligning with this structure are selected as thrust points and mapped to thrust vectors via a conjugate algorithm, forming a regular simplex in parameter space. During unlearning, removal gradients move the model along these simplex directions, enabling controlled updates and ensuring explicit interaction between MU gradients and the simplex.

7. Attackers can modify retained data (Other Comments Or Suggestions)

Our threat model only assume the attacker can inject malicious samples with no ability to alter retained training data.

8. Response to Concerns on Attack Assumptions, Algorithmic Complexity, Numerical Examples and Hyperparameter Sensitivity

Regarding the assumption that attackers can manipulate unlearning requests post-deployment, Algorithmic Complexity, Numerical Examples and Hyperparameter Sensitivity please see our detailed response to Reviewer X4cj Q2,Q4 and twWJ Q4, Q6 and Reviewer TAX8 Q4 respectively.

9. Reproducibility

Due to the link restrictions imposed by the ICML rebuttal policy (only figures and tables), we will release our code on GitHub along with a project page and full documentation once the paper is accepted.