Response to Weakness:

• Methodology
  1. We have added a line in section 4.3 under “Discussion” to clarify this. We apply our algorithm to all the linear layers in the transformer architecture. For an attention block, the linear layer weights updated are the Key Weights, Query Weights, Value Weights, and Output weights. We do not perform any unlearning of the normalization layers as the fraction of total parameters for these layers is insignificant and empirically is not seen to affect the performance of our algorithm.
  2. Samples from each class are necessary to ensure a good estimation of retain space and forget space. We chose $X\_r$ and $X\_f$ to be around 1000 to ensure we have at least 1 sample from each class (ImageNet). Empirically we observed that having 1000 samples was enough and we did not increase it to ensure the compute cost of Representation collection and SVD over $X\_r$/$X\_f$ is kept low.
  3. In our algorithm (line 14, Algorithm 1) we find $P\_{dis}$, which is the class discriminatory activation space. We want to find a class discriminatory space where forget samples have the ‘highest’ activations whereas retain samples have the 'lowest'. By removing this space (from the entire space) we perform our unlearning. To assign this connotation of ''highest/lowest' activation with the original $P\_f$/$P\_r$ space we need to assign importance - thus scaling was used. We agree this causes deformation of the space - which is a design choice.
  4. Our algorithm is gradient free algorithm and obtains the parameter update in a one-shot fashion. As we did not use gradient information it was not straightforward to come up with a learning scheme for $\alpha$. However, in the future training algorithms can be designed that could learn $\alpha$ to be used for unlearning if needed.
• Experiments
  1. For CIFAR100 we use [1, 11,21, … 91 ]. We update the paper stating “CIFAR10 dataset is accessed for unlearning on each class and CIFAR100 is evaluated for every 10th starting from the first class.”
  2. Yes, original refers to a well trained model which is trained on $D\_{train}$. The accuracy numbers in the previous version were the overall accuracy of the network on the samples of retain and forget class. We have updated these numbers to report retain class accuracy and forget class accuracy separately.
  3. To evaluate the unlearnt model we assume that the unlearning algorithm gives us the unlearnt model without changing the classifier output neurons similar to the baseline SoTA methods Tarun et al and Kurmanji et al.
  4. We thank the reviewer for pointing this out. We realized that the runtimes depend on the implementation of the algorithm and the background hardware it is running on. We analytically find the compute costs of different algorithms and plot them in Figure 5 and show the details in Appendix A.7. Our algorithm has at least 6.5x lower compute than other methods.
  5. We present the results for superclass unlearning on CIFAR100 in Figure 6 and have moved the results of CIFAR10 to Appendix A.8. Further, we have added a comparison with baselines in Table 6 in Appendix A8. We see our model performs better on MIA scores and retain accuracy over SoTA Tarun et al. NegGrad+ is seen to outperform our method on ResNet18. We saw Kurmanji et al to have extremely low retain accuracies and hence have not reported them in the table. There was a mistake in the plot of Figure 5b in the original submission (10b in updated). We did not plot the original model’s forget accuracy in the figure.

Response to Questions:

2. Class unlearning is important where entire user data belongs to a single class. Consider a scenario where we train a classification model for face recognition. In this case, an entire class belongs to a single person and we would be required to remove this class when on request. Further, in the cases where a collaborative multi-task model is shared by a few companies and one of the companies decides to withdraw its data the one-shot multi-class removal algorithm becomes relevant.
3. We have added membership inference attack evaluations in our experiments. The results show our method performs well across different datasets and architectures obtaining an average improvement of 7.8% in MIA accuracy over other baselines. Our MIA attack has access to the true confidence scores of the model on the correct class. Hence an algorithm that post hoc manipulates the output would fail to obtain good MIA scores.

Note: We have added a version of the paper with highlighted changes to supplementary material.

Dear Reviewer 8Shn,

We appreciate your valuable comments on our work. We have updated the paper as per your suggestion addressing the weaknesses and questions. We look forward to any additional feedback you have for improving the quality of our work further.

Thanks Authors

Response to Weakness(Continued):

9. Transfomer Layers - We have added a line in section 4.3 under “Discussion” to clarify this. We apply our algorithm to all the linear layers in the transformer architecture. For an attention block, the linear layer weights are the Key Weights, Query Weights, Value Weights, and Output weights. We do not perform any unlearning of the normalization layers as the fraction of total parameters for these layers is insignificant and empirically is not seen to affect the performance of our algorithm.
10. typo- We updated the line to “ for both linear and convolutional layers, where $l$ is layer.”

Response to Questions:

1. Our method relies on SVD which analyzes the underlying statistics of the activation spaces. We believe our method would work on any unlearning problem where there are differences in the data distributions of the forget samples and the retain samples. Class Unlearning is one such case where there is a significant difference in the data distributions, which makes it easier for SVD to figure out distinct spaces. When we assign a random subset of training samples as forget set, SVD can not distinguish well between the activations of forget samples and retain samples. This is because Retain samples are also drawn similarly (Independently Identically Distributed) from the training set. This is why the SVD based method would need further modifications to be fully effective for random subset unlearning problems.
2. We thank the reviewer for pointing this out. We realized that the runtimes depend on the implementation of the algorithm and the background hardware it is running on. We analytically find the compute costs of different algorithms and plot them in Figure 5 and show the details in Appendix A.7. We see 7.3x lesser compute for our approach than the baseline.
3. The mean forget accuracy in Figure 5b in the original version (it has been moved to Figure 10 in the updated version) is less than 0.37 on average. In all the experiments we ran for 5 class unlearning the forget accuracy was 0 in 6 of the 10 experiments (the other experiments have forget accuracy of 0.32, 0.7, 0.74, 1.88). In the experiments for 2 class unlearning 9 of the 10 experiments have 0 forget accuracy while one experiment had a forget accuracy of 2.5. These experiments show very low forget accuracies on the model and hence we believe are significant.
4. Yes, it was computationally expensive to compute these numbers for ImageNet dataset. To address reviewer concern we have updated Section 6 with lines “Due to the training complexity of the experiments, we were not able to obtain retrained models for ImageNet. We observe that the results on CIFAR10 and CIFAR100 datasets consistently show $ACC_f$ to be 0 and the $MIA$ performance to be $100\%$. We, therefore, interpret the model with high $ACC_r$, $MIA$, and low $ACC_f$ as a better unlearnt model for these experiments.”

Response to Minor Issues and typos

• We thank the reviewer for pointing this out. We went over the document and corrected grammatical errors.

Response to Weakness:

1. Motivation for Class Unlearning - Class unlearning is important where entire user data belongs to a single class. Consider a scenario where we train a classification model for face recognition[1]. In this case, an entire class belongs to a single person and we would be required to remove this class on request. Further, in the cases where a collaborative multi-task model is shared by a few companies where a task is classification over a group of classes and one of the companies decides to withdraw its data, the multi-class removal algorithm becomes relevant.
2. NegGrad+ baseline- We thank the reviewer for pointing this out. We have added the citation and updated the contributions. Further, we have renamed Naive Ascent as NegGrad and Stable Ascent as NegGrad+ to be consistent with the literature.
3. Comparisons- We add experiments on [kurmanji et al] (or reference [A] in the Reviewers list) as it is a more recent method in the list of suggestions. We have updated the “Comparisons” part in Section 5 mentioning this as a baseline and added the results in Table1 and Table2. We see our method has 13.6% better forget accuracy and 45.7% better MIA over [A] on average across all the datasets and networks in Table 1 and Table 2.
4. ablations are missing-
   • Proposed scaling: Without the proposed scaling the $\Lambda\_r$ and $\Lambda\_f$ in line 12 of Algorithm 1 become Identity. Now as $U$ matrix obtained through SVD is an orthonormal matrix, $P\_r$ and $P\_f$ in line 13 of Algorithm 1 become Identity when $\Lambda\_r$ and $\Lambda\_f$ are Identity. When $P\_r$ and $P\_f$ is Identity $P\_{dis} = P_f(I-P\_r)$ computed in line 15 becomes a zero matrix. Projection of weights on $I-P\_{dis}$ in line 15 would hence cause no change in the weight as $I-P\_{dis}$ is Identity essentially leading to no unlearning. This necessitates the scaling in line 12 of the algorithm. We have clarified this under the “Importance-base Space Scaling” in Section 4.2.
   • Impact of layer: We have added a section on “Layer-wise analysis” where our results show that later layers play a more significant role in unlearning. Further, in Figure 8 of Appendix A.6 we see that removing our algorithm from the first 4 layers has a very low impact on forget accuracy.
5. Scaling Motivation- In continual learning, scaling has been used to modulate the gradient descent steps during training so that old tasks are not forgotten and new tasks are learned with high accuracy. In this scenario, we apply one-shot scaling of the weights on a pre-trained model. Effectively, we apply scaling to restrict the layer-wise activation of the input samples (during inference) to remove activations belonging to class discriminatory space $P\_{dis}$. Further, we have added a few lines to explain the need for importance scaling under “Importance-base Space Scaling” in Section 4.2.
6. MIA attacks- As per reviewer’s suggestion, we have added membership inference attack evaluations in our experiments. The results show our method performs well across different datasets and architectures obtaining an average improvement of 7.8% in MIA accuracy over other baselines.
7. Class Unlearning goal in Introduction- We meant “The unlearning algorithm should produce model (parameters) that are functionally equivalent to those of a model trained without the target class.” by the statement and have updated this in the paper. We show such equivalence by our experiment using ACC_r, ACC_f, MIA, confusion matrix, and gradient based saliency maps.
8. Problem description in Section 3- Thanks for this suggestion. We have modified the writing to address reviewers concern. We clarify the definition in the following places in the updated paper. Class Unlearning ( Section 1 Introduction) “For a class unlearning setup, the primary goal of the unlearning algorithm is to eliminate information associated with a target class from a pretrained model. This target class is referred to as the forget class, while the other classes are called the retain classes.” Additionally, we have formally presented “class unlearning” in Section 3: “The parameters $\theta^*\_f$ must be functionally indistinguishable from a network with parameters $\theta^*$, which is retrained from scratch on the samples of $\mathcal{D}\_{train\_r}$ in the output space. In other words, these parameters must satisfy $f(x\_i, \theta^*) \simeq f(x\_i, \theta^*\_f)$ for $(x\_i, y\_i) \in D\_{test}$ or $D\_{train}$.”

Note: We have added a version of the paper with highlighted changes to supplementary material.

Reference: [1] Y. Sun, X. Wang, and X. Tang, "Deep learning face representation from predicting 10,000 classes." pp. 1891-1898.

Response to Weakness:

1. Thanks for this suggestion. We have modified the writing to address this. We clarify the definition in the following places in the updated paper. Class Unlearning ( Section 1 Introduction) “For a class unlearning setup, the primary goal of the unlearning algorithm is to eliminate information associated with a target class from a pretrained model. This target class is referred to as the forget class, while the other classes are called the retain classes.” Additionally, we have formally presented “class unlearning” in Section 3: “The parameters $\theta^*\_f$ must be functionally indistinguishable from a network with parameters $\theta^*$, which is retrained from scratch on the samples of $\mathcal{D}\_{train\_r}$ in the output space. In other words, these parameters must satisfy $f(x\_i, \theta^*) \simeq f(x\_i, \theta^*\_f)$ for $(x\_i, y\_i) \in D\_{test}$ or $D\_{train}$.”
2. We pose our work as empirical and evaluate our work on large-scale experiments with various sized dataset (including ImageNet) and SoTA deep neural network models (e.g. ViTs etc’). The SoTA baselines we compare against [Tarun et al] and [kurmanji et al] are also empirically evaluated and the scale of their experiments is limited. Further, We have added experiments for Membership Inference Attacks to demonstrate the efficacy of forgetting.
3. We thank the reviewer for providing the reference. We have added reference to this work in our paper. We would like to point out the fundamental differences between this work and our work.
   • It uses synthetic data and gradient-based optimization/finetuning of the model on these data for unlearning. Whereas we do not use any synthetic data and we don’t need any gradient-based finetuning of the given pre-trained model.
   • The scale of experiments is very different. In particular, this work proposes data deletion with a particular focus on linear and logistic regression whereas we propose an unlearning method for deep learning models that give SoTA performance.
   • At its core this work relies on being able to calculate the logits of the retrained model without having access to the weights. Essentially calculating $f(x\_i,\theta^*)$ without knowing $\theta^*$, where $x\_i$ is a forgot sample and $\theta^*$ is retrained model weights. This is a challenging problem to solve in the case of deep learning models and datasets where data might not be very separable which limits the algorithm's application in deep networks. Our algorithm does not rely on the knowledge of logits of the retrained model and hence easily scales for challenging datasets and networks.
4. We add the results for applying our method to the top layer in Appendix A6. Figure 8 shows applying our approach to the last layer only (indicated by layer=10) has a forget accuracy 65% which indicates that removing information from other layers is also necessary.
5. We have added membership inference attack evaluations in our experiments. The results show our method performs well across different datasets and architectures obtaining an average improvement of 7.8% in MIA accuracy over other baselines.
6. Can the reviewer clarify this point e.g. what is linear perturbation of the network in the context of unlearning? Some reference would be helpful.
7. We have added this plot in Figure 4. We see that later layers are more affected by unlearning through our approach. This is expected as the later layers are expected to learn complex class discriminatory information while the initial layers learn edges and simple textures [1].

Note: We have added a version of the paper with highlighted changes to supplementary material.

Reference:

[1] Chris Olah, Alexander Mordvintsev, and Ludwig Schubert. Feature visualization. Distill, 2017

Dear Reviewer bRqF,

We appreciate your valuable comments on our work. We have updated the paper as per your suggestion addressing most of the weaknesses and questions. We look forward to any additional feedback you have for improving the quality of our work further.

Thanks Authors

Response to Weakness:

1. The reviewer is right to point out there are zero-shot unlearning works. However, here zero-shot does not mean that they don't use any samples for unlearning. It means the algorithm first generates a few synthetic samples and then unlearns with those [1], usually with SGD based training/finetuning steps. On the other hand, we propose a novel SVD-based approach where we use only a few samples from the training set to get the forget space and modify the weights, without any training, to forget the desired class. Generating synthetic samples from the trained model is a well-established idea. We believe our SVD-based space estimation can be used on these synthetic data to get the desired forget space. Hence would enable zero-shot unlearning. We leave this exploration for the future.

Response to Questions:

1. We have rewritten the definition in Section 3(Class Unlearning) as "The parameters $\theta^*\_f$ must be functionally indistinguishable from a network with parameters $\theta^*$, which is retrained from scratch on the samples of $\mathcal{D}\_{train\_r}$ in the output space. In other words, these parameters must satisfy $f(x\_i, \theta^*) \simeq f(x\_i, \theta^*\_f)$ for $(x\_i, y\_i) \in D\_{test}$ or $D\_{train}$." We thank the reviewer for pointing this out.

Note: We have added a version of the paper with highlighted changes to supplementary material.

Reference:

[1] Chundawat, Vikram S., et al. "Zero-shot machine unlearning." IEEE Transactions on Information Forensics and Security (2023)

Below are the changes made in the second update of the paper.

9. We have added the limitation of our method in Section 4 under “Discussion”
10. We have added details on MIA in Appendix A10 and clarified interpretation of MIA scores in Section 5 under “Evaluation”

Note : We have added a highlighted version of both the updates in supplementary material.

We thank all the reviewers for their feedback. We have made changes to our work as per their suggestions to improve our work.