Visible to the public TWC: Medium: Collaborative: Efficient Repair of Learning Systems via Machine UnlearningConflict Detection Enabled

Project Details

Lead PI

Performance Period

Sep 05, 2018 - Aug 31, 2020


Johns Hopkins University

Award Number

Today individuals and organizations leverage machine learning systems to adjust room temperature, provide recommendations, detect malware, predict earthquakes, forecast weather, maneuver vehicles, and turn Big Data into insights. Unfortunately, these systems are prone to a variety of malicious attacks with potentially disastrous consequences. For example, an attacker might trick an Intrusion Detection System into ignoring the warning signs of a future attack by injecting carefully crafted samples into the training set for the machine learning model (i.e., "polluting" the model). This project is creating an approach to machine unlearning and the necessary algorithms, techniques, and systems to efficiently and effectively repair a learning system after it has been compromised. Machine unlearning provides a last resort against various attacks on learning systems, and is complementary to other existing defenses.

The key insight in machine unlearning is that most learning systems can be converted into a form that can be updated incrementally without costly retraining from scratch. For instance, several common learning techniques (e.g., naive Bayesian classifier) can be converted to the non-adaptive statistical query learning form, which depends only on a constant number of summations, each of which is a sum of some efficiently computable transformation of the training data samples. To repair a compromised learning system in this form, operators add or remove the affected training sample and re-compute the trained model by updating a constant number of summations. This approach yields huge speedup -- the asymptotic speedup over retraining is equal to the size of the training set. With unlearning, operators can efficiently correct a polluted learning system by removing the injected sample from the training set, strengthen an evaded learning system by adding evasive samples to the training set, and prevent system inference attacks by forgetting samples stolen by the attacker so that no future attacks can infer anything about the samples.

Continuation of Award #: 1563843