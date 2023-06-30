



Posted by Fabian Pedregosa and Eleni Triantafillou, Google Research Scientists

Deep learning has recently brought remarkable progress in a wide range of applications, from realistic image generation and impressive search systems to language models capable of human-like conversation. While this progress is very interesting, the widespread use of deep neural network models is tricky. Based on Google’s AI Principles, we aim to develop AI technology responsibly by understanding and mitigating potential risks such as unfair bias propagation and amplification. User Privacy.

Permanently erasing the impact of data for which deletion has been requested involves not simply deleting the data from the database in which it is stored, but also the impact of that data on other artifacts such as trained machine learning models. It is difficult because it also needs to be erased. Also, in a recent study, [1, 2] showed that, in some cases, membership inference attacks (MIA) could be used to infer with high accuracy whether a sample was used to train a machine learning model. This can raise privacy concerns, as it means that even if an individual’s data has been removed from the database, it may still be possible to infer whether that individual’s data was used to train a model. .

Given the above, machine non-learning is an emerging subfield of machine learning that aims to remove the influence of a specific subset of training examples (the “forgetting set”) from a trained model. Moreover, an ideal non-learning algorithm removes the effects of specific examples while preserving other beneficial properties, such as rest train set accuracy and generalization to retained examples. A simple way to generate this untrained model is to retrain the model on an adjusted training set that excludes samples from the forgetting set. However, retraining a deep model can be computationally expensive, so this is not always a viable option. An ideal non-learning algorithm would instead use an already trained model as a starting point and efficiently make adjustments to remove the effects of the requested data.

Today, we are pleased to announce that we have collaborated with a broad group of academic and industrial researchers to host the first Machine Unlearning Challenge. The competition considers a realistic scenario where a certain subset of training images should be forgotten after training to protect the privacy and rights of the individuals involved. The contest is held on his Kaggle, and submissions are automatically scored in terms of both forgettable quality and model utility. We hope that this contest will help advance the state of the art in machine unlearning and promote the development of efficient, effective and ethical unlearning his algorithms.

Machine learning application

Machine unlearning has applications beyond protecting user privacy. For example, unlearning can be used to purge inaccurate or outdated information from a trained model (e.g., due to labeling errors or changes in the environment), or to remove harmful, manipulated, or outlier data. You can delete it.

Non-machine learning areas are related to other areas of machine learning such as differential privacy, lifelong learning, and fairness. Differential privacy aims to ensure that a given training example does not influence the trained model too much. This is a stronger goal compared to the unlearning goal, which only requires erasing the effects of a given forgetting set. Lifelong learning research aims to design models that enable continuous learning while maintaining previously acquired skills. As work on unlearning progresses, further ways to increase model fairness by correcting for unfair biases and unbalanced treatment of members belonging to different groups (e.g. demographics, age groups, etc.) will also open up. there is a possibility.

Unlearned anatomy. An unlearning algorithm takes as input a pretrained model and one or more samples from a training set to unlearn (the “forgotten set”). From the model, the forget set, and the retain set, an updated model is generated by an unlearning algorithm. An ideal non-learning algorithm produces a model that is indistinguishable from a model trained without a forgetting set.Machine unlearning challenges

The unlearned problem is complex and multifaceted as it involves several conflicting objectives, such as forgetting requested data, maintaining model utility (such as retention and accuracy of retained data), and efficiency. . This leads to various tradeoffs in existing non-learning algorithms. For example, full retraining succeeds in forgetting without compromising the utility of the model, but with lower efficiency, whereas adding noise to the weights achieves forgetting at the expense of usefulness.

Moreover, evaluations of forgetting algorithms in the literature are so far very inconsistent. Some studies report the classification accuracy of unlearning samples, others report the distance to a fully retrained model, and use the error rate of membership inference attacks as a measure of forgotten quality. There is also research. [4, 5, 6].

We believe that inconsistent evaluation criteria and lack of standardized protocols are significant impediments to progress in this field. A direct comparison of different non-learning methods in the literature is not possible. This leaves us with a shortsighted view of the relative advantages and disadvantages of different approaches and the open challenges and opportunities for developing improved algorithms. To address the problem of inconsistent assessment and advance the state of the art in the machine non-learning field, we are collaborating with a broad group of academic and industrial researchers to solve the first non-learning challenges. organized.

Announcing the First Machine Learning Challenge

We are excited to announce the first Machine Unlearning Challenge as part of the NeurIPS 2023 competition track. The competition has two goals. First, we hope to unify and standardize the unlearning metrics so that we can identify the strengths and weaknesses of different algorithms through identical comparisons. Second, by making this contest open to everyone, we hope to promote novel solutions and shed light on unsolved challenges and opportunities.

The competition will be held on Kaggle from mid-July 2023 to mid-September 2023. Today, as part of the contest, we are announcing the availability of starting kits. This starting kit provides a foundation for participants to build and test non-learning models on the toy dataset.

The competition considers a realistic scenario where an age predictor is trained on facial images and after training needs to forget certain subsets of the training images to protect the privacy and rights of the parties concerned. increase. For this reason, we provide synthetic face datasets (samples below) as part of our starting kit, and also use several real face datasets to evaluate submissions. Participants are asked to submit code that takes as input the forgetting and retaining sets of trained predictors and outputs the weights of the predictors that unlearned the given forgetting set. We evaluate submissions based on both the strength of the forgetting algorithm and the practicality of the model. It also enforces a hard he cutoff that rejects unlearned algorithms that run less than a fraction of the time it takes to retrain. A valuable outcome of this contest is to characterize the trade-offs of various non-learning algorithms.

Extract images with age annotations from the Face Synthetics dataset. This contest considers a scenario where the age predictor has been trained on face images like the one above, and after training we need to forget a certain subset of the training images.

For forgetting assessment, use a MIA-inspired tool such as LiRA. MIA was first developed in the privacy and security literature and its purpose is to infer which samples are part of the training set. Intuitively, if unlearning succeeds, MIA fails because the untrained model contains no traces of forgotten examples. An attacker cannot infer that the forgotten set was actually part of the original training set. In addition, we use statistical tests to quantify how much the distribution of an untrained model (generated by a particular submitted untrained algorithm) differs compared to that of a model retrained from scratch. increase. For an ideal non-learning algorithm, the two are indistinguishable.

Conclusion

Machine learning unlearning is a powerful tool with the potential to address some unsolved problems in machine learning. We hope that as research in this area progresses, new methods will emerge that are more efficient, effective and responsible. We are thrilled to have the opportunity to raise awareness of this area through this competition and look forward to sharing our insights and findings with the community.

Acknowledgments

The author of this post is now part of Google DeepMind. We are writing this blog post on behalf of: Eleni Triantafillou*, Fabian Pedregosa* (*contributing equally), Meghdad Kurmanji, Kairan Zhao, Guintare Carolina Dziugaite, Peter Triantafillou, Ioannis Mitliagkas, Vincent Dumoulin and Lisheng Sun Housing, Peter Kairouz, Julius CS James Jr., Jun Wang, Sergio Scalera, Isabel Guillon.

