Papers
Topics
Authors
Recent
Search
2000 character limit reached

SoK: Unlearnability and Unlearning for Model Dememorization

Published 12 May 2026 in cs.LG, cs.AI, and cs.CR | (2605.11592v1)

Abstract: Advanced model dememorization methods, including availability poisoning (unlearnability) and machine unlearning, are emerging as key safeguards against data misuse in ML. At the training stage, unlearnability embeds imperceptible perturbations into data before release to reduce learnability. At the post-training stage, unlearning removes previously acquired information from models to prevent unauthorized disclosure or use. While both defenses aim to preserve the right to withhold knowledge, their vulnerabilities and shared foundations remain unclear. Specifically, both unlearnability and unlearning suffer from issues such as shallow dememorization, leading to falsely claimed data learnability reduction or forgetting in the presence of weight perturbations. Moreover, input perturbations may affect the effectiveness of downstream unlearning, while unlearning may inadvertently recover domain knowledge hidden by unlearnability. This interplay calls for deeper investigation. Finally, there is a lack of formal guarantees to provide theoretical insights into current defenses against shallow dememorization. In this Systematization of Knowledge, we present the first integrated analysis of model dememorization approaches leveraging unlearnability and unlearning. Our contributions are threefold: (i) a unified taxonomy of unlearnability and scalable unlearning methods; (ii) an empirical evaluation revealing the robustness, interplay, and shallow dememorization of leading methods; and (iii) the first theoretical guarantee on dememorization depth for models processed through certified unlearning. These results lay the foundation for unifying dememorization mechanisms across the ML lifecycle to achieve a deeper immemor state for sensitive knowledge.

Summary

  • The paper presents a unified taxonomy of unlearnability and unlearning methods to enforce model dememorization.
  • The paper empirically shows that shallow dememorization allows models to quickly recover censored data through parameter perturbations.
  • The paper proposes the first formal guarantee on dememorization depth, linking parameter-space robustness to enhanced privacy compliance.

A Unified Systematization of Unlearnability and Unlearning for Model Dememorization

Introduction and Motivation

The imperative to guarantee users' right to withhold or erase personal data from ML systems has produced a surge of research on model dememorization: systematically preventing unauthorized memorization during training, and reliably deleting knowledge post hoc. "SoK: Unlearnability and Unlearning for Model Dememorization" (2605.11592) delivers a comprehensive systematization of both input-level unlearnability (upstream, via data perturbations to limit learnability) and output-level machine unlearning (downstream, via model updates or retraining to erase prior knowledge), analyzing their vulnerabilities, mutual interactions, and the theoretical underpinnings of "deep" versus "shallow" dememorization. Figure 1

Figure 1: An overview of the model dememorization framework within the ML model development lifecycle. un and unlearning safeguard the upstream and downstream stages, respectively, yet each faces distinct robustness challenges, and their interaction remains insufficiently understood.

Across both paradigms, the paper reveals pervasive issues with shallow removal of knowledge: data perturbations and post hoc unlearning can often be easily circumvented via parameter or training-space manipulations. Furthermore, the interplay between unlearnability and unlearning is underexplored, with each stage potentially undermining the other. The work establishes a unified taxonomy, empirically evaluates state-of-the-art approaches, and—crucially—proposes the first formal guarantee on the "depth" of dememorization for models with certified unlearning, rooting these guarantees in parameter-space perturbation robustness.

Taxonomy: Unlearnability and Unlearning

The authors introduce a structured taxonomy that rigorously unifies both upstream and downstream approaches:

Upstream: Unlearnability (Data-Centric Protection)

  • Error-Based Perturbation: Includes error-maximizing (E-Max, e.g., [shen2019tensorclog], [huang2020metapoison]) and error-minimizing (E-Min, e.g., [huang2021unlearnable], [fu2022robust], [wang2025provably]) techniques. These typically add bounded, often imperceptible noise to training data to degrade generalization or force model memorization of non-generalizable patterns.
  • Distribution-Based (Shortcuts): Gradient-free interventions derived from data feature distributions (e.g., [sandoval2022autoregressive], [yu2022availability], [wu2023one]), exploiting the tendency of models to learn simple, spurious patterns.
  • Representation-Based: Perturbations are designed to manipulate deep feature spaces, either by increasing feature dissimilarization (e.g., [chen2024one]) or by inducing feature collisions ([shan2020fawkes], [shan2023glaze]) with external targets.

Downstream: Unlearning (Model-Centric Erasure)

  • Exact Unlearning: Retraining from scratch on the retain set ([bourtoule2021machine], [dukler2023safe]), sometimes accelerated with sharding or adapters, ensures perfect deletion at considerable cost.
  • Approximate Unlearning:
    • Non-certifiable: Heuristic methods such as gradient ascent ([graves2021amnesiac], [thudi2022unrolling]) or fine-tuning ([golatkar2020eternal]) that lack formal guarantees.
    • Convex-certifiable: Influence function/Newton update-based methods with ϵ\epsilon-differential privacy-like guarantees for convex models ([guo2020certified], [warnecke2023machine]).
    • Non-convex-certifiable: Noisy fine-tuning and stochastic post-processing ([koloskova2025certified], [chien2024langevin]) extend guarantees to non-convex (deep) models.

Empirical Analysis of Shallow Dememorization

Limitations of Unlearnability and Unlearning

The empirical component demonstrates that, across vision (CIFAR-10/100, ImageNet) and text (RegText) domains, both unlearnability and unlearning are highly susceptible to shallow dememorization: model states deemed to have “forgotten” target knowledge can rapidly recover it through parameter-space recovery attacks. This undermines the utility of existing approaches for regulatory compliance and privacy guarantees. Figure 2

Figure 2: Shallow un and shallow unlearning revealed by recovery attacks under an 2\ell_2 parametric perturbation magnitude (η\eta) of 0.4; all major approaches (influence function, gradient ascent, fine-tuning) are susceptible to recovery when assessed beyond single model checkpoints.

Augmentation and Transferability Issues

Further, upstream unlearnability is eroded by common techniques such as data augmentation. Figure 3 highlights that models trained on "unlearnable" data frequently regain high test accuracy when augmentation is applied, especially on transformers and large datasets. Figure 3

Figure 3: The test accuracy (\%) of ViT-Tiny trained on un data with and without augmentation, exposing fragility of upstream protection.

Interplay: Unlearnability and Unlearning

A systematic evaluation is performed by sequentially applying unlearnability and then unlearning. Surprisingly, the combination does not necessarily yield additive or deeper erasure. Instead, they are sometimes antagonistic—unlearning can inadvertently increase the risk of privacy leakage, for example, by amplifying membership inference attack (MIA) success rates against clean counterparts of the target class (see Figures 5–8). Figure 4

Figure 4

Figure 4: MIA on UE-s (membership inference attack; left: class-level, right: subset-level, demonstrating privacy leakage even after unlearning).

These results expose a structural trade-off between fidelity and depth of erasure: hyperparameter tuning that ensures downstream performance often leaves residual knowledge, while aggressive forgetting degrades utility for non-target data.

Theoretical Guarantees on Dememorization Depth

To address the evaluation gap—where current assessments focus on single parameter states—the authors introduce the notion of dememorization depth: the robustness of the immemor state under parameter-space perturbations. The main theoretical contribution is a probabilistic bound: For models processed via certified unlearning, one can bound with high confidence the maximum performance a parameter-perturbed model can achieve on the forgotten data, where the bound depends on the width of the perturbation radius. Furthermore, these bounds transfer to any model statistically indistinguishable from the certified model, as formalized via (ϵ,ζ)(\epsilon,\zeta)-indistinguishability. Figure 5

Figure 5: Parametric robustness of un perturbations gauged by recovery attacks, demonstrating accuracy recovery with increasing 2\ell_2-norm weight perturbations.

This approach grounds the practical definition of "deep immemor state": if no nearby models in parameter space can substantially exceed a specified utility threshold on the censored data, the knowledge is provably hard to reconstruct.

Implications and Future Directions

This SoK has critical implications for privacy-preserving ML, regulatory auditability, and adversarial ML. Key points include:

  • Formal Evaluation of Erasure Robustness: Auditors and practitioners should not rely on post-unlearning performance alone. Parameter-space and model-space robustness must be routinely evaluated.
  • Antagonistic Interactions: The upstream and downstream defenses can interfere, undermining each other's effectiveness and suggesting that future methods must be co-designed.
  • Regulatory Compliance: Current heuristics do not meet the bar for robust, verifiable right-to-forget guarantees; legal compliance in high-stakes domains demands both theoretical and empirical certification of depth.
  • Future Research: New approaches should integrate parameter-space robustness guarantees from the onset, exploring joint optimization of upstream and downstream mechanisms. Noise-scaled, robust fine-tuning and hybrid methods that combine rigorous certification with practical scalability will be central.

Conclusion

By providing a comprehensive taxonomy, empirical evidence, and theoretical guarantees on the depth of dememorization, this work highlights and quantifies the challenges of shallow unlearnability and unlearning. The proposed framework for robust, parameter-space-based certification is poised to influence the future design of privacy-preserving ML systems and regulatory audit tools. Substantial future work remains open in constructing scalable, interoperable, and robust dememorization pipelines across the ML development lifecycle (2605.11592).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.