A. The Need for Systems to Forget

Today's systems produce a rapidly exploding amount of data, ranging from personal photos and office documents to logs of user clicks on a website or mobile device [15]. From this data, the systems perform a myriad of computations to derive even more data. For instance, backup systems copy data from one place (e.g., a mobile device) to another (e.g., the cloud). Photo storage systems re-encode a photo into different formats and sizes [23], [53]. Analytics systems aggregate raw data such as click logs into insightful statistics. Machine learning systems extract models and properties (e.g., the similarities of movies) from training data (e.g., historical movie ratings) using advanced algorithms. This derived data can recursively derive more data, such as a recommendation system predicting a user's rating of a movie based on movie similarities. In short, a piece of raw data in today's systems often goes through a series of computations, “creeping” into many places and appearing in many forms. The data, computations, and derived data together form a complex data propagation network that we call the data's lineage.

For a variety of reasons, users want a system to forget certain sensitive data and its complete lineage. Consider privacy first. After Facebook changed its privacy policy, many users deleted their accounts and the associated data [69]. The iCloud photo hacking incident [8] led to online articles teaching users how to completely delete iOS photos including the backups [79]. New privacy research revealed that machine learning models for personalized warfarin dosing leak patients' genetic markers [43], and a small set of statistics on genetics and diseases suffices to identify individuals [78]. Users unhappy with these newfound risks naturally want their data and its influence on the models and statistics to be completely forgotten. System operators or service providers have strong incentives to honor users' requests to forget data, both to keep users happy and to comply with the law [72]. For instance, Google had removed 171,183 links [50] by October 2014 under the “right to be forgotten” ruling of the highest court in the European Union.

Security is another reason that users want data to be forgotten. Consider anomaly detection systems. The security of these systems hinges on the model of normal behaviors extracted from the training data. By polluting¹ the training data, attackers pollute the model, thus compromising security. For instance, Perdisci et al. [56] show that PolyGraph [55], a worm detection engine, fails to generate useful worm signatures if the training data is injected with well-crafted fake network flows. Once the polluted data is identified, the system must completely forget the data and its lineage to regain security.

Usability is a third reason. Consider the recommendation or prediction system Google Now [7]. It infers a user's preferences from her search history, browsing history, and other analytics. It then pushes recommendations, such as news about a show, to the user. Noise or incorrect entries in analytics can seriously degrade the quality of the recommendation. One of our lab members experienced this problem first-hand. He loaned his laptop to a friend who searched for a TV show (“Jeopardy!”) on Google [1]. He then kept getting news about this show on his phone, even after he deleted the search record from his search history.

We believe that systems must be designed under the core principle of completely and quickly forgetting sensitive data and its lineage for restoring privacy, security, and usability. Such forgetting systems must carefully track data lineage even across statistical processing or machine learning, and make this lineage visible to users. They let users specify the data to forget with different levels of granularity. For instance, a privacy-conscious user who accidentally searches for a sensitive keyword without concealing her identity can request that the search engine forget that particular search record. These systems then remove the data and revert its effects so that all future operations run as if the data had never existed. They collaborate to forget data if the lineage spans across system boundaries (e.g., in the context of web mashup services). This collaborative forgetting potentially scales to the entire Web. Users trust forgetting systems to comply with requests to forget, because the aforementioned service providers have strong incentives to comply, but other trust models are also possible. The usefulness of forgetting systems can be evaluated with two metrics: how completely they can forget data (completeness) and how quickly they can do so (timeliness). The higher these metrics, the better the systems at restoring privacy, security, and usability.

We foresee easy adoption of forgetting systems because they benefit both users and service providers. With the flexibility to request that systems forget data, users have more control over their data, so they are more willing to share data with the systems. More data also benefit the service providers, because they have more profit opportunities services and fewer legal risks. In addition, we envision forgetting systems playing a crucial role in emerging data markets [3], [40], [61] where users trade data for money, services, or other data because the mechanism of forgetting enables a user to cleanly cancel a data transaction or rent out the use rights of her data without giving up the ownership.

Forgetting systems are complementary to much existing work [55], [75], [80]. Systems such as Google Search [6] can forget a user's raw data upon request, but they ignore the lineage. Secure deletion [32], [60], [70] prevents deleted data from being recovered from the storage media, but it largely ignores the lineage, too. Information flow control [41], [67] can be leveraged by forgetting systems to track data lineage. However, it typically tracks only direct data duplication, not statistical processing or machine learning, to avoid taint explosion. Differential privacy [75], [80] preserves the privacy of each individual item in a data set equally and invariably by restricting accesses only to the whole data set's statistics fuzzed with noise. This restriction is at odds with today's systems such as Facebook and Google Search which, authorized by billions of users, routinely access personal data for accurate results. Unsurprisingly, it is impossible to strike a balance between utility and privacy in state-of-the-art implementations [43]. In contrast, forgetting systems aim to restore privacy on select data. Although private data may still propagate, the lineage of this data within the forgetting systems is carefully tracked and removed completely and in a timely manner upon request. In addition, this fine-grained data removal caters to an individual user's privacy consciousness and the data item's sensitivity. Forgetting systems conform to the trust and usage models of today's systems, representing a more practical privacy vs utility tradeoff. Researchers also proposed mechanisms to make systems more robust against training data pollution [27], [55]. However, despite these mechanisms (and the others discussed so far such as differential privacy), users may still request systems to forget data due to, for example, policy changes and new attacks against the mechanisms [43], [56]. These requests can be served only by forgetting systems.

Fig. 1:

Unlearning idea. Instead of making a model directly depend on each training data sample (left), we convert the learning algorithm into a summation form (right). Specifically, each summation is the sum of transformed data samples, where the transformation functions $g_{i}$ are efficiently computable. There are only a small number of summations, and the learning algorithm depends only on summations. To forget a data sample, we simply update the summations and then compute the updated model. This approach is asymptotically much faster than retraining from scratch.

Show All

B. Machine Unlearning

While there are numerous challenges in making systems forget, this paper focuses on one of the most difficult chal-lenges: making machine learning systems forget. These systems extract features and models from training data to answer questions about new data. They are widely used in many areas of science [25], [35], [37], [46], [55], [63]–​[65]. To forget a piece of training data completely, these systems need to revert the effects of the data on the extracted features and models. We call this process machine unlearning, or unlearning for short.

A naïve approach to unlearning is to retrain the features and models from scratch after removing the data to forget. However, when the set of training data is large, this approach is quite slow, increasing the timing window during which the system is vulnerable. For instance, with a real-world data set from Huawei (see § VII), it takes Zozzle [35], a JavaScript malware detector, over a day to retrain and forget a polluted sample.

We present a general approach to efficient unlearning, without retraining from scratch, for a variety of machine learning algorithms widely used in real-world systems. To prepare for unlearning, we transform learning algorithms in a system to a form consisting of a small number of summations [33]. Each summation is the sum of some efficiently computable transformation of the training data samples. The learning algorithms depend only on the summations, not individual data. These summations are saved together with the trained model. (The rest of the system may still ask for individual data and there is no injected noise as there is in differential privacy.) Then, in the unlearning process, we subtract the data to forget from each summation, and then update the model. As Figure 1 illustrates, forgetting a data item now requires recomputing only a small number of terms, asymptotically faster than retraining from scratch by a factor equal to the size of the training data set. For the aforementioned Zozzle example, our unlearning approach takes only less than a second compared to a day for retraining. It is general because the summation form is from statistical query (SQ) learning [48]. Many machine learning algorithms, such as naïve Bayes classifiers, support vector machines, and k-means clustering, can be implemented as SQ learning. Our approach also applies to all stages of machine learning, including feature selection and modeling.

We evaluated our unlearning approach on four diverse learning systems including (1) LensKit [39], an open-source recommendation system used by several websites for conference [5], movie [14], and book [4] recommendations; (2) an independent re-implementation of Zozzle, the aforementioned closed-source JavaScript malware detector whose algorithm was adopted by Microsoft Bing [42]; (3) an open-source online social network (OSN) spam filter [46]; and (4) PJScan, an open-source PDF malware detector [51]. We also used realworld workloads such as more than 100K JavaScript malware samples from Huawei. Our evaluation shows:

• All four systems are prone to attacks targeting learning. For LensKit, we reproduced an existing privacy attack [29]. For each of the other three systems, because there is no known attack, we created a new, practical data pollution attack to decrease the detection effectiveness. One particular attack requires careful injection of multiple features in the training data set to mislead feature selection and model training (see § VII).

• Our unlearning approach applies to all learning algorithms in LensKit, Zozzle, and PJScan. In particular, enabled by our approach, we created the first efficient unlearning algorithm for normalized cosine similarity [37], [63] commonly used by recommendation systems (e.g., LensKit) and for one-class support vector machine (SVM) [71] commonly used by classification/anomaly detection systems (e.g., PJScan uses it to learn a model of malicious PDFs). We show analytically that, for all these algorithms, our approach is both complete (completely removing a data sample's lineage) and timely (asymptot-ically much faster than retraining). For the OSN spam filter, we leveraged existing techniques for unlearning.

• Using real-world data, we show empirically that unlearning prevents the attacks and the speedup over retraining is often huge, matching our analytical results.

• Our approach is easy to use. It is straightforward to modify the systems to support unlearning. For each system, we modified from 20-300 lines of code, less than 1% of the system.

C. Contributions and Paper Organization

This paper makes four main contributions:

• The concept of forgetting systems that restore privacy, se-curity, and usability by forgetting data lineage completely and quickly;

• A general unlearning approach that converts learning algorithms into a summation form for efficiently forgetting data lineage;

• An evaluation of our approach on real-world systems/al-gorithms demonstrating that it is practical, complete, fast, and easy to use; and

• The practical data pollution attacks we created against real-world systems/algorithms.

While prior work proposed incremental machine learning for several specific learning algorithms [31], [62], [73], the key difference in our work is that we propose a general efficient unlearning approach applicable to any algorithm that can be converted to the summation form, including some that currently have no incremental versions, such as normalized cosine similarity and one-class SVM. In addition, our unlearning approach handles all stages of learning, including feature selection and modeling. We also demonstrated our approach on real systems.

Our unlearning approach is inspired by prior work on speeding up machine learning algorithms with MapReduce [33]. We believe we are the first to establish the connection between unlearning and the summation form. In addition, we are the first to convert non-standard real-world learning algorithms such as normalized cosine similarity to the summation form. The conversion is complex and challenging (see VI). In contrast, the prior work converts nine standard machine learning algorithms using only simple transformations.

The rest of the paper is organized as follows. In II, we present some background on machine learning systems and the extended motivation of unlearning. In III, we present the goals and work flow of unlearning. In IV, we present the core approach of unlearning, i.e., transforming a system into the summation form, and its formal backbone. In § V, we overview our evaluation methodology and summarize results. In § VI–​IX, we report detailed case studies on four real-world learning systems. In § X and § XI, we discuss some issues in unlearning and related work, and in § XII, we conclude.

A. Machine Learning Background

Figure 2 shows that a general machine learning system with three processing stages.

• Feature selection. During this stage, the system selects, from all features of the training data, a set of features most crucial for classifying data. The selected feature set is typically small to make later stages more accurate and efficient. Feature selection can be (1) manual where system builders carefully craft the feature set or (2) automatic where the system runs some learning algorithms such as clustering and chi-squared test to compute how crucial the features are and select the most crucial ones.

• Model training. The system extracts the values of the selected features from each training data sample into a feature vector. It feeds the feature vectors and the malicious or benign labels of all training data samples into some machine learning algorithm to construct a succinct model.

• Prediction. When the system receives an unknown data sample, it extracts the sample's feature vector and uses the model to predict whether the sample is malicious or benign.

Fig. 2:

A general machine learning system. Given a set of training data including both malicious (+) and benign (-) samples, the system first selects a set of features most crucial for classifying data. It then uses the training data to construct a model. To process an unknown sample, the system examines the features in the sample and uses the model to predict the sample as malicious or benign. The lineage of the training data thus flows to the feature set, the model, and the prediction results. An attacker can feed different samples to the model and observe the results to steal private information from every step along the lineage, including the training data set (system inference attack). She can pollute the training data and subsequently every step along the lineage to alter prediction results (training data pollution attack).

Show All

Note that a learning system mayor may not contain all three stages, work with labeled training data, or classify data as malicious or benign. We present the system in Figure 2 because it matches many machine learning systems for security purposes such as Zozzle. Without loss of generality, we refer to this system as an example in the later sections of the paper.

B. Adversarial Model

To further motivate the need for unlearning, we describe several practical attacks in the literature that target learning systems. They either violate privacy by inferring private information in the trained models (§ II-B1), or reduce security by polluting the prediction (detection) results of anomaly detection systems (§ II-B2).

A. Unlearning Goals

Recall that forgetting systems have two goals: (1) completeness, or how completely they can forget data; and (2) timeliness, or how quickly they can forget. We discuss what these goals mean in the context of unleaming.

B. Unlearning Work Flow

Given a training data sample to forget, unlearning updates the system in two steps, following the learning process shown in Figure 2. First, it updates the set of selected features. The inputs at this step are the sample to forget, the old feature set, and the summations previously computed for deriving the old feature set. The outputs are the updated feature set and summations. For example, Zozzle selects features using the chi-squared test, which scores a feature based on four counts (the simplest form of summations): how many malicious or benign samples contain or do not contain this feature. To support unlearning, we augmented Zozzle to store the score and these counts for each feature. To unlearn a sample, we update these counts to exclude this sample, re-score the features, and select the top scored features as the updated feature set. This process does not depend on the training data set, and is much faster than retraining which has to inspect each sample for each feature. The updated feature set in our experiments is very similar to the old one with a couple of features removed and added.

Second, unlearning updates the model. The inputs at this step are the sample to forget, the old feature set, the updated feature set, the old model, and the summations previously computed for deriving the old model. The outputs are the updated model and summations. If a feature is removed from the feature set, we simply splice out the feature's data from the model. If a feature is added, we compute its data in the model. In addition, we update summations that depend on the sample to forget, and update the model accordingly. For Zozzle which classifies data as malicious or benign using naïve Bayes, the summations are probabilities (e.g., the probability that a training data sample is malicious given that it contains a certain feature) computed using the counts recorded in the first step. Updating the probabilities and the model is thus straightforward, and much faster than retraining.

A. Non-Adaptive SQ Learning

A Non-Adaptive SQ Learning algorithm must determine all SQs upfront. It follows that the number of these SQs is constant, denoted m, and the transformation g-functions are fixed, denoted $g_{1}, g_{2}, \ldots, g_{m}$. We represent the algorithm in the following form: \begin{equation*}Learn(\sum_{x_{i}\in X}g_{1}(x_{i},\ l_{x_{i}}),\ \sum_{x_{i}\in X}g_{2}(x_{i},\ l_{x_{i}}),\ \ldots,\ \sum_{x_{i}\in X}g_{m}(x_{i},\ l_{x_{i}})) \end{equation*}View Source\begin{equation*}Learn(\sum_{x_{i}\in X}g_{1}(x_{i},\ l_{x_{i}}),\ \sum_{x_{i}\in X}g_{2}(x_{i},\ l_{x_{i}}),\ \ldots,\ \sum_{x_{i}\in X}g_{m}(x_{i},\ l_{x_{i}})) \end{equation*} where $x_{i}$ is a training data sample and $l_{x_{i}}$ its label. This form encompasses many popular machine learning algorithms, including linear regression, chi-squared test, and naïve Bayes.

With this form, unlearning is as follows. Let $G_{k}$ be $\sum g_{k}(x_{i},\ l_{x_{i}})$. All $G_{k}\mathrm{s}$ are saved together with the learned model. To unlearn a data sample $x_{p}$ ‘ we compute $G_{k}'$ as $G_{k}-g_{k}(x_{p},\ l_{x_{p}})$. The updated model is thus \begin{equation*}Learn(G_{1}-g_{1}(x_{p},\ l_{x_{p}}),\ G_{2}-g_{2}(x_{p)}l_{x_{p}}),\ \ldots)G_{m}-g_{m}(x_{p},\ l_{x_{p}})) \end{equation*}View Source\begin{equation*}Learn(G_{1}-g_{1}(x_{p},\ l_{x_{p}}),\ G_{2}-g_{2}(x_{p)}l_{x_{p}}),\ \ldots)G_{m}-g_{m}(x_{p},\ l_{x_{p}})) \end{equation*}

Unlearning on a non-adaptive SQ learning algorithm is complete because this updated model is identical to \begin{equation*}Learn(2:_{i\neq p}g_{1}(x_{i},\ l_{x_{i}}),\ \sum_{i\neq p}g_{2}(x_{i},\ l_{x_{i}}),\ \ldots,\ \sum_{i\neq p}g_{m}(x_{i},\ l_{x_{i}})) \end{equation*}View Source\begin{equation*}Learn(2:_{i\neq p}g_{1}(x_{i},\ l_{x_{i}}),\ \sum_{i\neq p}g_{2}(x_{i},\ l_{x_{i}}),\ \ldots,\ \sum_{i\neq p}g_{m}(x_{i},\ l_{x_{i}})) \end{equation*} the model computed by retraining on the training data excluding $x_{p}$. For timeliness, it is also much faster than retraining because (1) computing $G_{k}'$ is easy: simply subtract $g_{k}(x_{p},\ l_{x_{p}})$ from $G_{k}$ and (2) there are only a constant number of summations $G_{k}$.

We now illustrate how to convert a non-adaptive SQ learning algorithm into this summation form using naïve Bayes as an example. Given a sample with features $F_{1}, F_{2}$, and $F_{k}$, naïve Bayes classifies the sample with label $L$ if $P(L\vert F_{1},\cdots, F_{k})$, the conditional probability of observing label $L$ on a training data sample with all these features, is bigger than this conditional probability for any other label. This conditional probability is computed using Equation 1. \begin{equation*}P(L\vert F_{1}, \ldots,\ F_{k})=\frac{P(L)\Pi_{i=0}^{k}P(F_{i}\vert L)}{\Pi_{i=0}^{k}P(F_{i})} \tag{1} \end{equation*}View Source\begin{equation*}P(L\vert F_{1}, \ldots,\ F_{k})=\frac{P(L)\Pi_{i=0}^{k}P(F_{i}\vert L)}{\Pi_{i=0}^{k}P(F_{i})} \tag{1} \end{equation*}

We now convert each probability term $P$ in this equation into summations. Consider $P(F_{i}\vert L)$ as an example. It is computed by taking (1) the number of training data samples with feature $F_{i}$ and label $L$, denoted $N_{F_{i}, L}$, and dividing by (2) the number of training data samples with label $L$, denoted $N_{L}$. Each counter is essentially a very simple summation of a function that returns 1 when a sample should be counted and 0 otherwise. For instance, $N_{L}$ is the sum of an indicator function $g_{L}(x,\ l_{x})$ that returns 1 when $l_{x}$ is $L$ and 0 otherwise. Similarly, all other probability terms are computed by dividing the corresponding two counters. $P(L)$ is the division of $N_{L}$ over the total number of samples, denoted N. $P(F_{i})$ is the division of the number of training data samples with the feature $F_{i}$, denoted $N_{F_{i}}$, over $N$.

To unlearn a sample, we simply update these counters and recompute the probabilities. For instance, suppose the training sample to unlearn has label $L$ and one feature $F_{j}$. After unlearning, $F(F_{j}\vert L)$ becomes $\frac{N_{F_{j}L}-1}{N_{L}-1}$, and all other $P(F_{i}\vert L)\mathrm{s}$ become $\frac{N_{F_{i}L}}{N_{L}-1}. P(L)$ becomes $\frac{N_{L}-1}{N}. P(F_{j})$ becomes $\frac{N_{F_{j}}-1}{N-1}$, and all other $P(F_{i})\mathrm{s}$ become $\frac{N_{F_{i}}}{N-1}$.

B. Adaptive SQ Learning

An adaptive SQ learning algorithm issues its SQs iteratively on the fly, and later SQs may depend on results of earlier ones. (Non-adaptive SQ learning is a special form of adaptive SQ learning.) Operationally, adaptive SQ learning starts by selecting an initial state $s_{0}$, randomly or heuristically. At state $s_{j}$, it determines the transformation functions in the SQs based on the current state, sends the SQs to the oracle, receives the results, and learns the next state $s_{j+1}$. It then repeats until the algorithm converges. During each iteration, the current state suffices for determining the transformation functions because it can capture the entire history starting from $s_{0}$. We represent these functions in each state $s_{j}$ as $g_{s_{j}},\mathrm{i}, g_{s_{j},2}, g_{s_{j}, m}$. Now, the algorithm is in the following form:

1. $s_{0}$: initial state;

2. $s_{j+1} =Learn(\sum_{x_{i}\in X}g_{s_{j},1}(x_{i}l_{x_{i}}), \sum_{x_{i}\in X}g_{s_{j},2}(x_{i},\ l_{x_{i}}),\ldots, \sum_{x_{i}\in X}g_{s_{j},m}(x_{i},\ l_{x_{i}}))$;

3. Repeat (2) until the algorithm converges.

The number of iterations required for the algorithm to converge depends on the algorithm, the initial state selected, and the training data. Typically the algorithm is designed to robustly converge under many scenarios. This adaptive form of SQ learning encompasses many popular machine learning algorithms, including gradient descent, SVM, and k-means.

Unlearning this adaptive form is more changing than nonadaptive because, even if we restart from the same initial state, if the training data sample to forget changes one iteration, all subsequent iterations may deviate and require computing from scratch. Fortunately, our insight is that, after removing a sample, the previously converged state often becomes only slightly out of convergence. Thus, unlearning can simply “resume” the iterative learning algorithm from this state on the updated training data set, and it should take much fewer iterations to converge than restarting from the original or a newly generated initial state.

Operationally, our adaptive unlearning approach works as follows. Given the converged state S computed on the original training data set, it removes the contributions of the sample to forget from the summations that Learn uses to compute S, similar to unlearning the non-adaptive form. Let the resultant state be $S$. Then, it checks whether $S$ meets the algorithm's convergence condition. If not, it sets $S$ as the initial state and runs the iterative learning algorithm until it converges.

We now discuss the completeness of our adaptive unlearning approach in three scenarios. First, for algorithms such as SVM that converge at only one state, our approach is complete because the converged state computed from unlearning is the same as that retrained from scratch. Second, for algorithms such as k-means that converge at multiple possible states, our approach is complete if the state $S'$ is a possible initial state selected by the algorithm (e.g., the algorithm selects initial state randomly). A proof sketch is as follows. Since $S'$ is a possible initial state, there is one possible retraining process that starts from $S'$ and reaches a new converged state. At every iteration of this retraining process, the new state computed by Learn is identical to the state computed in the corresponding iteration in unlearning. Thus, they must compute the same exact converged state, satisfying the completeness goal (§ III-A1). Third, our approach may be incomplete if (a) $S'$ cannot be a possible initial state (e.g., the algorithm selects initial state using a heuristic that happens to rule out $S'$) or (b) the algorithm does not converge or converges at a state different than all possible states retraining converges to. We expect these scenarios to be rare because adaptive algorithms need to be robust anyway for convergence during normal operations.

Our adaptive unlearning approach is also timely. The speedup over retraining is twofold. First, unlearning is faster at computing the summations if there are old results of the summations to use. For example, it updates the state S by removing contributions of the removed sample. Second, unlearning starts from an almost-converged state, so it needs fewer iterations to converge than retraining. In practice, we expect that the majority of the speedup comes from the reduced number of iterations. For instance, our evaluation shows that, on average, PJScan retraining needs 42 iterations while unlearning only 2.4, a speedup of over 17x (§ IX). The implication is that, in principle, our adaptive unlearning approach should speed up any robust iterative machine learning algorithm, even if the algorithm does not follow SQ learning. In practice, however, very few practical learning algorithms cannot be converted to the adaptive SQ learning form. Specifically, many machine learning problems can be cast as optimization problems, potentially solvable using gradient descent, an adaptive SQ learning algorithm. Thus, we used adaptive SQ learning to represent the more general class of iterative algorithms in our discussion.

Now, we illustrate how to convert an adaptive SQ learning algorithm into the summation form using k-means clustering as an example. K-means clustering starts from an initial set of randomly selected cluster centers, $c_{1}, \ldots, c_{k}$, assigns each data point to a cluster whose center has the shortest Euclidean distance to the point, and then updates each $c_{i}$ based on the mean value of all the data points in its cluster. It repeats this assignment until the centers no longer change.

To support unlearning, we convert the calculation of each $c_{i}$ into summations. Because k-means clustering is unsupervised, labels are not involved in the following discussion. Let us define $g_{c_{i}, j}(x)$ as a function that outputs $x$ when the distance between x and $c_{i}$ is minimum, and otherwise 0; and define $g_{j}'(x)$ as a function that outputs 1 when the distance between $x$ and $C_{i}$ is minimum, and otherwise 0. Now, the new $c_{i}$ in the $j+1$ iteration equals $\frac{\Sigma_{x\in X}g_{c_{i}j}(x)}{\Sigma_{x\in X}g_{\mathrm{c}_{i}j}'(x)}$.

To unlearn a sample $x_{p}$, we update $\sum_{x\in X}g_{c_{\mathrm{t}}, j}(x)$ and $\sum_{x\in X}g_{c_{i}, j}'(x)$ by subtracting $g_{c_{i}, j}(x_{p})$ and $g_{c_{i}, j}'(x_{p})$ from the summations. Then, we continue the iteration process until the algorithm converges.

A. The Attack – System Inference

Since there exists a prior system inference attack against recommendation systems [29], we reproduced this attack against LensKit and verified the effectiveness of the attack. As described by Calandrino et al. [29], the attacker knows the item-item similarity matrix and some items that the user bought from the past. To infer a newly bought item of the user, the attacker computes a delta matrix between the current item-item similarity matrix and the one without the item. Then, based on the delta matrix, the attacker could infer an initial list of items that might lead to the delta matrix, i.e., potential items that the user might have newly bought. Comparing the list of inferred items and the user's purchasing history, the attacker could infer the newly bought item. Following the attack steps, we first record the item-item similarity matrix of LensKit and one user's rating history. Then, we add one item to the user's rating history, compute the delta matrix and then successfully infer the added rating from the delta matrix and the user's rating history.

B. Analytical Results

To support unlearning in LensKit, we converted its recommendation algorithm into the summation form. Equation 4 shows this process. We start by substituting $\vec{a}_{\ast, k}$ and $\vec{a}_{\ast, l}$ in Equation 3 with their corresponding values in Equation 2 where n is the number of users and m the number of items, and expanding the multiplications. We then simplify the equation by substituting some terms using the five summations listed in Equation 5. The result shows that our summation approach applies to item-item recommendation using cosine similarity. \begin{align*} sim(k, l)& =\frac{\sum_{i=1}^{n}a_{ik}a_{il}}{\sqrt{\sum_{i=1}^{n}a_{ik}^{2}\sum_{i=1}^{n}a_{il}^{2}}}=\frac{\sum^{n}_{i=1}(r_{ik}-\mu_{i}-\eta_{k}+g)(r_{il}-\mu_{i}-\eta_{l}+g)}{\sqrt{\sum_{i=1}^{n}(r_{ik}-\mu_{i}-\eta_{k}+g)^{2}\sum_{i=1}^{n}(r_{il}-\mu_{i}-\eta_{l}+g)^{2}}}\\ &=\frac{\sum^{n}(r_{ik}-\mu_{i})(r_{il}-\mu_{i})-\eta_{k}\sum^{n}_{i=1}(r_{il}-\mu_{i})-\eta_{l}\sum^{n}_{i=1}(r_{ik}-\mu_{i})-g(\eta_{k}+\eta_{l})N+\eta_{k}\eta_{l}N+g^{2}N+g\sum^{n}_{i=1}(r_{ik}+r_{il}-2\mu_{i})} {\sqrt{\sum_{i=1}^{n}(r_{ik}-\mu_{i})^{2}-2(\eta_{k}-g)\sum_{i=1}^{n}(r_{ik}-\mu_{i})+(\eta_{k}-g)^{2}N}\sqrt{\sum_{i=1}^{n}(r_{il}-\mu_{i})^{2}-2(\eta_{l}-g)\sum_{i=1}^{n}(r_{il}-\mu_{i})+(\eta_{l}-g)^{2}N}}\tag{4} \\ & =\frac{S_{kl}-\eta_{k}S_{l}-\eta_{l}S_{k}+g(S_{k}+S_{l})-g(\eta_{k}+\eta_{l})N+\eta_{k}\eta_{l}N+g^{2}N}{\sqrt{S_{kk}-2(\eta_{k}-g)S_{k}+(\eta_{k}-g)^{2}N}\sqrt{S_{ll}-2(\eta_{l}-g)S_{l}+(\eta_{l}-g)^{2}N}}\\ &=Learn(S_{kl},\ S_{k},\ S_{l)}S_{kk)}S_{ll},\ g,\ \eta_{k},\ \eta_{l}) \\ &S_{kl}=\sum^{n}_{i=1}(r_{ik}-\mu_{i})(r_{il}-\mu_{i})\\ &S_{k}=\sum^{n}_{i=1}(r_{ik}-\mu_{i}) S_{l}=\sum^{n}_{i=1}(r_{il}-\mu_{i})\tag{5} \\ &S_{kk}=\sum^{n}_{i=1}(r_{ik}-\mu_{i})^{2} S_{ll}=\sum_{i=1}^{n}(r_{il}-\mu_{i})^{2} \end{align*}View Source\begin{align*} sim(k, l)& =\frac{\sum_{i=1}^{n}a_{ik}a_{il}}{\sqrt{\sum_{i=1}^{n}a_{ik}^{2}\sum_{i=1}^{n}a_{il}^{2}}}=\frac{\sum^{n}_{i=1}(r_{ik}-\mu_{i}-\eta_{k}+g)(r_{il}-\mu_{i}-\eta_{l}+g)}{\sqrt{\sum_{i=1}^{n}(r_{ik}-\mu_{i}-\eta_{k}+g)^{2}\sum_{i=1}^{n}(r_{il}-\mu_{i}-\eta_{l}+g)^{2}}}\\ &=\frac{\sum^{n}(r_{ik}-\mu_{i})(r_{il}-\mu_{i})-\eta_{k}\sum^{n}_{i=1}(r_{il}-\mu_{i})-\eta_{l}\sum^{n}_{i=1}(r_{ik}-\mu_{i})-g(\eta_{k}+\eta_{l})N+\eta_{k}\eta_{l}N+g^{2}N+g\sum^{n}_{i=1}(r_{ik}+r_{il}-2\mu_{i})} {\sqrt{\sum_{i=1}^{n}(r_{ik}-\mu_{i})^{2}-2(\eta_{k}-g)\sum_{i=1}^{n}(r_{ik}-\mu_{i})+(\eta_{k}-g)^{2}N}\sqrt{\sum_{i=1}^{n}(r_{il}-\mu_{i})^{2}-2(\eta_{l}-g)\sum_{i=1}^{n}(r_{il}-\mu_{i})+(\eta_{l}-g)^{2}N}}\tag{4} \\ & =\frac{S_{kl}-\eta_{k}S_{l}-\eta_{l}S_{k}+g(S_{k}+S_{l})-g(\eta_{k}+\eta_{l})N+\eta_{k}\eta_{l}N+g^{2}N}{\sqrt{S_{kk}-2(\eta_{k}-g)S_{k}+(\eta_{k}-g)^{2}N}\sqrt{S_{ll}-2(\eta_{l}-g)S_{l}+(\eta_{l}-g)^{2}N}}\\ &=Learn(S_{kl},\ S_{k},\ S_{l)}S_{kk)}S_{ll},\ g,\ \eta_{k},\ \eta_{l}) \\ &S_{kl}=\sum^{n}_{i=1}(r_{ik}-\mu_{i})(r_{il}-\mu_{i})\\ &S_{k}=\sum^{n}_{i=1}(r_{ik}-\mu_{i}) S_{l}=\sum^{n}_{i=1}(r_{il}-\mu_{i})\tag{5} \\ &S_{kk}=\sum^{n}_{i=1}(r_{ik}-\mu_{i})^{2} S_{ll}=\sum_{i=1}^{n}(r_{il}-\mu_{i})^{2} \end{align*}

We now discuss analytically the completeness and timeliness of unlearning in LensKit. To forget a rating in LensKit, we must update its item-item similarity matrix. To update the similarity between items k and l, we simply update all the summations in Equation 4, and then recompute $sim(k,\ l)$ using the summations. This unlearning process is 100% complete because it computes the same value of sim(k, l) as recomputing from scratch following Equation 3. The asymptotic time to unlearn sim(k, l) is only O(1) because there is only a constant number of summations, each of which can be updated in constant time. Considering all $m^{2}$ pairs of items, the time complexity of unlearning is $O(m^{2})$. In contrast, the time complexity of retraining from scratch is $O(nm^{2})$ because recomputing sim(k, l) following Equation 3 requires the dot-product of two vectors of size n. Thus, unlearning has a speedup factor of O(n) over retraining. This speedup is quite huge because a recommendation system typically has much more users than items (e.g., Netflix's users vs movies).

Algorithm 1: Learning Stage Preparation in LensKit

Now that we have shown mathematically how to convert LensKit's item-item similarity equation into the summation form and its analytical completeness and timeliness, we proceed to show algorithmically how to modify LensKit to support unlearning. While doing so is not difficult once Equation 4 is given, we report the algorithms we added to provide a complete picture of how to support unlearning in LensKit.

We added two algorithms to LensKit. Algorithm 1 runs during the learning stage of LensKit, which occurs when the system bootstraps or when the system operator decides to retrain from scratch. This algorithm computes the necessary summations for later unlearning. To compute the average rating of each user i ($\mu_{i}$, line 13), it tracks the number of ratings given by the user $(Count_{\mu_{i}}$, line 6) and the sum of these ratings ($Sum_{\mu_{i}}$, line 5). It similarly computes the average rating of each item k ($\eta_{k}$, line 17) by tracking the number of all ratings received by item $k(Count_{\eta_{k}}$, line 8) and the sum of these ratings ($Sum_{\eta_{k}}$, line 7). It computes the average of all ratings (g, line 15) by tracking the total number of ratings ($Count_{g}$, line 10) and the sum of them $(Sum_{\mathrm{g}}$, line 9). In addition, it computes additional summations $S_{k}$ and $S_{kl}$ (line 19 and 23) required by Equation 4. Once all summations are ready, it computes the similarity of each pair of items following Equation 4. It then stores the summations $\mu_{i}$ and $count_{\mu_{i}}$ for each user, $\eta_{j}$ and $count_{\eta_{j}}$ for each item, 9 and $count_{g}, S_{k}$ for each item, and $S_{kl}$ for each pair of items for later unlearning.

Algorithm 2: Unlearning Stage in LensKit

Algorithm 2 is the core algorithm for unlearning in LensKit. To forget a rating, it updates all relevant summations and relevant cells in the item-item similarity matrix. Suppose that user $u$ asks the system to forget a rating she gave about item $t$, Algorithm 2 first updates user $u$ 'S average rating $\mu_{i}$, item $t'$ s average rating $\eta_{j}$, and the global average rating g by multiplying the previous value of the average rating with the corresponding total number, subtracting the rating to forget $r_{ut}$, and dividing by the new total number (lines 1–3). It then updates item $t$ 's summations $S_{t}$ and $S_{tt}$ by subtracting the value contributed by $r_{ut}$ which simplifies to the assignments shown on lines 4–5. It then updates $S_{j}$ and $S_{jj}$ (lines 6–11) for each of the other items $j$ that received a rating from user m. Because the ratings given by the other users and their averages do not change, Algorithm 2 subtracts the old value contributed by user $u$ and adds the updated value. Algorithm 2 updates $S_{jk}$ similarly (lines 12–20). Finally, it recomputes $sim(j, k)$, based on updated summations following Equation 4 (line 21).

Note that while these algorithms require additional $n+ m^{2}+2m$ space to store the summations, the original item-item recommendation algorithm already uses $O(nm)$ space for the user-item rating matrix and $O(m^{2})$ space for the item-item similarity matrix. Thus, the asymptotic space complexity remains unchanged.

C. Empirical Results

To modify LensKit to support unlearning, we have inserted 302 lines of code into nine files spanning over three LensKit packages: lenskit-core, lenskit-knn, and lenskit-data-structures.

Empirically, we evaluated completeness using two sets of experiments. First, for each data subset, we randomly chose a rating to forget, ran both unlearning and retraining, and compared the recommendation results for each user and the item-item similarity matrices computed. We repeated this experiment ten times and verified that in all experiments, the recommendation results were always identical. In addition, the maximum differences between the Corresponding similarities were less than $1.0\times 10^{-6}$. These tiny differences were caused by imprecision in floating point arithmetic.

Second, we verified that unlearning successfully prevented the aforementioned system inference attack [29] from gaining any information about the forgotten rating. After unlearning, LensKit gave exactly the same recommendations as if the forgotten rating had never existed in the system. When we launched the attack, the delta matrices $(\S$ [V in [29]) used in the attack contained all zeros, so the attacker cannot infer anything from these matrices.

We evaluated timeliness by measuring the time it took to unlearn or retrain. We used all three data subsets and repeated each experiment three times. Table II shows the results. The first row shows the time of retraining, and the second row the time of unlearning, and the last row the speedup of unlearning over retraining. Unlearning consistently outperforms retraining. The speedup factor is less than the $O(n)$ analytical results because there are many empty ratings in the data set, i.e., a user does not give ratings for every movie. Therefore, the retraining speed is closer to $O(Nm)$ and the speedup factor is closer to $O(N/m)$ where $N$ is the number of ratings and m is the number of users. For a larger data set, the speedup may be even larger. For example, IMDb contains 2,950,317 titles (including TV shows, movies, etc.) and 54 million registered users [9], [19], which may produce billions or even trillions of ratings. In that case, the unlearning may take several hours to complete, while the retraining may take several days.

Table II: Speedup of unlearning over retraining for lenskit. The time of retraining increases by the factor of the number of total ratings, and the overhead of unlearning increases by the factor of the number of total users

A. The Attack – Training Data Pollution

To perform data pollution and influence the detection of Zozzle, an attacker might craft malicious samples by injecting features that do not appear in any benign samples. In such case, those crafted malicious samples could be captured by Zozzle's ground-truth detector (such as Nozzle [59]), and included in the training data set. The injected features (such as an if statement with an unusual condition) in the crafted malicious samples can influence both the feature selection and the sample detection stage of Zozzle. In the feature selection stage, the injected features are likely to be selected, and influence existing malicious features so that they are less likely to be picked. In the sample detection stage, the injected features influence the decision for a true malicious sample.

First, because the injected features do not appear in benign samples but only malicious samples, in the chi-squared test (Equation 6), $N_{+, F}$ and $N_{-,\hat{F}}$ are large, and $N_{-, F}$ and $N_{+,\hat{F}}$ are small. Therefore, the feature selection process is likely to pick the injected features.

In addition, the injected features can make a real malicious feature that would have been selected $-F_{real}$-less likely to be selected. Because the attacker does not change any benign training sample or remove the $F_{real}$ in existing malicious samples, but only add new samples, in the chi-squared test, $N_{+, F_{real}}, N_{-F_{r{e}a1}}$ and $N_{-,\hat{F}_{r{e}a1}}$ remain the same, and $N_{+,\hat{F}_{r{e}al}}$ increases. Therefore, the feature selection process is less likely to pick up $F_{real}$ as a malicious feature.

Second, the presence of an injected feature, $F_{inject}$, lowers the accuracy of the naïve Bayes classifier. Let us consider how the detection of a sample with one malicious feature, $F_{mal}$, is influenced in the presence of $F_{inject}$-i.e., how the value of $P(+\vert F_{mal})$ is lowered. Intuitively, since both $F_{mal}$ and $F_{inject}$ appear to be good indicators that a sample is malicious, Zozzle splits the weight it were to place on $F_{mal}$ alone onto both $F_{mal}$ and $F_{inject}$. Therefore, the weight on $F_{mal}$ is lowered.

In addition, if a single $F_{inject}$ cannot lower the accuracy of the naïve Bayes classifier significantly, the attacker could inject a large number of $F_{inject}$ to further lower the accuracy. Because of the independence assumption in the naïve Bayes classifier, the larger the number of $F_{inject}$, the smaller the weight of $F_{mal}$.

Now, we formally show how the accuracy of the naïve Bayes classifier is lowered. Before computing $P(+\vert F_{mal})-$ the probability of malice of samples with $F_{mal}$, let us take a first look at the computation of $P(+\vert F_{mal},\ F_{inject})$, and then we deduce $P(+\vert F_{mal})$ based on $P(+\vert F_{mal},\ F_{inject})$. Suppose, the attacker can inject samples with $F_{mal}$ and another crafted feature, $F_{inject}$. As discussed, in the feature selection stage, $F_{inject}$ is selected based on the chi-squared test. Now, we have Equation 7 for samples with $F_{mal}$ and $F_{inject}$. \begin{equation*}\begin{split}P(+\vert F_{mal},\ F_{inject})& =\frac{P(F_{mal}, F_{inject}\vert +)P(+)}{P(F_{mal}, F_{inject})}\\ &=\frac{P(F_{inject}\vert +)P(F_{mal}\vert +)P(+)}{P(F_{inject})P(F_{mal})}\\ &=\frac{P(F_{inject}\vert +)}{P(F_{inject})}P(+\vert F_{mal})\end{split} \tag{7} \end{equation*}View Source\begin{equation*}\begin{split}P(+\vert F_{mal},\ F_{inject})& =\frac{P(F_{mal}, F_{inject}\vert +)P(+)}{P(F_{mal}, F_{inject})}\\ &=\frac{P(F_{inject}\vert +)P(F_{mal}\vert +)P(+)}{P(F_{inject})P(F_{mal})}\\ &=\frac{P(F_{inject}\vert +)}{P(F_{inject})}P(+\vert F_{mal})\end{split} \tag{7} \end{equation*}

Through transformation (note that in Equation 7, naïve Bayes assumes that $F_{mal}$ and $F_{inject}$ are independent-i.e., derived from the independence assumption), we have Equation 8 for $P(+\vert F_{mal})$, the probability of malice for samples with just $F_{mal}$. \begin{equation*} P(+\vert F_{mal})=P(+\vert F_{mal}, F_{inject})\frac{P(F_{inject})}{P(F_{inject}\vert +)} \tag{8} \end{equation*}View Source\begin{equation*} P(+\vert F_{mal})=P(+\vert F_{mal}, F_{inject})\frac{P(F_{inject})}{P(F_{inject}\vert +)} \tag{8} \end{equation*}

In Equation 8, if $P(+\vert F_{mal})$ is below 0.5 and thus less than $P(-\vert F_{mal})$, Zozzle classifies samples with $F_{mal}$ as benign $(-)$. The purpose of pollution is to make this happen. Because $\frac{P(F_{inject})}{P(F_{i\mathrm{n}j\mathrm{e}ct}\vert +)}$ is a value corresponding to the percentage of malicious samples in the training set and thus less than 1, $P(+\vert F_{mal})$, is lowered due to the existence of $F_{inject}$.

As discussed in last few paragraphs, the injection of one $F_{inject}$ lowers $P(+\vert F_{mal})$. Now, we show that more injected features lower $P(+\vert F_{mal})$ even further. Suppose, the injection of one feature cannot decrease $P(+\vert F_{mal})$ in Equation 8 to a value below 0.5. An adversary can introduce enough number of $F_{inject}$, and as a generalization of Equation 8, we have Equation 9. \begin{equation*}\begin{split} P(+\vert F_{mal})= &P(+\vert F_{mal}, F_{1, inj{e}ct},\ \ldots, F_{k, inject})\\ &\times\frac{P(F_{1, inj{e}ct})}{P(F_{1, inject}\vert +)}\ldots \frac{P(F_{k, inj{e}ct})}{P(F_{k, inject}\vert +)}\end{split} \tag{9} \end{equation*}View Source\begin{equation*}\begin{split} P(+\vert F_{mal})= &P(+\vert F_{mal}, F_{1, inj{e}ct},\ \ldots, F_{k, inject})\\ &\times\frac{P(F_{1, inj{e}ct})}{P(F_{1, inject}\vert +)}\ldots \frac{P(F_{k, inj{e}ct})}{P(F_{k, inject}\vert +)}\end{split} \tag{9} \end{equation*}

Because each $\frac{P(F_{iinj\mathrm{e}\mathrm{c}t})}{P(F_{iinj\mathrm{e}ct}\vert +)}$ is less than 1, if k is large enough, the attacker can eventually decrease $P(+\vert F_{mal})$ to a value below 0.5, and hence Zozzle classifies the sample with $F_{mal}$ as benign. In summary, by injecting enough features, an adversary could subvert the detection decision of a malicious sample in Zozzle.

In practice, to pollute the training data, we inject five features that do not exist in any existing benign samples into 10% of the training set. We retrained the system with the same training set as well as the newly added samples with injected features, and the testing samples are still the same as those before pollution. The detection results are shown in the second column of Table III. Because of the injection of features, the true positive rate drops significantly from 93.1% to 37.8%. The false positive rate also drops a little bit from 0.5% to 0.3%, because more benign features are selected from the feature sets.

Table III: Zozzle's detection rate. The first column and the third column are exactly the same, illustrating that our unlearning is complete

B. Analytical and Empirical Results

Unlearning in Zozzle works as follows. First, the unlearning process groups all the data to forget together and extract corresponding features from the data to forget. Then, the chi values of all the features are updated. Since $N_{+, F}, N_{-, F}, N_{+,\hat{F}}$ ‘ and $N_{-,\hat{F}}$ in the chi value calculation (Equation 6) are counts of samples, or a summation of outputs of indicator functions, one can easily update the chi value of features. If the chi value of one feature cannot meet the threshold, the feature is removed. We reuse the feature selection process implemented by Zozzle to extract features from the data to forget, and then update the chi values stored in the database. Then, a new list of features is generated based on the new chi values. Second, the unlearning process updates all the conditional probability values related to updated features found in the first step. The detailed process has already been described in § IV. Note that because none of the aforementioned updates involve the size of training data set, the time complexity is $O(q)$, where $q$ is the number of features.

Empirically, we added only 21 lines of code to support unlearning in Zozzle, i.e., updated all the chi values and conditional probability. Then, we evaluated the completeness of unlearning by removing all the crafted samples from Zozzle. The results show that the feature sets and conditional probabilities after pollution and unlearning are the same as those generated by unpolluted data, as if the whole pollution process does not exist. Further, the true positive and false positive after pollution and unlearning shown in the third column of Table III are the same as those without data pollution as expected.

Next, we evaluate the timeliness of unlearning. Because the size of training samples is huge, the overall learning process takes one day and two hours. In contrast, unlearning one training sample takes less than one second on average, and the speedup is $9.5\times 10^{4}$. The overhead of unlearning is a linear function to the number of the samples to forget. As mentioned in III-A2, when the number of samples to forget increases, the overhead of unlearning increases, but the overhead of retraining decreases. When the number of samples to forget exceeds 63% of the total training samples, the retraining process is faster than the unlearning technique used in this section. In such an unlikely case, one may use retraining to achieve the unlearning task.

A. The Attack – Training Data Pollution

OSNSF is more robust to training data pollution than a traditional machine learning-based detection system. The reasons are twofold: manually picked features and pre-clustering before machine learning. While manually picked features introduce human efforts and cannot evolve over time, they prevent an attacker from polluting the feature selection stage (in which she can craft data to inject fake features). Pre-clustering of incoming samples can reduce the noises (polluted samples) introduced by attacks. For example, in the experiment, if we directly input random mislabeled training data, the filtering rate is affected to a very small degree (approximately 1% difference).

However, during pre-clustering stage, if the injected samples are crafted so that they can form a cluster, they significantly influence the filtering result. We utilize this fact to successfully manipulate OSNSF by polluting its training data. In particular, we craft training data based on two features in OSNSF: average message interval and social degree, because we find that the two features are more effective than other features such as cluster size. In the evaluation, we entirely removed the cluster size parameter from OSNSF and found that the filtering rate only drops a little. In comparison, both average message interval and social degree have large impacts on OSNSF, and further an attacker can manipulate the two parameters. For example, an attacker can send more or less messages to affect the average message interval, and friend or de-friend spam accounts that she owns to change the social degree.

By manipulating the two parameters in OSNSF, we successfully pollute the training data and lower the true positive rate as shown in Figure 3. The x-axis is the rate of polluted samples in all the training data and the y-axis is the true positive rate of the system, i.e., the number of true spams divided by the number of detected spams. As mentioned, because of the existence of clustering, when the pollution rate is lower than 1.7%, the effect of pollution on true positive rate is small. However, when the polluted samples successfully form into a new cluster, the system utilizes the feature values represented by the new cluster containing the polluted samples. Therefore, the true positive rate decreases significantly. This is also reflected in the generated decision tree, containing a branch of the injected feature values.

Fig. 3:

True positive rate of OSNSF vs percentage of polluted training data. After only 1.75% of the training data is polluted, OSNSF's true positive rate drops sharply because the polluted training data starts to form a cluster.

Show All

B. Analytical and Empirical Results

To enable unlearning for OSNSF, there are two steps: decremental clustering and decremental decision tree. The first step-decremental clustering-can be implemented by feeding polluted samples with the opposite labels into the incremental clustering interface of the current system, which either merges new samples into the existing cluster or creates a new cluster. Therefore, we focus on integrating a decremental decision tree into the system.

The C4.5 decision tree incorporated by OSNSF does not support any incremental or decremental algorithm for incoming data. Therefore, to support unlearning, we adopted another incremental decision tree-VFDT [38], the implementation of which is available in the VFML (Very Fast Machine Learning) toolkit, and the analytical overhead of which is $O(logN)$ for learning one sample as shown in the VFDT paper. To incorporate VFDT into OSNSF, we modify VFDT to read the decision tree generated by C4.5 and learn polluted samples with the opposite labels. Since VFDT supports the C4.5 data format, the intermediate output of OSNSF (i.e., the extracted feature values for each cluster) can be easily fed into VFDT.

Table IV: OSNSF's detection rate

Now we show the empirical results. We first feed polluted samples into OSNSF, and OSNSF outputs the features of newly created clusters. Next, our modified version of VFDT reads the polluted C4.5 decision tree and starts incremental building upon the polluted decision tree instead of a single leaf in the original implementation. After that, a new decision tree is outputted in the C4.5 format and used as the decision tree of OSNSF. The modified version only introduces 33 lines of code into main.cpp of the implementation of OSNSF to support the aforementioned process.

We then show the completeness results in Table IV. The first column shows the original true positive and false positive rate. After polluting 1.75% of the training data, both true and false positive rates decrease. Then, after unlearning the polluted samples, both the true positive rate and false positive rate increase. Note that the unlearning process does not restore the true positive rate to its pre-pollution value. This is because the two decision trees are generated by C4.5 and VFDT-different algorithms. VFDT will not generate the same decision tree as the C4.5 algorithm, even if the inputs as well as the order of the inputs are the same. However, we believe that the filtering rate (true positive) after unlearning is enough for a spam filtering system. Further, for 99.4% of testing samples, the original system and the unlearned system generate the same result, achieving 99.4% for the completeness of unlearning, a fairly high number. We also evaluate the timeliness of unlearning. The retraining takes 30mins, and the unlearning of one sample takes only 21.5ms, leading to a speedup factor of $8.4\times 10^{4}$.

A. The Attack – Training Data Pollution

To pollute PJScan, we need to move the center of the new, polluted n-sphere far away from the original center. In practice, we repeat the same alert functions (alert (1);) and inject such a fixed pattern into PDFs to achieve it.

We show the pollution results in Table V. The first column of Table V shows that without pollution PJScan classifies 81.5% of the malicious PDFs as malicious. When we pollute 21.8% of the training samples, the detection rate decreases to 69.3%. Then, when we increase the percentage of polluted training samples to 28.2%, the detection rate finally drops to 46.2%. The result indicates that one-class machine learning is harder to pollute than two-class machine learning. Specifically, two-class SVM classifier needs to draw a line between the sphere labeled as benign and the sphere labeled as malicious, and therefore the radius of one sphere is constrained by the other. In contrast, one-class SVM classifier can always increase the radius of the sphere and keep the percentage of included data samples in the sphere as a constant. This also aligns with the fact that one-class machine learning is robust to mimic attacks [57].

B. Analytical and Empirical Results

The unlearning process can be divided into two stages due to inherent properties of one-class SVM in PJScan. The first stage of unlearning is to re-calculate the new $\alpha$ value [20] of each support vector calculated by the solver in libSVM, and the second stage is to recalculate the center and the radius of the sphere. In the first stage, the calculation of $\alpha$ values is an iterative process of adaptive SQ learning, which starts from an initial assignment of $\alpha$ values, and in the end reaches the optimal point. Since the changes of $\alpha$ during unlearning is relatively small, we just need to feed the old values of $\alpha$ into the iteration process and then let the iteration process output the new $\alpha$.

The second stage of unlearning recalculates the value of the center and the radius. The calculation of the center is in the form of $\alpha_{1}x_{1}+\alpha_{2}x_{2}+\ldots$ – a summation. If the value of $\alpha$ changes in the first stage, we need to multiply the delta of $\alpha$ by the support vector and add it to the summation. If a new support vector emerges or an old one disappears, we also need to add or subtract corresponding values from the summation. Meanwhile, the calculation of the radius is based on the distance between the support vector with the smallest $\alpha$ and the center. If that support vector changes, the unlearning needs to recalculate the value of radius from scratch. Otherwise, as in the calculation of the center, the unlearning can utilize some of the partial calculation results from the past.

Empirically, in total, we added 30 lines of code into the libsvm_oc module of PJScan to update the $\alpha$ value, the center and the radius. Next, we evaluate the completeness by showing the unlearning result in the last column of Table V, the same as the original detection rate. In addition, we also evaluate the timeliness of unlearning. To calculate the $\alpha$ value, retraining takes 42 iterations, and unlearning one data sample takes 2.4 iterations on average, significantly smaller than retraining.

A. Adversarial Machine Learning

Broadly speaking, adversarial machine learning [22], [47] studies the behavior of machine learning in adversarial en-vironments. Based on a prior taxonomy [47], the attacks targeting machine learning are classified into two major cate-gories: (1) causative attacks in which an attacker has “write” access to the learning system-she pollutes the training data and subsequently influences the trained models and prediction results; and (2) exploratory attacks in which an attacker has “read-only” access-she sends data samples to the learning system hoping to steal private data inside the system or evade detection. In the rest of this subsection, we discuss these two categories of attacks in greater detail.

B. Defense of Data Pollution and Privacy Leakage

In this subsection, we discuss current defense mechanisms for data pollution and privacy leakage. Although claimed to be robust, many of these defenses are subsequently defeated by new attacks [43], [56]. Therefore, unlearning serves as an excellent complimentary method for these defenses.

C. Incremental Machine Learning

Incremental machine learning studies how to adjust the trained model incrementally to add new training data or remove obsolete data, so it is closely related to our work. Romero et al. [62] found the exact maximal margin hyperplane for linear SVMs so that a new component can be easily added or removed from the inner product. Cauwenberghs et al. [31] proposed using adiabatic increments to update a SVM from l training samples to $l+1$. Utgoff et al. [74] proposed an incremental algorithm to induce decision trees equivalent to the trees formed by Quinlan's ID3 algorithm. Domingos et al. [38] proposed a high performance construction algorithm of decision trees to deal with high-speed data streams. Recently, Tsai et al. [73] proposed using warm starts to practically build incremental SVMs with linear kernels.

Compared to prior incremental machine learning work, our unlearning approach differs fundamentally because we propose a general efficient unlearning approach applicable to any algorithm that can be converted to the summation form, including some that currently have no incremental versions. For instance, we successfully applied unlearning to normalized cosine similarity which recommendation systems commonly use to compute item-item similarity. This algorithm had no incremental versions prior to our work. In addition, we applied our learning approach to real-world systems, and demonstrated that it is important that unlearning handles all stages of learning, including feature selection and modeling.

Chu et al. [33] used the summation form to speed up machine learning algorithms with map-reduce. Their summation form is based on SQ learning, and provided inspiration for our work. We believe we are the first to establish the connection between unlearning and the summation form. Furthermore, we demonstrated how to convert non-standard machine learning algorithms, e.g., the normalized cosine similarity algorithm, to the summation form. In contrast, prior work converted nine standard machine learning algorithms using only simple transformations.