defense 2025

Erase or Hide? Suppressing Spurious Unlearning Neurons for Robust Unlearning

Nakyeong Yang 1,2, Dong-Kyum Kim 2, Jea Kwon 2, Minsung Kim 1, Kyomin Jung 1, Meeyoung Cha 2

1 Seoul National University

2 Max Planck Institute for Security and Privacy

1 citations · 36 references · arXiv
α

Published on arXiv

2509.22263

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

Ssiuu reliably erases target knowledge and outperforms strong baselines across both adversarial relearning scenarios, showing that attribution-guided regularization prevents knowledge resurfacing during subsequent training

Ssiuu

Novel technique introduced

Large language models trained on web-scale data can memorize private or sensitive knowledge, raising significant privacy risks. Although some unlearning methods mitigate these risks, they remain vulnerable to "relearning" during subsequent training, allowing a substantial portion of forgotten knowledge to resurface. In this paper, we show that widely used unlearning methods cause shallow alignment: instead of faithfully erasing target knowledge, they generate spurious unlearning neurons that amplify negative influence to hide it. To overcome this limitation, we introduce Ssiuu, a new class of unlearning methods that employs attribution-guided regularization to prevent spurious negative influence and faithfully remove target knowledge. Experimental results confirm that our method reliably erases target knowledge and outperforms strong baselines across two practical retraining scenarios: (1) adversarial injection of private data, and (2) benign attack using an instruction-following benchmark. Our findings highlight the necessity of robust and faithful unlearning methods for safe deployment of language models.

Key Contributions

  • Identifies 'shallow unlearning alignment' — existing unlearning methods create spurious neurons that hide rather than erase target knowledge, making them vulnerable to relearning
  • Proposes Ssiuu, an attribution-guided regularization method that suppresses spurious negative influence to achieve faithful knowledge erasure
  • Demonstrates robustness against two adversarial relearning scenarios: adversarial injection of private data and benign instruction-following fine-tuning

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
training_timewhite_box
Applications
large language model privacyllm safe deploymentknowledge unlearning
Read PDF arXiv DOI

Similar Papers

defense

Chain-of-Sanitized-Thoughts: Plugging PII Leakage in CoT of Large Reasoning Models

2026 1 cit.
82%
defense

Navigating the Designs of Privacy-Preserving Fine-tuning for Large Language Models

2025 0 cit.
Model Inversion Attack
77%
defense

Adaptive Token-Weighted Differential Privacy for LLMs: Not All Tokens Require Equal Protection

2025 1 cit.
Model Inversion Attack
77%
defense

Downgrade to Upgrade: Optimizer Simplification Enhances Robustness in LLM Unlearning

2025 0 cit.
77%
defense

Data-Free Privacy-Preserving for LLMs via Model Inversion and Selective Unlearning

2026 0 cit.
Model Inversion Attack
77%
defense

Beyond Sharp Minima: Robust LLM Unlearning via Feedback-Guided Multi-Point Optimization

2025 1 cit.
77%
defense

Stop Tracking Me! Proactive Defense Against Attribute Inference Attack in LLMs

2026 1 cit.
75%
defense

AlienLM: Alienization of Language for API-Boundary Privacy in Black-Box LLMs

2026 0 cit.
75%