When Forgetting Reveals: Black-Box Inversion Attacks on Unlearning in Large Language Models
摘要
Modern large language models (LLMs) are increasingly required to forget specific knowledge for legal, ethical, or privacy reasons. Machine unlearning aims to remove specific data or facts from a model without retraining from scratch. In this work, we show that current LLM unlearning techniques leave identifiable behavioral fingerprints in their outputs that a malicious actor can exploit. We consider an unlearning inversion attack in which an adversary with black-box query access to an original model and its unlearned version tries to infer what knowledge was removed. We evaluate four state-of-the-art unlearning methods - Gradient Ascent (GA), Direct Preference Optimization (DPO), Negative Preference Optimization (NPO), and Rejection Tuning (RT) - on the Real-World Knowledge Unlearning (RWKU) benchmark for factual knowledge removal. By crafting probe queries and using Gemini 2.5 Pro as a LLM judge to quantify behavioral changes, the attacker can reliably assign a Discrepancy Score to each candidate and identify the removed subject. Our experiments show high success rates in identifying the removed subject, far above random chance. We also discuss how each unlearning method leaves a unique “fingerprint” in model behavior and examine possible countermeasures.