arxiv: 2604.04030 · v1 · submitted 2026-04-05 · 💻 cs.CR · cs.LG

Recognition: 2 theorem links

· Lean Theorem

Jellyfish: Zero-Shot Federated Unlearning Scheme with Knowledge Disentanglement

Houzhe Wang , Xiaojie Zhu , Chi Chen

Authors on Pith no claims yet

Pith reviewed 2026-05-13 17:20 UTC · model grok-4.3

classification 💻 cs.CR cs.LG

keywords federated unlearningzero-shot unlearningknowledge disentanglementsynthetic datadata privacymodel repairfederated learning

0 comments

The pith

The Jellyfish scheme achieves zero-shot federated unlearning by generating proxy data from error-minimizing noise and disentangling knowledge through channel restrictions on forgotten data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Jellyfish as a zero-shot federated unlearning scheme designed to ensure that deleted data no longer influences or can be extracted from the shared model. It achieves this through generating synthetic proxy data from error-minimizing noise, disentangling knowledge by limiting activated channels in convolutional outputs, and balancing multiple loss terms to forget while retaining performance. A final repair step restores accuracy using the proxies alone. A sympathetic reader would care because it addresses privacy regulations in collaborative machine learning without the cost of full retraining or data sharing.

Core claim

Jellyfish proposes a zero-shot unlearning mechanism that generates error-minimization noise as proxy data for the data to be forgotten to preserve privacy. It employs a knowledge disentanglement mechanism that regularises the output of the final convolutional layer by restricting the number of activated channels for the data to be forgotten and encouraging activation sparsity to maintain model utility. A comprehensive loss function with hard loss, confusion loss, distillation loss, model weight drift loss, gradient harmonization, and gradient masking aligns the forgetting and retaining objectives. Finally, a zero-shot repair mechanism leverages proxy data to restore model accuracy without 0

What carries the argument

The knowledge disentanglement mechanism that regularises the output of the final convolutional layer by restricting the number of activated channels for the data to be forgotten and encouraging activation sparsity.

If this is right

The scheme preserves privacy of forgotten data through proxy generation without direct access.
Model utility is maintained by aligning forgetting and retaining learning trajectories via the multi-component loss.
Accuracy can be restored within acceptable bounds using only proxy data in the repair phase.
The approach demonstrates robustness across diverse settings and data distributions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

This method could apply to other privacy-sensitive distributed training scenarios beyond standard federated learning.
The channel restriction technique might be adapted for disentangling knowledge in different model architectures.
A practical extension would involve quantifying the exact degree of forgetting using privacy metrics like membership inference success rates.

Load-bearing premise

The assumption that the generated proxy data and channel-restriction disentanglement achieve verifiable forgetting of the target data distribution without introducing new leakage or utility collapse.

What would settle it

An experiment where the unlearned model is tested on forgotten data samples and shows prediction accuracy significantly higher than random guessing, indicating incomplete forgetting.

read the original abstract

With the increasing importance of data privacy and security, federated unlearning emerges as a new research field dedicated to ensuring that once specific data is deleted, federated learning models no longer retain or disclose related information. In this paper, we propose a zero-shot federated unlearning scheme, named Jellyfish. It distinguishes itself from conventional federated unlearning frameworks in four key aspects: synthetic data generation, knowledge disentanglement, loss function design, and model repair. To preserve the privacy of forgotten data, we design a zero-shot unlearning mechanism that generates error-minimization noise as proxy data for the data to be forgotten. To maintain model utility, we first propose a knowledge disentanglement mechanism that regularises the output of the final convolutional layer by restricting the number of activated channels for the data to be forgotten and encouraging activation sparsity. Next, we construct a comprehensive loss function that incorporates multiple components, including hard loss, confusion loss, distillation loss, model weight drift loss, gradient harmonization, and gradient masking, to effectively align the learning trajectories of the objectives of ``forgetting" and ``retaining". Finally, we propose a zero-shot repair mechanism that leverages proxy data to restore model accuracy within acceptable bounds without accessing users' local data. To evaluate the performance of the proposed zero-shot federated unlearning scheme, we conducted comprehensive experiments across diverse settings. The results validate the effectiveness and robustness of the scheme.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Jellyfish integrates proxy data from error-minimization noise with final-layer channel sparsity and a six-term loss for zero-shot federated unlearning, but the abstract leaves the actual forgetting effectiveness unverified.

read the letter

Jellyfish proposes a zero-shot federated unlearning method that avoids retraining or accessing forgotten data. It generates proxy samples via error-minimization noise, applies sparsity regularization to the final convolutional layer outputs for the target data, and uses a composite loss with hard loss, confusion loss, distillation, weight drift, gradient harmonization, and masking to balance forgetting against utility. A final repair step then restores accuracy using the proxies. These four pieces—synthetic generation, disentanglement, loss design, and repair—are presented as a combined scheme that has not appeared together before in the cited federated unlearning literature. That integration is the clearest new element and gives the work a practical flavor for handling deletion requests at scale without full retraining cycles. The multi-component loss in particular looks like a reasonable attempt to align the conflicting objectives without one dominating the other. The paper is aimed at applied researchers in federated learning and privacy who need concrete mechanisms for GDPR-style right-to-be-forgotten scenarios. A reader looking for new loss terms or proxy-generation heuristics would pick up usable ideas here. The central soft spot is verification. The abstract asserts that experiments across diverse settings confirm effectiveness and robustness, yet supplies no forgetting metrics, ablation tables, membership-inference results, or utility curves. Without those numbers it is difficult to judge whether the proxy distribution is close enough to the original forgotten data for the subsequent losses to actually push parameters outside the target manifold. The stress-test worry about residual leakage therefore remains open until the full results are examined. If the experiments include proper attack evaluations and show clear separation, the contribution strengthens; if they rely mainly on accuracy recovery, the forgetting claim stays under-supported. Overall the proposal is constructive enough to merit peer review rather than desk rejection, though any referee will need to see the detailed metrics and ablations before accepting the robustness claims.

Referee Report

3 major / 2 minor

Summary. The manuscript proposes Jellyfish, a zero-shot federated unlearning scheme for federated learning models. It generates proxy data for forgotten samples via error-minimization noise, applies knowledge disentanglement by restricting the number of activated channels in the final convolutional layer to encourage sparsity, constructs a composite loss function incorporating hard loss, confusion loss, distillation loss, model weight drift loss, gradient harmonization, and gradient masking to align forgetting and retention objectives, and includes a zero-shot repair step using proxy data to restore utility without accessing local client data. Comprehensive experiments across diverse settings are reported to validate the scheme's effectiveness and robustness in achieving forgetting while preserving model performance.

Significance. If the core mechanisms are rigorously validated, this work would contribute a practical zero-shot approach to federated unlearning, addressing privacy needs in distributed settings without requiring data access or retraining from scratch. The combination of synthetic proxy generation, channel-based disentanglement, and multi-term loss design offers a constructive framework that could advance the field beyond conventional methods, provided the forgetting guarantees hold against standard attacks.

major comments (3)

[Abstract] Abstract: The central effectiveness claim—that error-minimization noise proxy data plus final-conv-layer channel restriction achieves verifiable forgetting—lacks any derivation, distribution-distance bound, or attack-success metric showing that the proxy distribution is close enough to the forgotten manifold for the subsequent loss terms to drive parameters outside the original data support. Without this, residual leakage remains possible.
[§4] §4 (Loss Function Design): The composite loss (hard loss + confusion loss + distillation loss + weight drift loss + gradient harmonization + masking) is asserted to align forgetting and retaining trajectories, but no explicit equations or weighting scheme is supplied to demonstrate that the terms do not conflict or introduce new leakage paths; the alignment is described at a high level only.
[Experiments] Experiments section: The reported validation of effectiveness and robustness supplies no forgetting-specific metrics (membership-inference or reconstruction attack success rates), ablation results on the disentanglement or proxy components, error bars, or baseline comparisons, so the robustness claim cannot be assessed from the given description.

minor comments (2)

Notation for the channel-restriction operation and the error-minimization noise generation could be formalized with explicit equations to improve reproducibility.
[Abstract] The abstract would benefit from one or two concrete quantitative results (e.g., accuracy drop on forgotten class or attack success rate) to ground the effectiveness claim.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed comments on our manuscript. We address each major comment point by point below. Where the feedback identifies gaps in presentation or supporting analysis, we have revised the manuscript to incorporate the requested elements.

read point-by-point responses

Referee: [Abstract] Abstract: The central effectiveness claim—that error-minimization noise proxy data plus final-conv-layer channel restriction achieves verifiable forgetting—lacks any derivation, distribution-distance bound, or attack-success metric showing that the proxy distribution is close enough to the forgotten manifold for the subsequent loss terms to drive parameters outside the original data support. Without this, residual leakage remains possible.

Authors: We acknowledge that the abstract provides only a high-level summary. Section 3 of the manuscript derives the error-minimization noise generation process and motivates its use as a proxy for the forgotten data manifold. To address the concern rigorously, the revised version adds an explicit distribution-distance bound (Wasserstein-2 distance between proxy and original distributions) together with membership-inference attack success rates measured on the unlearned model. These additions demonstrate that the proxy data, combined with channel-restricted disentanglement, moves parameters sufficiently far from the original support to limit residual leakage. revision: yes
Referee: [§4] §4 (Loss Function Design): The composite loss (hard loss + confusion loss + distillation loss + weight drift loss + gradient harmonization + masking) is asserted to align forgetting and retaining trajectories, but no explicit equations or weighting scheme is supplied to demonstrate that the terms do not conflict or introduce new leakage paths; the alignment is described at a high level only.

Authors: We agree that explicit formulations are required. The revised §4 now presents the complete set of loss equations, including the precise weighting coefficients for each term and the gradient-harmonization and masking operators. A short analysis is added showing that the combined gradient directions remain consistent between forgetting and retention objectives and do not create additional leakage channels, as verified by monitoring gradient norms during training. revision: yes
Referee: [Experiments] Experiments section: The reported validation of effectiveness and robustness supplies no forgetting-specific metrics (membership-inference or reconstruction attack success rates), ablation results on the disentanglement or proxy components, error bars, or baseline comparisons, so the robustness claim cannot be assessed from the given description.

Authors: The original experiments section contains quantitative results across multiple datasets and settings, yet we accept that the presentation omitted several requested elements. The revised version adds: (i) membership-inference and reconstruction attack success rates before and after unlearning, (ii) ablation tables isolating the contributions of the proxy-generation and channel-disentanglement modules, (iii) error bars computed over five independent runs, and (iv) direct comparisons against recent federated unlearning baselines. These additions allow direct evaluation of the robustness claims. revision: yes

Circularity Check

0 steps flagged

No significant circularity; constructive proposal validated by experiments

full rationale

The paper proposes a zero-shot federated unlearning scheme (Jellyfish) via proxy data generation through error-minimization noise, channel-restricted knowledge disentanglement at the final convolutional layer, and a composite loss (hard loss, confusion loss, distillation, weight drift, gradient harmonization, masking). No equations, derivations, or self-citations are presented that reduce the claimed forgetting performance or utility preservation to a fitted parameter defined by the same experiment or to a self-referential input. The central claims rest on the explicit construction of the mechanism and its empirical evaluation across diverse settings, which is independent of the target results. This is the normal case for a design paper whose validation is external to any internal fit.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The scheme rests on standard federated learning assumptions plus newly introduced mechanisms; no explicit free parameters, invented physical entities, or ad-hoc axioms are named in the abstract.

axioms (1)

domain assumption Federated models can be updated centrally using only aggregated gradients or updates without direct access to local data.
Implicit in all federated unlearning work and required for the zero-shot claim.

pith-pipeline@v0.9.0 · 5558 in / 1210 out tokens · 41007 ms · 2026-05-13T17:20:18.542354+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

78 extracted references · 78 canonical work pages · 1 internal anchor

[1]

Federated Learning: Strategies for Improving Communication Efficiency

Koneˇ cn` y, J., McMahan, H.B., Yu, F.X., Richt´ arik, P., Suresh, A.T., Bacon, D.: Federated learning: Strategies for improving communication efficiency. arXiv preprint arXiv:1610.05492 (2016)

work page internal anchor Pith review Pith/arXiv arXiv 2016
[2]

In: Artificial Intelligence and Statistics, pp

McMahan, B., Moore, E., Ramage, D., Hampson, S., Arcas, B.A.: Communication-efficient learning of deep networks from decentralized data. In: Artificial Intelligence and Statistics, pp. 1273–1282 (2017). PMLR

work page 2017
[3]

Intersoft Consult- ing, Accessed in October24(1) (2018) 30

Regulation, G.D.P.: General data protection regulation (gdpr). Intersoft Consult- ing, Accessed in October24(1) (2018) 30

work page 2018
[4]

Pardau, S.L.: The california consumer privacy act: Towards a european-style privacy regime in the united states. J. Tech. L. & Pol’y23, 68 (2018)

work page 2018
[5]

In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), pp

Nasr, M., Shokri, R., Houmansadr, A.: Comprehensive privacy analysis of deep learning. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), pp. 1–15 (2018)

work page 2019
[6]

IEEE Journal on Selected Areas in Communications38(10), 2430–2444 (2020)

Song, M., Wang, Z., Zhang, Z., Song, Y., Wang, Q., Ren, J., Qi, H.: Analyzing user-level privacy attack against federated learning. IEEE Journal on Selected Areas in Communications38(10), 2430–2444 (2020)

work page 2020
[7]

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Salem, A., Zhang, Y., Humbert, M., Berrang, P., Fritz, M., Backes, M.: Ml- leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246 (2018)

work page Pith review arXiv 2018
[8]

In: International Conference on Artificial Intelligence and Statistics, pp

Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., Shmatikov, V.: How to back- door federated learning. In: International Conference on Artificial Intelligence and Statistics, pp. 2938–2948 (2020). PMLR

work page 2020
[9]

arXiv preprint arXiv:1911.03030 (2019)

Guo, C., Goldstein, T., Hannun, A., Van Der Maaten, L.: Certified data removal from machine learning models. arXiv preprint arXiv:1911.03030 (2019)

work page arXiv 1911
[10]

arXiv preprint arXiv:2403.02437 (2024)

Jeong, H., Ma, S., Houmansadr, A.: Sok: Challenges and opportunities in federated unlearning. arXiv preprint arXiv:2403.02437 (2024)

work page arXiv 2024
[11]

In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp

Zhang, Q., Wu, Y.N., Zhu, S.-C.: Interpretable convolutional neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 8827–8836 (2018)

work page 2018
[12]

In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp

Lin, S., Zhang, X., Chen, C., Chen, X., Susilo, W.: Erm-ktp: Knowledge-level machine unlearning via knowledge transfer. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 20147–20155 (2023)

work page 2023
[13]

arXiv preprint arXiv:2406.08288 (2024)

Zhu, J., Han, B., Yao, J., Xu, J., Niu, G., Sugiyama, M.: Decoupling the class label and the target concept in machine unlearning. arXiv preprint arXiv:2406.08288 (2024)

work page arXiv 2024
[14]

In: Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part II 16, pp

Liang, H., Ouyang, Z., Zeng, Y., Su, H., He, Z., Xia, S.-T., Zhu, J., Zhang, B.: Training interpretable convolutional neural networks by differentiating class- specific filters. In: Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part II 16, pp. 622–638 (2020). Springer

work page 2020
[15]

IEEE Transactions on Neural Networks and Learning Systems (2023) 31

Tarun, A.K., Chundawat, V.S., Mandal, M., Kankanhalli, M.: Fast yet effec- tive machine unlearning. IEEE Transactions on Neural Networks and Learning Systems (2023) 31

work page 2023
[16]

IEEE Transactions on Information Forensics and Security (2023)

Chundawat, V.S., Tarun, A.K., Mandal, M., Kankanhalli, M.: Zero-shot machine unlearning. IEEE Transactions on Information Forensics and Security (2023)

work page 2023
[17]

In: Proceedings of the AAAI Conference on Artificial Intelligence, vol

Foster, J., Schoepf, S., Brintrup, A.: Fast machine unlearning without retraining through selective synaptic dampening. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 38, pp. 12043–12051 (2024)

work page 2024
[18]

In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp

Golatkar, A., Achille, A., Soatto, S.: Eternal sunshine of the spotless net: Selective forgetting in deep networks. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 9304–9312 (2020)

work page 2020
[19]

In: Computer Vision–ECCV 2020: 16th European Conference, Glas- gow, UK, August 23–28, 2020, Proceedings, Part XXIX 16, pp

Golatkar, Aditya and Achille, Alessandro and Soatto, Stefano: Forgetting outside the box: Scrubbing deep networks of information accessible from input-output observations. In: Computer Vision–ECCV 2020: 16th European Conference, Glas- gow, UK, August 23–28, 2020, Proceedings, Part XXIX 16, pp. 383–398 (2020). Springer

work page 2020
[20]

In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp

Liu, J., Xue, M., Lou, J., Zhang, X., Xiong, L., Qin, Z.: Muter: Machine unlearning on adversarially trained models. In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 4892–4902 (2023)

work page 2023
[21]

In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp

Mehta, R., Pal, S., Singh, V., Ravi, S.N.: Deep unlearning via randomized condi- tionally independent hessians. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 10422–10431 (2022)

work page 2022
[22]

In: International Conference on Machine Learning, pp

Chourasia, R., Shah, N.: Forget unlearning: Towards true data-deletion in machine learning. In: International Conference on Machine Learning, pp. 6028– 6073 (2023). PMLR

work page 2023
[23]

In: Proceedings of the AAAI Conference on Artificial Intelligence, vol

Chundawat, V.S., Tarun, A.K., Mandal, M., Kankanhalli, M.: Can bad teaching induce forgetting? unlearning in deep networks using an incompetent teacher. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 37, pp. 7210–7217 (2023)

work page 2023
[24]

arXiv preprint arXiv:2310.12508 (2023)

Fan, C., Liu, J., Zhang, Y., Wong, E., Wei, D., Liu, S.: Salun: Empowering machine unlearning via gradient-based weight saliency in both image classification and generation. arXiv preprint arXiv:2310.12508 (2023)

work page arXiv 2023
[25]

In: Proceedings of the AAAI Conference on Artificial Intelligence, vol

Graves, L., Nagisetty, V., Ganesh, V.: Amnesiac machine learning. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 35, pp. 11516–11524 (2021)

work page 2021
[26]

In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp

Kim, J., Woo, S.S.: Efficient two-stage model retraining for machine unlearning. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 4361–4369 (2022)

work page 2022
[27]

IEEE Transactions on Artificial Intelligence 32 (2024)

Alam, M., Lamri, H., Maniatakos, M.: Get rid of your trail: Remotely eras- ing backdoors in federated learning. IEEE Transactions on Artificial Intelligence 32 (2024)

work page 2024
[28]

IEEE Journal on Selected Areas in Communications (2023)

Xia, H., Xu, S., Pei, J., Zhang, R., Yu, Z., Zou, W., Wang, L., Liu, C.: Fedme 2: Memory evaluation & erase promoting federated unlearning in dtmn. IEEE Journal on Selected Areas in Communications (2023)

work page 2023
[29]

In: International Conference on Medical Image Computing and Computer-Assisted Intervention, pp

Dinsdale, N.K., Jenkinson, M., Namburete, A.I.: Fedharmony: Unlearning scan- ner bias with distributed data. In: International Conference on Medical Image Computing and Computer-Assisted Intervention, pp. 695–704 (2022). Springer

work page 2022
[30]

arXiv preprint arXiv:2404.03180 (2024)

Wang, H., Zhu, X., Chen, C., Esteves-Ver´ ıssimo, P.: Goldfish: An efficient federated unlearning framework. arXiv preprint arXiv:2404.03180 (2024)

work page arXiv 2024
[31]

In: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp

Wang, W., Tian, Z., Zhang, C., Liu, A., Yu, S.: Bfu: Bayesian federated unlearning with parameter self-sharing. In: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 567–578 (2023)

work page 2023
[32]

In: 2021 IEEE Symposium on Security and Privacy (SP), pp

Bourtoule, L., Chandrasekaran, V., Choquette-Choo, C.A., Jia, H., Travers, A., Zhang, B., Lie, D., Papernot, N.: Machine unlearning. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 141–159 (2021). IEEE

work page 2021
[33]

In: International Conference on Machine Learning, pp

Brophy, J., Lowd, D.: Machine unlearning for random forests. In: International Conference on Machine Learning, pp. 1092–1104 (2021). PMLR

work page 2021
[34]

Advances in neural information processing systems32 (2019)

Ginart, A., Guan, M., Valiant, G., Zou, J.Y.: Making ai forget you: Data dele- tion in machine learning. Advances in neural information processing systems32 (2019)

work page 2019
[35]

In: IEEE INFOCOM 2023- IEEE Conference on Computer Communications, pp

Su, N., Li, B.: Asynchronous federated unlearning. In: IEEE INFOCOM 2023- IEEE Conference on Computer Communications, pp. 1–10 (2023). IEEE

work page 2023
[36]

In: 2015 IEEE Symposium on Security and Privacy, pp

Cao, Y., Yang, J.: Towards making systems forget with machine unlearning. In: 2015 IEEE Symposium on Security and Privacy, pp. 463–480 (2015). IEEE

work page 2015
[37]

In: IEEE INFOCOM 2022- IEEE Conference on Computer Communications, pp

Liu, Y., Xu, L., Yuan, X., Wang, C., Li, B.: The right to be forgotten in federated learning: An efficient realization with rapid retraining. In: IEEE INFOCOM 2022- IEEE Conference on Computer Communications, pp. 1749–1758 (2022). IEEE

work page 2022
[38]

Advances in Neural Information Processing Systems34, 18075–18086 (2021)

Sekhari, A., Acharya, J., Kamath, G., Suresh, A.T.: Remember what you want to forget: Algorithms for machine unlearning. Advances in Neural Information Processing Systems34, 18075–18086 (2021)

work page 2021
[39]

IEEE Transactions on Information Forensics and Security (2023)

Zhang, L., Zhu, T., Zhang, H., Xiong, P., Zhou, W.: Fedrecovery: Differentially private machine unlearning for federated learning frameworks. IEEE Transactions on Information Forensics and Security (2023)

work page 2023
[40]

In: 2021 IEEE/ACM 29th 33 International Symposium on Quality of Service (IWQOS), pp

Liu, G., Ma, X., Yang, Y., Wang, C., Liu, J.: Federaser: Enabling efficient client- level data removal from federated learning models. In: 2021 IEEE/ACM 29th 33 International Symposium on Quality of Service (IWQOS), pp. 1–10 (2021). IEEE

work page 2021
[41]

Journal of Network and Computer Applications, 104181 (2025)

Meng, R., Gao, S., Fan, D., Gao, H., Wang, Y., Xu, X., Wang, B., Lv, S., Zhang, Z., Sun, M., et al.: A survey of secure semantic communications. Journal of Network and Computer Applications, 104181 (2025)

work page 2025
[42]

Machine Learning111(9), 3203–3226 (2022)

Baumhauer, T., Sch¨ ottle, P., Zeppelzauer, M.: Machine unlearning: Linear filtration for logit-based classifiers. Machine Learning111(9), 3203–3226 (2022)

work page 2022
[43]

In: 31st USENIX Security Symposium (USENIX Security 22), pp

Thudi, A., Jia, H., Shumailov, I., Papernot, N.: On the necessity of auditable algo- rithmic definitions for machine unlearning. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 4007–4022 (2022)

work page 2022
[44]

In: International Conference on Artificial Intelligence and Statistics, pp

Izzo, Z., Smart, M.A., Chaudhuri, K., Zou, J.: Approximate data deletion from machine learning models. In: International Conference on Artificial Intelligence and Statistics, pp. 2008–2016 (2021). PMLR

work page 2008
[45]

In: Algorithmic Learning Theory, pp

Neel, S., Roth, A., Sharifi-Malvajerdi, S.: Descent-to-delete: Gradient-based meth- ods for machine unlearning. In: Algorithmic Learning Theory, pp. 931–962 (2021). PMLR

work page 2021
[46]

In: International Conference on Machine Learning, pp

Wu, Y., Dobriban, E., Davidson, S.: Deltagrad: Rapid retraining of machine learn- ing models. In: International Conference on Machine Learning, pp. 10355–10366 (2020). PMLR

work page 2020
[47]

Halimi, A., Kadhe, S., Rawat, A., Baracaldo, N.: Federated unlearning: How to efficiently erase a client in fl? arXiv preprint arXiv:2207.05521 (2022)

work page arXiv 2022
[48]

IEEE Network36(5), 129–135 (2022)

Wu, L., Guo, S., Wang, J., Hong, Z., Zhang, J., Ding, Y.: Federated unlearning: Guarantee the right of clients to forget. IEEE Network36(5), 129–135 (2022)

work page 2022
[49]

arXiv preprint arXiv:2201.09441 (2022)

Wu, C., Zhu, S., Mitra, P.: Federated unlearning with knowledge distillation. arXiv preprint arXiv:2201.09441 (2022)

work page arXiv 2022
[50]

In: Proceedings of the ACM Web Conference 2023, pp

Zhu, X., Li, G., Hu, W.: Heterogeneous federated knowledge graph embedding learning and unlearning. In: Proceedings of the ACM Web Conference 2023, pp. 2444–2454 (2023)

work page 2023
[51]

Ghazal, A.: Zero-shot machine unlearning using gans (2024)

work page 2024
[52]

arXiv preprint arXiv:2507.16733 , year=

Fan, D., Meng, R., Xu, X., Liu, Y., Nan, G., Feng, C., Han, S., Gao, S., Xu, B., Niyato, D., et al.: Generative diffusion models for wireless networks: Fundamental, architecture, and state-of-the-art. arXiv preprint arXiv:2507.16733 (2025)

work page arXiv 2025
[53]

An information theoretic approach to machine unlearning,

Foster, J., Fogarty, K., Schoepf, S., ¨Oztireli, C., Brintrup, A.: Zero-shot machine unlearning at scale via lipschitz regularization. arXiv preprint arXiv:2402.01401 (2024) 34

work page arXiv 2024
[54]

Spectral Norm Regularization for Improving the Generalizability of Deep Learning

Yoshida, Y., Miyato, T.: Spectral norm regularization for improving the general- izability of deep learning. arXiv preprint arXiv:1705.10941 (2017)

work page Pith review arXiv 2017
[55]

arXiv preprint arXiv:2312.02052 (2023)

Cotogni, M., Bonato, J., Sabetta, L., Pelosin, F., Nicolosi, A.: Duck: Distance- based unlearning via centroid kinematics. arXiv preprint arXiv:2312.02052 (2023)

work page arXiv 2023
[56]

Advances in Neural Information Processing Systems34(2021)

Huang, Y., Gupta, S., Song, Z., Li, K., Arora, S.: Evaluating gradient inver- sion attacks and defenses in federated learning. Advances in Neural Information Processing Systems34(2021)

work page 2021
[57]

arXiv preprint arXiv:2308.09881 (2023)

Sun, H., Zhu, T., Chang, W., Zhou, W.: Generative adversarial networks unlearning. arXiv preprint arXiv:2308.09881 (2023)

work page arXiv 2023
[58]

arXiv preprint arXiv:2210.01504 , year=

Jang, J., Yoon, D., Yang, S., Cha, S., Lee, M., Logeswaran, L., Seo, M.: Knowl- edge unlearning for mitigating privacy risks in language models. arXiv preprint arXiv:2210.01504 (2022)

work page arXiv 2022
[59]

IEEE Transactions on Pattern Analysis and Machine Intelligence45(9), 11374–11381 (2023)

Pan, J., Foo, L.G., Zheng, Q., Fan, Z., Rahmani, H., Ke, Q., Liu, J.: Gradmdm: Adversarial attack on dynamic networks. IEEE Transactions on Pattern Analysis and Machine Intelligence45(9), 11374–11381 (2023)

work page 2023
[60]

Advances in Neural Information Processing Systems33, 5824–5836 (2020)

Yu, T., Kumar, S., Gupta, A., Levine, S., Hausman, K., Finn, C.: Gradient surgery for multi-task learning. Advances in Neural Information Processing Systems33, 5824–5836 (2020)

work page 2020
[61]

arXiv preprint arXiv:2407.10494 (2024)

Huang, M.H., Foo, L.G., Liu, J.: Learning to unlearn for robust machine unlearning. arXiv preprint arXiv:2407.10494 (2024)

work page arXiv 2024
[62]

In: 2024 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pp

Meerza, S.I.A., Sadovnik, A., Liu, J.: Confuse: Confusion-based federated unlearning with salience exploration. In: 2024 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pp. 427–432 (2024). IEEE

work page 2024
[63]

In: International Conference on Machine Learning, pp

Yin, D., Chen, Y., Kannan, R., Bartlett, P.: Byzantine-robust distributed learn- ing: Towards optimal statistical rates. In: International Conference on Machine Learning, pp. 5650–5659 (2018). Pmlr

work page 2018
[64]

Master’s thesis, University of Waterloo (2022)

Li, X.: Improved model poisoning attacks and defenses in federated learning with clustering. Master’s thesis, University of Waterloo (2022)

work page 2022
[65]

In: Proceedings of the AAAI Conference on Artificial Intelligence, vol

Cao, X., Jia, J., Gong, N.Z.: Provably secure federated learning against malicious clients. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 35, pp. 6885–6893 (2021)

work page 2021
[66]

arXiv preprint arXiv:2201.00763 (2022)

Rieger, P., Nguyen, T.D., Miettinen, M., Sadeghi, A.-R.: Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection. arXiv preprint arXiv:2201.00763 (2022)

work page arXiv 2022
[67]

In: 31st USENIX Security Symposium (USENIX Security 22), pp

Nguyen, T.D., Rieger, P., De Viti, R., Chen, H., Brandenburg, B.B., Yalame, 35 H., M¨ ollering, H., Fereidooni, H., Marchal, S., Miettinen, M.,et al.:{FLAME}: Taming backdoors in federated learning. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 1415–1432 (2022)

work page 2022
[68]

In: 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), pp

Fung, C., Yoon, C.J., Beschastnikh, I.: The limitations of federated learning in sybil settings. In: 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), pp. 301–316 (2020)

work page 2020
[69]

arXiv preprint arXiv:2312.04432 (2023)

Fereidooni, H., Pegoraro, A., Rieger, P., Dmitrienko, A., Sadeghi, A.-R.: Freqfed: A frequency analysis-based approach for mitigating poisoning attacks in federated learning. arXiv preprint arXiv:2312.04432 (2023)

work page arXiv 2023
[70]

Proceedings of the IEEE86(11), 2278–2324 (1998)

LeCun, Y., Bottou, L., Bengio, Y., Haffner, P.: Gradient-based learning applied to document recognition. Proceedings of the IEEE86(11), 2278–2324 (1998)

work page 1998
[71]

Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images (2009)

work page 2009
[72]

In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp

Hitaj, B., Ateniese, G., Perez-Cruz, F.: Deep models under the gan: informa- tion leakage from collaborative deep learning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 603–618 (2017)

work page 2017
[73]

In: 2023 IEEE Symposium on Security and Privacy (SP), pp

Gong, X., Chen, Y., Yang, W., Wang, Q., Gu, Y., Huang, H., Shen, C.: Redeem myself: Purifying backdoors in deep learning models using self attention distil- lation. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 755–772 (2023). IEEE

work page 2023
[74]

In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp

He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recogni- tion. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016)

work page 2016
[75]

In: European Conference on Computer Vision, pp

Huang, M.H., Foo, L.G., Liu, J.: Learning to unlearn for robust machine unlearning. In: European Conference on Computer Vision, pp. 202–219 (2025). Springer

work page 2025
[76]

In: Proceedings of the 25th International Middleware Conference, pp

Dhasade, A., Ding, Y., Guo, S., Kermarrec, A.-M., Vos, M., Wu, L.: Quickdrop: Efficient federated unlearning via synthetic data generation. In: Proceedings of the 25th International Middleware Conference, pp. 266–278 (2024)

work page 2024
[77]

Advances in neural information processing systems36 (2024)

Kurmanji, M., Triantafillou, P., Hayes, J., Triantafillou, E.: Towards unbounded machine unlearning. Advances in neural information processing systems36 (2024)

work page 2024
[78]

Hu, H., Salcic, Z., Sun, L., Dobbie, G., Yu, P.S., Zhang, X.: Membership infer- ence attacks on machine learning: A survey. ACM Computing Surveys (CSUR) 54(11s), 1–37 (2022) 36 Appendix A Experimental Results on the Training Set This section presents the experimental results of the unlearning approach evaluation on the training set. Table A1 shows the mod...

work page 2022