InstantForget: Update-Free Backdoor Unlearning with Inference-Time Feature Reset

2026-06-14 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

InstantForget is a novel method for update-free backdoor unlearning, designed to remove malicious trigger behavior from deployed models at inference time without altering model parameters. The research first audits a common projection assumption, finding it effective only on BadNets, while failing on WaNet, Blended, and SIG triggers, yielding high Attack Success Rates (ASR) of 0.683, 0.888, and 0.941 respectively on CIFAR-10 ResNet-18. This failure is attributed to a logit-triplet gap. InstantForget introduces a clean-calibrated gated reset that identifies anomalous features using a Mahalanobis score and shifts only these flagged features towards a neutral non-target representation. With a single fixed operating point, InstantForget reduces the average ASR to 0.071 across four non-adaptive CIFAR-10 triggers, achieves 0.981 detection AUROC, and transfers to six of eight tested backbones.

Key takeaway

For AI Security Engineers deploying models susceptible to backdoor attacks, InstantForget offers a critical update-free unlearning solution. You can mitigate backdoor risks at inference time, achieving an average ASR of 0.071 on CIFAR-10 triggers and 0.981 detection AUROC, without costly model retraining or access to triggered samples. Consider integrating this inference-time feature reset for robust post-deployment security.

Key insights

InstantForget enables update-free, inference-time backdoor unlearning by resetting anomalous features identified via a Mahalanobis score.

Principles

• Update-free backdoor unlearning is feasible at inference time.
• Logit-triplet gap predicts projection unlearning failures.
• Mahalanobis score flags anomalous triggered features.

Method

InstantForget employs a clean-calibrated gated reset. It flags anomalous features using a Mahalanobis score and shifts only these flagged features towards a neutral non-target representation, without model parameter updates.

In practice

• Reduces average ASR to 0.071 on CIFAR-10 triggers.
• Achieves 0.981 detection AUROC for trigger detection.
• Transfers to six of eight tested backbones.

Topics

• Backdoor Unlearning
• Inference-Time Security
• Feature Reset
• Mahalanobis Score
• Attack Success Rate
• Model Security

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, Machine Learning Engineer

Related on AIssential

• Roots Beneath the Cut: Uncovering the Risk of Concept Revival in Pruning-Based Unlearning for Diffusion Models — Pruning-based unlearning in diffusion models is vulnerable to concept revival via side-channel information from pruned weight locations.
• Kill it with FIRE: On Leveraging Latent Space Directions for Runtime Backdoor Mitigation in Deep Neural Networks — FIRE neutralizes neural network backdoors at inference time by reversing trigger-induced latent space directions.
• THRD: A Training-Free Multi-Turn Defense Framework for Jailbreak Attacks on Large Language Models — Safety in multi-turn LLM interactions is trajectory-dependent, requiring defenses that model temporal risk accumulation.
• Patching Faster is Not the Answer to Mythos. Patching Smarter Is. — The overwhelming volume of AI-generated vulnerabilities necessitates context-aware prioritization using adversarial simulation to identify truly exploitable threats.
• Patcher: Post-Hoc Patching of Backdoored Large Language Models — Patcher repairs backdoored LLMs post-hoc using a single failure case, localizing triggers via saliency and patching with constrained fine-tuning.
• ZK-APEX: Zero-Knowledge Approximate Personalized Unlearning with Executable Proofs — ZK-APEX enables verifiable personalized machine unlearning on edge devices using ZK-SNARKs and curvature-aware updates.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.