Machine Forgetting Vulnerabilities in Large Reasoning Models: When 'Being Forgotten' Becomes an Attack Entry Point

This article reveals security vulnerabilities in large reasoning models during the machine forgetting process and proposes a new attack method: inducing the model to forget specific data while generating seemingly reasonable but incorrect reasoning processes, which has important warning significance for AI security research. Background: Data privacy regulations drive the demand for the 'right to be forgotten'; machine forgetting technology aims to eliminate the impact of specific training data. Large reasoning models enhance interpretability through multi-step reasoning trajectories, but this feature may become an attack breakthrough in forgetting scenarios.

With the strictness of data privacy regulations, the 'right to be forgotten' has become an important issue in the AI field, and machine forgetting technology has emerged (eliminating the impact of specific data without retraining). Large Reasoning Models (LRMs) improve interpretability and reasoning ability through explicit multi-step reasoning trajectories, but this interpretability is a double-edged sword in forgetting scenarios: the forgetting process involves fine parameter adjustments and exposes additional interaction interfaces, while traditional research only focuses on forgetting success rates and ignores security vulnerabilities.

The research team proposes a forgetting attack against LRMs: not only making the model output wrong answers, but also inducing it to generate seemingly reasonable and logically coherent reasoning trajectories ("convincing but misleading"), which is highly deceptive. Example: Let the model answer "2+2=?" with "5" and attach a rigorous derivation. This attack is particularly dangerous in scenarios that rely on reasoning decisions, such as medical diagnosis assistance, legal analysis, and educational tutoring.

Three challenges to implement the attack: 1. Non-differentiable logical constraints (reasoning correctness involves discrete judgments, which are difficult to optimize with gradients); 2. Weak optimization signals in long reasoning chains (error signal propagation attenuates, leading to weak optimization effects in early steps); 3. Discrete forgetting set selection (coupled with parameter optimization). Solutions: A two-layer precise forgetting attack framework with three components: differentiable objective function (converting discrete constraints), influence token alignment (focusing on key token optimization), and relaxation indication strategy (converting discrete selection to continuous optimization).

White-box scenario (attackers have access to the model's internal state/gradients): High attack success rate, and the misleading reasoning trajectories have impeccable surface logic. Black-box scenario (only API interaction): Effective attacks are achieved by constructing query sequences to infer sensitive directions, which is closer to actual deployment scenarios and poses a real threat.

Warning: Machine forgetting operations may introduce security risks, so the deployment of forgetting mechanisms needs to be cautious. Defense recommendations: 1. Forgetting verification (checking the forgetting of target data and abnormal reasoning behavior); 2. Reasoning process monitoring (identifying abnormal patterns); 3. Multi-model cross-validation (manual review when there are discrepancies); 4. Developing attack detectors (detecting deep semantic anomalies).

Current limitations: Only focuses on English text reasoning tasks; the effectiveness in other languages/domains (mathematical proof, code generation) remains to be verified; attack success rate depends on model architecture and training methods. Future directions: Developing robust forgetting algorithms, audit tools for automatically detecting misleading reasoning, and exploring attack and defense in distributed scenarios such as federated learning.

Large reasoning models are widely used in key decision-making systems, and their security and reliability are crucial. Machine forgetting technology meets privacy regulations, but we need to be alert to the attack surfaces it introduces. Only by understanding the risks can we build trustworthy AI systems, which is an important direction for AI security researchers.