Stable Unlearnable Example: Enhancing the Robustness of Unlearnable Examples via Stable Error-Minimizing Noise

Yixin Liu, Kaidi Xu, Xun Chen, Lichao Sun

TL;DR

This work addresses privacy risks from open image datasets by enhancing unlearnable examples through Stable Error-Minimizing Noise (SEM). SEM shifts defense training to random perturbations, while preserving a two-phase iterative optimization between a surrogate model and defensive noise, revealing that surrogate-model robustness largely drives protection. It achieves state-of-the-art protection on CIFAR-10/100 and ImageNet Subset, with about a $3.91\times$ speedup in noise generation and roughly a $17\%$ improvement in protection under adversarial training on CIFAR-10 ($\epsilon=4/255$). The approach offers practical, scalable data protection against unauthorized model training and adversarial countermeasures, supported by extensive ablations and a face-recognition case study.

Abstract

The open source of large amounts of image data promotes the development of deep learning techniques. Along with this comes the privacy risk of these open-source image datasets being exploited by unauthorized third parties to train deep learning models for commercial or illegal purposes. To avoid the abuse of public data, a poisoning-based technique, the unlearnable example, is proposed to significantly degrade the generalization performance of models by adding a kind of imperceptible noise to the data. To further enhance its robustness against adversarial training, existing works leverage iterative adversarial training on both the defensive noise and the surrogate model. However, it still remains unknown whether the robustness of unlearnable examples primarily comes from the effect of enhancement in the surrogate model or the defensive noise. Observing that simply removing the adversarial noise on the training process of the defensive noise can improve the performance of robust unlearnable examples, we identify that solely the surrogate model's robustness contributes to the performance. Furthermore, we found a negative correlation exists between the robustness of defensive noise and the protection performance, indicating defensive noise's instability issue. Motivated by this, to further boost the robust unlearnable example, we introduce stable error-minimizing noise (SEM), which trains the defensive noise against random perturbation instead of the time-consuming adversarial perturbation to improve the stability of defensive noise. Through extensive experiments, we demonstrate that SEM achieves a new state-of-the-art performance on CIFAR-10, CIFAR-100, and ImageNet Subset in terms of both effectiveness and efficiency. The code is available at https://github.com/liuyixin-louis/Stable-Unlearnable-Example.

Paper Structure

This paper contains 20 sections, 1 theorem, 16 equations, 11 figures, 15 tables, and 4 algorithms.

Key Result

Theorem 3

Given a classifier $f: \mathcal{X} \rightarrow \mathcal{Y}$, protection radius $\rho_u$, adversarial training radius $\rho_a$, clean dataset $\mathcal{T}^{c}=\{x_i,y_i\}_{i=1 \cdots N}$, protected dataset $\mathcal{T}^{u}=\{(x_i+\delta^{u}_{i},y_i)|\left\| {\delta ^u}_i \right\| _p\le \rho _u\}_{i=1

Figures (11)

  • Figure 1: The performance comparison on CIFAR-10 between the current SoTA method, the robust error-minimizing noise (REM) (Fu et al., 2022), and our proposed stable error-minimizing noise (SEM). Our SEM outperforms REM in terms of both effectiveness and generation efficiency.
  • Figure 2: The overall framework of our approach. Our approach consists of two phases: noise training and generator training. During the noise training phase, we train the defensive noise, denoted as $\delta^u$, to counter random perturbations. In the subsequent generator training phase, the original images, represented as $x$, are transformed to $x_{\text{input}} = t(x + \delta^u) + \delta^a$ before being input into the network. Here, $t$ represents a transformation derived from distribution $T$, and $\delta^a$ represents the adversarial perturbation produced using PGD. The noise generator, $f^{\prime}_{\theta}$, updates the network parameters, $\theta$, by minimizing adversarial loss. By applying our defensive noise, models trained on the protected data learn minimal information and exhibit poor performance on clean data.
  • Figure 3: Exploration of the contribution of the robustness of defensive noise, denoted as $\mathcal{R}_{\theta}$, and the surrogate model, represented by $\mathcal{R}_{\delta^u}$, to the protection performance $F$. The Pearson correlation coefficients ($r$) quantify the strength of these relationships. Tests were conducted on the CIFAR-10 dataset with settings $\rho_a = 4/255$ and $\rho_u = 8/255$.
  • Figure 4: Visualization of various noise and crafted examples for CIFAR-10 and ImageNet Subset datasets. The noise includes EM (Error-Minimizing noise), TAP (Targeted Adversarial Poisoning noise), NTGA (Neural Tangent Generalization Attack noise), SC (Shortcut noise), REM (Robust Error-Minimizing noise), and SEM (our proposed Stable Error-Minimizing noise).
  • Figure 5: Effect of noise training steps and sampling step size on the testing accuracy of the trained model.

Theorems & Definitions (6)

  • Definition 1: Robustness of surrogate model
  • Definition 2: Robustness of defensive noise
  • Theorem 3
  • Proof
  • Definition 4: Delusiveness of noise
  • Definition 5: Stability of noise