Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Detecting and Corrupting Convolution-based Unlearnable Examples

Minghui Li, Xianlong Wang, Zhifei Yu, Shengshan Hu, Ziqi Zhou, Longling Zhang, Leo Yu Zhang

TL;DR

This paper tackles the vulnerability of deep networks to convolution-based unlearnable examples (UEs) that embed class-wise multiplicative noise via convolution. It introduces COIN, a defense that uses random multiplicative interpolation in the image domain, and EPD, an edge-pixel detector to identify convolution-based UEs; it also expands the UE space with VUDA and HUDA for generalization testing. The authors show COIN outperforms 11 SOTA defenses on CIFAR and ImageNet, while EPD achieves high detection accuracy and AUC, establishing a practical detection-and-defense framework. Overall, the work highlights a new, effective approach to counter convolution-based UEs and broadens the understanding of UE design and defense.

Abstract

Convolution-based unlearnable examples (UEs) employ class-wise multiplicative convolutional noise to training samples, severely compromising model performance. This fire-new type of UEs have successfully countered all defense mechanisms against UEs. The failure of such defenses can be attributed to the absence of norm constraints on convolutional noise, leading to severe blurring of image features. To address this, we first design an Edge Pixel-based Detector (EPD) to identify convolution-based UEs. Upon detection of them, we propose the first defense scheme against convolution-based UEs, COrrupting these samples via random matrix multiplication by employing bilinear INterpolation (COIN) such that disrupting the distribution of class-wise multiplicative noise. To evaluate the generalization of our proposed COIN, we newly design two convolution-based UEs called VUDA and HUDA to expand the scope of convolution-based UEs. Extensive experiments demonstrate the effectiveness of detection scheme EPD and that our defense COIN outperforms 11 state-of-the-art (SOTA) defenses, achieving a significant improvement on the CIFAR and ImageNet datasets.

Detecting and Corrupting Convolution-based Unlearnable Examples

TL;DR

This paper tackles the vulnerability of deep networks to convolution-based unlearnable examples (UEs) that embed class-wise multiplicative noise via convolution. It introduces COIN, a defense that uses random multiplicative interpolation in the image domain, and EPD, an edge-pixel detector to identify convolution-based UEs; it also expands the UE space with VUDA and HUDA for generalization testing. The authors show COIN outperforms 11 SOTA defenses on CIFAR and ImageNet, while EPD achieves high detection accuracy and AUC, establishing a practical detection-and-defense framework. Overall, the work highlights a new, effective approach to counter convolution-based UEs and broadens the understanding of UE design and defense.

Abstract

Convolution-based unlearnable examples (UEs) employ class-wise multiplicative convolutional noise to training samples, severely compromising model performance. This fire-new type of UEs have successfully countered all defense mechanisms against UEs. The failure of such defenses can be attributed to the absence of norm constraints on convolutional noise, leading to severe blurring of image features. To address this, we first design an Edge Pixel-based Detector (EPD) to identify convolution-based UEs. Upon detection of them, we propose the first defense scheme against convolution-based UEs, COrrupting these samples via random matrix multiplication by employing bilinear INterpolation (COIN) such that disrupting the distribution of class-wise multiplicative noise. To evaluate the generalization of our proposed COIN, we newly design two convolution-based UEs called VUDA and HUDA to expand the scope of convolution-based UEs. Extensive experiments demonstrate the effectiveness of detection scheme EPD and that our defense COIN outperforms 11 state-of-the-art (SOTA) defenses, achieving a significant improvement on the CIFAR and ImageNet datasets.
Paper Structure (20 sections, 20 equations, 6 figures, 5 tables)

This paper contains 20 sections, 20 equations, 6 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Threat Model
  4. Broadening the Attack Range
  5. Low-dimensional Representation
  6. Design of Low-dimensional Defense
  7. Methodology
  8. Our Design for Defense Scheme: COIN
  9. Our Design for Detection Scheme: EPD
  10. Experiments
  11. Experimental Settings
  12. Comparison with SOTA Defenses
  13. Evaluation Metrics
  14. Evaluation of Defense Scheme COIN
  15. Evaluation of Detection Scheme EPD
  16. ...and 5 more sections

Figures (6)

  • Figure 1: (a) Visual images of clean samples and three convolution-based UEs, CUDA sadasivan2023cuda, HUDA, and VUDA. (b) The plots of perturbation values from bounded and convolution-based UEs. It can be seen that the bounded perturbation values are limited within a certain range, while convolution-based perturbations lack such constraints.
  • Figure 2: Hypothesis validation. Test accuracy (%) with $\Theta_{imc}$ (top row) and $\Theta_{imi}$ (bottom row) via changing parameter $a_y$.
  • Figure 3: Key intuition behind our proposed defense.
  • Figure 4: Effectiveness of our proposed defense. Comparison results of test accuracy before and after left-multiplying a random matrix $\mathcal{A}_r$ on all CUDA samples, $\alpha$ is set to 0.5.
  • Figure 5: Our defense scheme COIN
  • ...and 1 more figures