Provably Unlearnable Data Examples

Derui Wang, Minhui Xue, Bo Li, Seyit Camtepe, Liming Zhu

TL;DR

A mechanism for certifying the so-called $(q, \eta)$-Learnability of an unlearnable dataset via parametric smoothing is proposed, and a simple recovery attack is shown to restore the clean-task performance of classifiers trained on UEs by slightly perturbing the learned weights.

Abstract

The exploitation of publicly accessible data has led to escalating concerns regarding data privacy and intellectual property (IP) breaches in the age of artificial intelligence. To safeguard both data privacy and IP-related domain knowledge, efforts have been undertaken to render shared data unlearnable for unauthorized models in the wild. Existing methods apply empirically optimized perturbations to the data in the hope of disrupting the correlation between the inputs and the corresponding labels such that the data samples are converted into Unlearnable Examples (UEs). Nevertheless, the absence of mechanisms to verify the robustness of UEs against uncertainty in unauthorized models and their training procedures engenders several under-explored challenges. First, it is hard to quantify the unlearnability of UEs against unauthorized adversaries from different runs of training, leaving the soundness of the defense in obscurity. Particularly, as a prevailing evaluation metric, empirical test accuracy faces generalization errors and may not plausibly represent the quality of UEs. This also leaves room for attackers, as there is no rigid guarantee of the maximal test accuracy achievable by attackers. Furthermore, we find that a simple recovery attack can restore the clean-task performance of the classifiers trained on UEs by slightly perturbing the learned weights. To mitigate the aforementioned problems, in this paper, we propose a mechanism for certifying the so-called $(q, \eta)$-Learnability of an unlearnable dataset via parametric smoothing. A lower certified $(q, \eta)$-Learnability indicates a more robust and effective protection over the dataset. Concretely, we 1) improve the tightness of certified $(q, \eta)$-Learnability and 2) design Provably Unlearnable Examples (PUEs) which have reduced $(q, \eta)$-Learnability.


Paper Structure

This paper contains 25 sections, 4 theorems, 33 equations, 7 figures, 14 tables, 5 algorithms.

Key Result

Theorem 1

Let $\Gamma: {\mathcal{X}}\times{\mathcal{Y}} \rightarrow \hat{\theta}\in\Theta$ be a learning function selecting $\hat{\theta}$ from the parameter space $\Theta$ based on a dataset defined in ${\mathcal{X}}\times{\mathcal{Y}}$. Given a target dataset ${\mathbb{D}}$ and a quantile smoothed function where $\overline{q}:=\Phi( \Phi^{-1}(q) + \frac{\eta}{\sigma})$. $\Phi(\cdot)$ is the standard Gaus

Figures (7)

  • Figure 1: Recovery attacks using a small portion ($1\%$-$20\%$) of the CIFAR10 training set. Points on the curves trace the clean testing accuracy of classifiers whose weights are perturbed away from the poisoned classifier. For each fine-tuned classifier, the $\ell_2$ norm of the weight perturbation is capped by $\eta$. This special adversary reveals that current UEs are not robust against uncertainty in classifier parameters, and their reliability cannot be guaranteed. Therefore, a mechanism for certifying UE performance is pivotal.
  • Figure 2: An overview of the certification and PUE crafting framework. A dataset ${\mathbb{D}}_s$ is perturbed into ${\mathbb{D}}_s \oplus \delta$ before being released to the public. The $(q, \eta)$-Learnability of ${\mathbb{D}}_s \oplus \delta$ can be certified to ensure that any unauthorized classifier trained on ${\mathbb{D}}_s \oplus \delta$ has a provable upper bound on its performance on any test set $\hat{{\mathbb{D}}}$ (or ${\mathbb{D}}$) in the same domain with ${\mathbb{D}}_s \oplus \delta$, as long as the parameters of the unauthorized classifier are within a certified parameter set. Generalization learnability can be computed using Hoeffding's bound, and PAC-Bayesian theory suggests that a certification surrogate with low prediction variance under large parametric noise can improve certified learnability. Optimized PUEs lead to lower $(q, \eta)$-Learnability.
  • Figure 3: An illustration of the certified $(q, \eta)$-Learnability.
  • Figure 4: The clean test accuracy scores of surrogate classifiers gauged on clean CIFAR10 (left) and CIFAR100 (right) test set after recovery attacks. The best accuracy scores approximate the True Learnability of parameters inside the hypersphere centered at $\hat{\theta}$ with a radius of $\eta$.
  • Figure 5: The robustness of PUE and EMN against recovery attacks.
  • ...and 2 more figures
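The certificate described in the abstract, Theorem 1 and the Figure 2 caption rests on three computable quantities: the shifted quantile $\overline{q}=\Phi(\Phi^{-1}(q)+\eta/\sigma)$, a quantile of the accuracy of a classifier whose weights are perturbed by Gaussian noise, and a Hoeffding bound that turns a finite test set into a bound on expected accuracy. The following is an added example, not the paper's code. It takes the $\overline{q}$ definition from the page and otherwise assumes the standard quantile-smoothing argument (for a function $f$ of the weights and noise $\epsilon\sim\mathcal{N}(0,\sigma^2 I)$, the $q$-quantile of $f(\theta+\delta+\epsilon)$ is at most the $\overline{q}$-quantile of $f(\theta+\epsilon)$ whenever $\|\delta\|_2\le\eta$); the 2-D data, the linear classifier and the "poisoned" parameter are constructed here to make the check runnable offline.

```python
"""Added illustration of the quantities behind a (q, eta)-Learnability
certificate: bar_q from the page's Theorem 1, a Monte Carlo quantile of
accuracy under Gaussian weight noise, and a Hoeffding bound (Figure 2).
Not the paper's code; the toy data and classifier are constructed here."""
import math
import random
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # Phi and Phi^{-1} of the standard Gaussian


def shifted_quantile(q, eta, sigma):
    """bar_q := Phi(Phi^{-1}(q) + eta / sigma), as defined on the page.

    Assumption (standard quantile smoothing): the q-quantile of the noisy
    accuracy at any theta + delta, ||delta||_2 <= eta, is at most the
    bar_q-quantile of the noisy accuracy at theta."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must lie strictly inside (0, 1)")
    if sigma <= 0.0 or eta < 0.0:
        raise ValueError("sigma must be positive and eta non-negative")
    return _STD_NORMAL.cdf(_STD_NORMAL.inv_cdf(q) + eta / sigma)


def hoeffding_upper_bound(empirical_acc, n, alpha):
    """With probability >= 1 - alpha over n i.i.d. test points, the expected
    accuracy of a fixed classifier is at most
    empirical_acc + sqrt(ln(1/alpha) / (2n)); per-sample correctness is in [0, 1]."""
    slack = math.sqrt(math.log(1.0 / alpha) / (2.0 * n))
    return min(1.0, empirical_acc + slack)


def toy_dataset(n_points, seed):
    """Constructed 2-D data: label 1 iff x1 + x2 > 0 (true direction (1, 1))."""
    rng = random.Random(seed)
    data = []
    for _ in range(n_points):
        x1, x2 = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)
        data.append((x1, x2, 1 if x1 + x2 > 0.0 else 0))
    return data


def accuracy(theta, data):
    """Clean-task accuracy of the linear classifier predict(x) = [theta . x > 0]."""
    hits = sum(1 for x1, x2, y in data
               if (theta[0] * x1 + theta[1] * x2 > 0.0) == (y == 1))
    return hits / len(data)


def empirical_quantile(samples, q):
    """Lower empirical q-quantile: the ceil(q * n)-th smallest sample."""
    ordered = sorted(samples)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def smoothed_quantile_accuracy(theta, data, sigma, q, n_samples, seed):
    """Monte Carlo q-quantile of accuracy(theta + eps), eps ~ N(0, sigma^2 I):
    the quantile parametric smoothing value at theta."""
    rng = random.Random(seed)
    accs = []
    for _ in range(n_samples):
        noisy = tuple(t + rng.gauss(0.0, sigma) for t in theta)
        accs.append(accuracy(noisy, data))
    return empirical_quantile(accs, q)


def certified_learnability(theta, data, sigma, q, eta, n_samples=2000, seed=0):
    """Certificate at theta: the bar_q-quantile of noisy accuracy, which (under
    the assumption above) bounds the q-quantile of noisy accuracy at every
    theta + delta with ||delta||_2 <= eta."""
    bar_q = shifted_quantile(q, eta, sigma)
    return smoothed_quantile_accuracy(theta, data, sigma, bar_q, n_samples, seed)


if __name__ == "__main__":
    data = toy_dataset(400, seed=1)
    sigma, q, eta = 0.5, 0.5, 0.3
    theta_hat = (1.0, -0.8)  # constructed "poisoned" weights, poorly aligned with (1, 1)
    cert = certified_learnability(theta_hat, data, sigma, q, eta)
    # A weight perturbation of l2 norm exactly eta towards the true direction,
    # standing in for the bounded weight change of the recovery attack in Figure 1.
    theta_rec = (theta_hat[0], theta_hat[1] + eta)
    recovered_q = smoothed_quantile_accuracy(theta_rec, data, sigma, q, 2000, 7)
    print(f"certified ({q}, {eta})-Learnability at theta_hat: {cert:.3f}")
    print(f"q-quantile accuracy after a norm-{eta} weight change: {recovered_q:.3f}")
    print("Hoeffding 95% upper bound on expected accuracy of theta_rec: "
          f"{hoeffding_upper_bound(accuracy(theta_rec, data), len(data), 0.05):.3f}")
```

The design choice worth noting is that the certificate is evaluated once, at $\hat{\theta}$ with the enlarged quantile $\overline{q}$, and then covers every parameter inside the $\eta$-ball; a defender never has to enumerate the perturbed weights an adversary might reach, which is exactly what the recovery attack of Figure 1 exploits when only empirical test accuracy at $\hat{\theta}$ is reported. Larger $\sigma$ makes $\overline{q}$ closer to $q$ (a tighter certificate for the same $\eta$), at the cost of a noisier surrogate, which is the trade-off the Figure 2 caption refers to.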

Theorems & Definitions

  • Definition 1: True Learnability of a perturbed dataset
  • Definition 2: Quantile Parametric Smoothing function
  • Theorem 1: Perturbation bound on QPS
  • Definition 3: $(q, \eta)$-Learnability
  • Corollary 1: Expected generalization accuracy under parametric smoothing noise