
Catch-Only-One: Non-Transferable Examples for Model-Specific Authorization

Zihan Wang, Zhiyong Ma, Zhongkui Ma, Shuofeng Liu, Akide Liu, Derui Wang, Minhui Xue, Guangdong Bai

TL;DR

This work tackles how to preserve data utility for an authorized model while preventing misuse by unknown models at inference time. It introduces non-transferable examples (NEs), a training-free input-side recoding strategy that confines perturbations to the authorized model's insensitivity subspace, keeping $f^\star$'s predictions intact while degrading non-target models. The authors provide a formal framework and theoretical guarantees based on spectral perturbation and the Hoffman-Wielandt inequality, and validate across diverse architectures and modalities (including vision-language models) with strong cross-model non-transferability and robustness to common preprocessing and reconstruction attacks. Collectively, NEs offer a practical, scalable approach to model-level usage control without retraining or heavy cryptographic cost.

Abstract

Recent AI regulations call for data that remain useful for innovation while resistant to misuse, balancing utility with protection at the model level. Existing approaches either perturb data to make it unlearnable or retrain models to suppress transfer, but neither governs inference by unknown models, and both typically require control over training. We propose non-transferable examples (NEs), a training-free and data-agnostic input-side usage-control mechanism. We recode inputs within a model-specific low-sensitivity subspace, preserving outputs for the authorized model while reducing performance on unauthorized models through subspace misalignment. We establish formal bounds that guarantee utility for the authorized model and quantify deviation for unauthorized ones, with the Hoffman-Wielandt inequality linking degradation to spectral differences. Empirically, NEs retain performance on diverse vision backbones and state-of-the-art vision-language models under common preprocessing, whereas non-target models collapse even with reconstruction attempts. These results establish NEs as a practical means to preserve intended data utility while preventing unauthorized exploitation. Our project is available at https://trusted-system-lab.github.io/model-specificity

Paper Structure

This paper contains 42 sections, 4 theorems, 17 equations, 5 figures, 7 tables.

Key Result

Theorem 1

$W \in \mathbb{R}^{m \times n}$ represents a linear transformation as the first operation in a neural network, and its SVD is $W = U S V^\top$. The perturbation $\delta = V z$ in $\mathrm{Ins}_\tau(W)$ is generated following Section sec:method. $z \in \mathbb{R}^n$ is a random vector, each entry of with high probability of at least $1 - 2 k \sigma^4 / t^2$, where $t > 0$ is a small positive numbe
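The recoding step $\delta = V z$ from the theorem statement, as an added NumPy sketch that is not the authors' code. It assumes $\mathrm{Ins}_\tau(W)$ is the span of the right singular vectors of $W$ with singular value at most $\tau$ (nullspace included); the matrices, sizes, `tau` and `sigma` are constructed for illustration, and only the first linear layer is modelled.

```python
import numpy as np

def insensitive_basis(W, tau):
    """Columns: right singular vectors of W with singular value <= tau
    (assumed reading of Ins_tau(W); nullspace directions count as 0)."""
    _, s, Vt = np.linalg.svd(W, full_matrices=True)
    sv = np.zeros(Vt.shape[0])
    sv[:s.size] = s                      # pad: nullspace rows have sigma = 0
    return Vt[sv <= tau].T               # shape (n, k)

def recode(x, W, tau, sigma, rng):
    """Return x + delta with delta = V_ins z, z ~ N(0, sigma^2 I)."""
    B = insensitive_basis(W, tau)
    z = rng.normal(0.0, sigma, size=B.shape[1])
    return x + B @ z

def first_layer_shift(W, x, x_ne):
    """How far the first-layer pre-activation moves under recoding."""
    return float(np.linalg.norm(W @ (x_ne - x)))

def demo(seed=0, tau=1e-2, sigma=5.0):
    rng = np.random.default_rng(seed)
    m, n = 32, 128
    # Constructed "authorized" first layer with a fast-decaying spectrum.
    U, _ = np.linalg.qr(rng.normal(size=(m, m)))
    V, _ = np.linalg.qr(rng.normal(size=(n, n)))
    s = np.geomspace(10.0, 1e-4, m)
    W_auth = (U * s) @ V[:, :m].T
    # Constructed unrelated model: its sensitive directions are not aligned.
    W_other = rng.normal(size=(m, n)) / np.sqrt(n)
    x = rng.normal(size=n)
    x_ne = recode(x, W_auth, tau, sigma, rng)
    delta_norm = float(np.linalg.norm(x_ne - x))
    return (first_layer_shift(W_auth, x, x_ne),
            first_layer_shift(W_other, x, x_ne),
            delta_norm)

if __name__ == "__main__":
    auth, other, dnorm = demo()
    print(f"|delta|={dnorm:.1f}  authorized shift={auth:.4f}  other shift={other:.2f}")
```

For the authorized matrix the shift is bounded by $\tau \lVert \delta \rVert$ by construction, while the unrelated matrix sees the full perturbation energy because its singular subspaces are misaligned with $V$.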

Figures (5)

  • Figure 1: Authorized vs. unauthorized accuracy on target-recoded inputs across perturbation strength; visual examples in Figure \ref{fig:sheep}.
  • Figure 2: Illustrative visualization of effective on data authorization on VLM.
  • Figure 3: The spectral structure of the first-layer weight matrices in ResNet-50 and ViT-Base via singular value decomposition.
  • Figure 4: Effect of perturbation strength (PSNR, dB). Visual examples across increasing strength. Authorized models remain stable even at 10dB; at 0dB, ResNet-50 on ImageNet loses only 0.1% accuracy.
  • Figure 5: Illustrative visualization of effective on data authorization on VLM.

Theorems & Definitions (13)

  • Definition 1: $\tau$-insensitive Subspace
  • Theorem 1: Bounding Authorized Utility
  • proof
  • Theorem 2: Bounding Unauthorized Utility
  • proof
  • Definition 2: Eigendecomposition
  • Definition 3: Principal Component Analysis (PCA)
  • Lemma 1: Singular Value Decomposition (SVD)
  • Definition 4: Nullspace
  • Definition 5: Convolution
  • ...and 3 more