Towards Provably Unlearnable Examples via Bayes Error Optimisation
Ruihan Zhang, Jun Sun, Ee-Peng Lim, Peixin Zhang
TL;DR
The paper tackles the problem of protecting data from being effectively learned in the presence of training data mixtures by introducing a Bayes-error based framework. It formalizes unlearnability via the Bayes error $\beta_D$ and provides a differentiable estimator from samples using local posterior averaging, enabling optimization under $L^p$ perturbation via projected gradient ascent. The method provably increases the Bayes error and remains effective when unlearnable examples are mixed with clean data, with extensive experiments on CIFAR-10/100 and Tiny ImageNet showing substantial test-accuracy drops and transferability across architectures. It also demonstrates resilience against adversarial training, suggesting practical utility for data owners to protect personal data at the source while outlining avenues for future work on defenses against generative-model threats.
Abstract
The recent success of machine learning models, especially large-scale classifiers and language models, relies heavily on training with massive data. These data are often collected from online sources. This raises serious concerns about the protection of user data, as individuals may not have given consent for their data to be used in training. To address this concern, recent studies introduce the concept of unlearnable examples, i.e., data instances that appear natural but are intentionally altered to prevent models from effectively learning from them. While existing methods demonstrate empirical effectiveness, they typically rely on heuristic trials and lack formal guarantees. Besides, when unlearnable examples are mixed with clean data, as is often the case in practice, their unlearnability disappears. In this work, we propose a novel approach to constructing unlearnable examples by systematically maximising the Bayes error, a measurement of irreducible classification error. We develop an optimisation-based approach and provide an efficient solution using projected gradient ascent. Our method provably increases the Bayes error and remains effective when the unlearning examples are mixed with clean samples. Experimental results across multiple datasets and model architectures are consistent with our theoretical analysis and show that our approach can restrict data learnability, effectively in practice.