Learning the Unlearnable: Adversarial Augmentations Suppress Unlearnable Example Attacks

Thank you for reviewing our paper and we would like to address your concerns below.

Confusion regarding "These perturbations can form “shortcuts” [12, 16]"

Thank you for highlighting the confusion regarding the term "shortcuts" in the context of unlearnable example attacks. We agree with the reviewer that [16] does not directly state that unlearnable perturbations are shortcuts, but its optimization of perturbations implies such a conclusion, as the perturbation added is encouraged to form unintended features with loss minimization. Instead of [16], we could cite [a] with an explicit claim on unlearnability shortcuts. We also note that [12] is cited as it provides the original definition of the term "shortcuts". We have updated the paper accordingly.

[a]: Yu et al., Availability attacks create shortcuts, SIGKDD 2022.

The explanation of why UEraser performs better than adversarial training is self-contradictory.

In Section 3.2, we intend the sentence "... which performs adversarial augmentations polices that preserves to the semantic information of the images rather than adding $\ell_p$-bounded adversarial noise" to describe the property of adversarial augmentations as preserving semantic information, instead of comparing the abilities to preserve semantics of both methods. We thank the reviewer for pointing this out and agree with the reviewer that the sentence could lead to confusion, and have updated the relevant text in Section 3.2 accordingly.

While $\ell_p$ bounded perturbations do preserve semantics from the perspective human perception, from a machine learning perspective, when crafted correctly, they have a profound impact on deep learning algorithms, making them unable to learn the original features effectively. In this sense, UEraser policies do preserve semantics better than standard training, as they can train models that learned such semantics much more effectively.

why not filter out spatial transformation-based augmentation ...

The direct use of TrivialAugment is to ensure the plug-and-play and simplicity of UEraser. Moreover, similar to standard training, the use of spatial transformations is to help further improve the generalization ability of the trained models to attain higher clean test accuracies.

Clerical errors in Sec. 3.2.

Thanks a lot for noticing! We have fixed the typos in the updated version.

Sec. 4 ... resizes all images of ImageNet-subset to 32x32. However, ... Table 8 ... is 224x224x3.

Thank you for pointing this out to us. We can confirm that our ImageNet subset results are trained on 224x224 images, but Section 4 were not updated to reflect this.

This paper repeats that UEraser-Lite has a fast training speed. How fast it is?

Thank you, and we have added the time costs of UEraser variants versus other defense methods in Appendix F.

Table 2 and Table 3 should add the results of UEraser trained model on clean data.

We kindly note that we reported the results of UEraser trained model on clean data in the description of Table 2. In the updated version of Table 3, we have also added the results for CIFAR-100, SVHN and ImageNet.

The results of adversarial training and other unlearnable methods (AR, OPS, TAP, NTGA, HYPO) in Table 3 should be shown out.

Thank you for your constructive suggestions. We added the results of adversarial training in Table 3 in the updated version.

There is no sensitivity analysis of hyperparameter W. How to pick a suitable value of W and K when deploying UEraser?

A smaller W makes UEraser training faster while a larger W gives better results. We kindly note that the sensitivity analyses of $K \in \{1,2,\ldots,10\}$ and $W \in \{50, E\}$, where $E$ is the number of total epochs, are reported in Table 12 of Appendix B. UEraser-Max (i.e. $W = E$) usually achieves the best results, while being the most computationally expensive. We chose $K = 5$ by default for all experiments that involve adversarial augmentations, as it offers a good trade-off between training speed and accuracy. Larger $K$ values resulted in lower accuracies, as the adversarial augmentations may become too aggressive.

Thank you for reviewing our paper and we would like to address your concerns below.

... seems rather straightforward in principle, we try to solve the objective (3) under various augmentation methods. So as we expand the augmentations, we should get better results.

We think this can also be taken as a compliment to our work. Simple and effective ideas are often the most impactful. We hope that our work can inspire future research to explore the potential of adversarial augmentation in unlearnable example attacks and defenses

do we need a tremendous amount of augmentation ... ?

Thanks for raising an interesting question. While the augmentations we used are not exhaustive, we believe they have the potential to be improved further. This could be optimized with auto machine learning algorithms, and we hope to explore this in the future.

what happens if the adversary is aware of the augmentations the training method is using ...

We kindly point out that this scenario is considered in Section 4 Adaptive Poisoning and Table 4. It shows that UEraser-Max can maintain a good defense against adaptive attacks using the UEraser variants.

1. The response is not satisfactory to me. I've experimented with various combinations of optimizer setups and schedules, but none of the results have matched the reported performance. Moreover, if the fundamental setup is unclear, it raises concerns about the credibility of the reported results. Moreover, the choice of an initial learning rate of 0.01 is questionable when experiments are conducted using a cosine annealing schedule. In general, other learning problems on CIFAR-10, such as adversarial training, commonly utilize an initial learning rate of 0.1 when employing the SGD optimizer. It's worth noting that this paper doesn't make any claims about unusual setups in this regard.

2. Another concerning point is in the comparison of training on CIFAR-10 with EM in Table 2 and Table 6. I don't think that changing the backbone from ResNet-18 to ResNet-50 would result in a drop of about 5%.

3. The additional Adversarial Training results lack convincing evidence for both CIFAR-100 and ImageNet-subset. In my implementations, for ImageNet-subset (200 images per class), performance reaches 44% for both EM and REM, and the proposed method is comparable to adversarial training in terms of computation. On the CIFAR-100 dataset, performance exceeds 55%, higher than reported ones.

4. Moreover, the outcomes on ImageNet-subset, particularly when training on clean data, appear not practical. If you consider 200 images per class, I am certain that the accuracy cannot attain 72%. ISS [1] reported similar results, with standard training on clean ImageNet-subset yielding 62%.

5. The claimed effectiveness of the proposed methods seems overstated due to 1) Limited experiments on datasets other than CIFAR-10; 2) Subpar performance on ImageNet-subset, potentially tailored for datasets with small resolutions.

6. The reported results appear to sidestep more robust defense methods, such as median filtering, which can achieve 85% on the OPS, surpassing the proposed method.

7. When confronted with adaptive poisoning, the performance is lower than adversarial training (80% vs. 85%).

8. Using augmentation as a defensive method lacks compelling support. This type of augmentation-based approach has been extensively discussed in related attacks. The novelty of this paper seems to fall below the acceptance standards of ICLR.

In summary, I highly recommend that the authors conduct a thorough examination of the experimental setups, provide detailed implementations, and conduct more comprehensive experiments.

[1] Zhuoran Liu, Zhengyu Zhao, and Martha Larson. Image shortcut squeezing: Countering perturbative availability poisons with compression. In Proc. Int’l Conf. Machine Learning, 2023

Thank you for reviewing our paper and we would like to address your concerns below.

with a fixed learning rate of 0.01 throughout the training process, I've observed that the accuracy of models trained on clean images struggles to converge to a satisfactory level

the use of a fixed learning rate of 0.01 (too large to converge to the optimal model when conducting UEraser-Max) is not likely to reach an accuracy of 95.24% for EM poisons

a notable disparity emerged in comparison to the reported results in the paper ...

We sincerely apologize for the oversight in the paper, where instead of a fixed 0.01 learning rate, we used the cosine annealing schedule with an initial learning rate of 0.01 in experiments by default. The paper has been updated to reflect this, and we appreciate your diligence in identifying this discrepancy, and we are committed to providing accurate and reliable results.

We appreciate your keen interest in our paper and the effort you've invested in reproducing the results. We would like to engage with you in the discussion period to address the questions raised and help you reproduce the results. If permissible by the conference guidelines, we could set up an anonymized Google Colab to ensure its reproducibility.

Are results on ImageNet-subset resized to 32x32?

Thank you for pointing this out to us. Section 4 incorrectly states that the images are resized to 32x32, instead they are resized to 224x224, as originally stated in Table 8 of Appendix A.1. The accuracy differences from previous papers can be attributed to the smaller training set size (200 images per class).

... extended evaluation would help assess how well the model generalizes across different datasets and under various UE attack methods.

We thank the reviewer for the suggestion, and given the time available during discussion period and limited computational resources, we will expand the experimental analysis on CIFAR-100 in an updated version.

The proposed methods do not exhibit robustness to adaptive poisoning using UEraser-Max. To facilitate a fair comparison, it would be beneficial to report the performance of adaptive poisoning when facing ISS.

We have added adaptive poisoning and defenses with ISS in Appendix E. Additionally, achieving over 80% accuracy under adaptive poisoning of our method should not be perceived negatively, which is in line with adaptive attacks using adversarial training and ISS.

The concept presented in this work is not particularly innovative, and the achieved performance heavily relies on empirical augmentations for defense, which can be significantly undermined by adaptive poisoning.

We highlight that the novelty of UEraser variants is the proposal of adversarial augmentation, and its ability to mitigate the impact of unlearnable examples. We also point out that the key takeaway of our paper is that all existing $\ell_p$ bounded attacks cannot effectively protect the data against learning, which is a significant finding that needs urgent attention from the community.

We hope to engage with the reviewer further for us to address your concerns more thoroughly.

Thank you for reviewing our paper and we would like to address your concerns below.

The use of adversarial training and data augmentation for defense is not entirely new

We highlight that while adversarial training and data augmentation are not new, the proposal of adversarial augmentation is novel and effective, as it forms an effective defense against unlearnable example attacks. It also breaks the perception that data augmentations were not effective countermeasure against unlearnable examples. Finally, it outperforms the state-of-the-art methods against existing unlearnable example attacks.

The paper could benefit from exploring additional evaluation of UEraser and UEraserLite, particularly in terms of computational efficiency/time cost compared with existing defenses

Thank you for your constructive feedback. We have added the time cost of proposed method versus other defense methods in the Appendix F.

a more comprehensive theoretical analysis of why UEraser works and under what conditions it is most effective could strengthen the paper

We thank the reviewer for the suggestion. The main contribution of this paper is the proposal of adversarial augmentation, empirically show its ability to mitigate the impact of unlearnable example attacks, and shed light to the inadequacy of the existing attacks. We hope to turn our focus to its theoretical analysis in the future.