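PaperHub
Average rating: 5.3/10
Decision: Rejected (4 reviewers)
Lowest rating 5, highest 6, standard deviation 0.4
Individual ratings: 5, 5, 5, 6
Confidence: 4.3
ICLR 2024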

Towards robust unlearnable examples via deep hiding

Submitted: 2023-09-23, updated: 2024-02-11

Keywords
Data Protection; Information Hiding; Unlearnable Examples

Reviews and Discussion

Review
Rating: 5

The majority of existing methods for generating Unlearnable Examples primarily focus on investigating the robustness against adversarial training, while overlooking the resilience to other attack strategies such as data augmentation and preprocessing. Previous research has found that images containing semantic information are robust against common attacks. In this paper, the authors propose a novel defense mechanism that is effective under various prevalent attack methods. The authors first generate multiple image samples corresponding to the number of categories using ControlNet, and then employ Image Hiding techniques to conceal the generated image samples within the dataset to be protected, utilizing Invertible Neural Networks (INN). This process disrupts the original semantic information of the images, thereby achieving the goal of protecting the data.

Strengths

  • The authors introduce Image Hiding techniques into Data Unlearning, providing a new reference direction for the field of Data Unlearning.
  • The authors employ a Latent Feature Concentration module during the image hiding process to achieve consistency in semantic features within the same class, thus allowing the features of similar data to become more concentrated.
  • The selection of attack methods for the experiments in this paper is fairly comprehensive.

Weaknesses

  • The method consists of three modules: The Deep Hiding Scheme, which introduces the concept of Image Hiding, an existing work; the Semantic Image Generation Module, which utilizes the existing ControlNet; and the Latent Feature Concentration Module, which is very similar to the idea of EntF mentioned in the related work. In summary, the ideas presented in this paper are intriguing, but the innovation is insufficient.
  • Previous research has shown that some Unlearnable Examples possess an inherent resistance to data augmentation, which contradicts the paper's claim that prior methods have overlooked these issues.
  • In the experimental settings of the paper, the perturbation for adversarial training is set to 8/255, and the perturbation for protection noise also appears to be set to 8/255 according to the experimental table. Under this setting, which is consistent with EntF, the paper's experiments lack a comparison with this method.
  • The paper doesn't explain why it's also effective under adversarial training.

Although the introduction of Image hiding in the paper is interesting, the three important parts of the article are existing work and lack innovation. In addition, there is a lack of comparison of EntF methods, a lack of inquiry about defense against training, and a lack of inquiry about the effect of the generated hiding image on protection. All in all, at this point in time, I would recommend this paper as weak reject.

Questions

see weaknesses

Comment

Q1: The method consists of three modules: The Deep Hiding Scheme, which introduces the concept of Image Hiding, an existing work; the Semantic Image Generation Module, which utilizes the existing ControlNet; and the Latent Feature Concentration Module, which is very similar to the idea of EntF mentioned in the related work. In summary, the ideas presented in this paper are intriguing, but the innovation is insufficient.

Ans: Thank you for the comments. We would like to clarify that our Latent Feature Concentration module (LFC) differs from EntF in various aspects. Firstly, EntF aims to generate entangled features associated with perturbed data, causing confusion in models; while our module encourages the concentration of the perturbation itself, creating stronger shortcuts. Secondly, EntF focuses on robustness against adversarial training, while we use LFC to achieve more general robustness. Besides, we would like to emphasize our novelty in semantic-based unlearnable examples. The proposed modules (i.e., Semantic Image Generation (SIG) and LFC) all combine to increase the inter-class distance and reduce the intra-class variance, enhancing the general robustness of unlearnable examples, shown in Table 4.

Table 4: Ablation studies on CIFAR10 for designed Latent Feature Concentration module (LFC), and Semantic Images Generation module (SIG), including Text Prompts Clustering (TPC) and Stable Diffusion model and ControlNet (SD+C).

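| Setting | LFC / SIG: TPC / SIG: SD+C | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | ××× | 94.08 | 94.52 | 94.07 | 88.23 | 65.42 | 87.04 | 89.46 | 91.45 | 88.36 | 94.07 | 83.29 | 89.97 | 86.26 | 88.17 |
| Sample-wise | × | 14.77 | 22.20 | 13.06 | 23.44 | 30.18 | 51.43 | 35.66 | 17.31 | 37.50 | 15.80 | 81.97 | 81.48 | 81.24 | 38.93 |
| Sample-wise | × | 10.00 | 16.53 | 20.81 | 17.14 | 18.51 | 21.73 | 24.98 | 13.85 | 22.07 | 10.59 | 80.09 | 82.90 | 46.54 | 29.67 |
| Sample-wise | ×× | 94.09 | 94.34 | 93.84 | 94.00 | 64.55 | 85.94 | 88.86 | 91.00 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise |  | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | ××× | 12.16 | 11.02 | 11.43 | 10.81 | 10.14 | 13.28 | 10.10 | 12.12 | 10.00 | 10.00 | 78.21 | 15.32 | 12.87 | 16.73 |
| Class-wise | × | 10.00 | 10.00 | 10.06 | 10.82 | 13.26 | 25.76 | 15.83 | 14.20 | 10.03 | 10.00 | 76.26 | 20.28 | 14.78 | 18.56 |
| Class-wise | × | 10.00 | 10.00 | 10.00 | 12.32 | 9.72 | 10.00 | 10.00 | 10.59 | 10.00 | 10.00 | 71.44 | 30.27 | 10.00 | 16.49 |
| Class-wise | ×× | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise |  | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |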

Q2: Previous research has shown that some Unlearnable Examples possess inherent resistance to data augmentation, which contradicts the paper's claim that prior methods have overlooked these issues.

Ans: We agree that previous works have shown resistance to data augmentations to some extent. However, the recent work ISS[G] found that these methods are extremely vulnerable to simple data processing like Grayscaling and JPEG compression with low quality factors. We follow the protocol in ISS and gain insights from the results in Table 1:

  • The existing methods are not generally robust against different types of data augmentations and processing. For example, though EM and REM are resistant to popular data augmentations like cutout and mixup, they are very vulnerable to grayscaling and JPEG compression.
  • The existing methods are not resistant to the countermeasures with higher-level severity. We find most of the existing methods will be mitigated once the quality factor of JPEG decreases to 10. As a result, we argue that the resistance of UEs against countermeasures is not generally solved. We aim to improve general robustness with the deep hiding technique in this paper.
[G] Zhuoran Liu, Zhengyu Zhao, and Martha A. Larson. "Image Shortcut Squeezing: Countering Perturbative Availability Poisons with Compression." In International Conference on Machine Learning, 2023.

Comment

Q3: In the experimental settings of the paper, the perturbation for adversarial training is set to 8/255, and the perturbation for protection noise also appears to be set to 8/255 according to the experimental table. Under this setting, which is consistent with EntF, the paper's experiments lack a comparison with this method.

Ans: Thank you for suggesting a comparison with EntF. EntF mainly focuses on robustness against adversarial training, and its performance on other countermeasures is relatively poor. Hence, we didn't include its comparison in the initial paper. In the modified version, we have included the results of EntF on CIFAR10, CIFAR100 in Table 1. Besides, we study its transferability across architectures and its effectiveness in clean-poison mixed settings. The results show that EntF remains robust against adversarial training, demonstrating competitive performance among the surrogate-dependent UEs including EM, REM, TAP. However, its general robustness is not as good as other methods.

Q4: The paper doesn't explain why it's also effective under adversarial training.

Ans: Our proposed method hides semantic-based perturbation, instead of gradient-based perturbation. We hypothesize they fall in different latent spaces, so our perturbation cannot be erased by adversarial training, similar to OPS [H]. We added the explanation in Section 4.3.

[H] Wu S, Chen S, Xie C, et al. One-pixel shortcut: on the learning preference of deep neural networks. ICLR, 2023.

Q5(summary): Although the introduction of Image hiding in the paper is interesting, the three important parts of the article are existing work and lack innovation. In addition, there is a lack of comparison of EntF methods, a lack of inquiry about defense against training, and a lack of inquiry about the effect of the generated hiding image on protection.

Ans: Thank you for your summary. We respond to the first 3 points in the previous questions. For the inquiry about the effect of generated hiding images, we have conducted more comprehensive ablation studies to show the effect of each component. We show the complete result in the modified Table 4 and Table D in the supplementary. The results show that each component can contribute to the unlearnability. We hope the response can address your concerns well.

Comment

Table 1: Test accuracy (%) of models trained on unlearnable examples from CIFAR-10, CIFAR-100, and ImageNet subset against data augmentations, data preprocessing, and adversarial training.

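| Dataset | Method | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CIFAR-10 | Clean | 94.59 | 95.00 | 94.77 | 94.96 | 49.70 | 86.64 | 89.07 | 92.80 | 88.71 | 94.54 | 85.22 | 90.89 | 84.19 | 87.78 |
| CIFAR-10 | EM | 10.00 | 10.00 | 15.39 | 16.82 | 10.63 | 24.27 | 35.90 | 69.29 | 32.96 | 10.01 | 84.80 | 87.82 | 84.28 | 37.87 |
| CIFAR-10 | REM | 29.00 | 29.42 | 26.13 | 28.37 | 19.07 | 32.80 | 39.93 | 69.83 | 39.97 | 28.67 | 84.15 | 77.65 | 85.93 | 45.46 |
| CIFAR-10 | TAP | 25.90 | 32.69 | 26.77 | 40.46 | 31.68 | 65.12 | 80.25 | 26.36 | 88.66 | 26.09 | 84.77 | 90.31 | 83.57 | 56.39 |
| CIFAR-10 | EntF | 91.50 | 91.30 | 90.93 | 92.52 | 17.85 | 70.28 | 91.46 | 80.33 | 90.31 | 79.79 | 74.36 | 83.56 | 75.86 | 79.23 |
| CIFAR-10 | LSP | 19.07 | 19.87 | 20.89 | 26.99 | 28.85 | 29.85 | 66.19 | 82.47 | 19.25 | 16.19 | 83.01 | 57.87 | 84.59 | 42.70 |
| CIFAR-10 | AR | 13.31 | 11.35 | 12.21 | 13.30 | 12.38 | 17.04 | 37.42 | 34.81 | 42.29 | 12.56 | 85.08 | 89.63 | 58.23 | 33.82 |
| CIFAR-10 | OPS | 16.53 | 89.73 | 83.91 | 34.88 | 17.31 | 86.86 | 43.04 | 16.65 | 36.72 | 15.10 | 82.79 | 57.00 | 9.42 | 45.38 |
| CIFAR-10 | Ours(S) | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| CIFAR-10 | Ours(C) | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |
| CIFAR-100 | Clean | 75.82 | 74.45 | 76.32 | 77.07 | 14.72 | 50.72 | 63.51 | 70.04 | 62.41 | 75.86 | 57.35 | 68.59 | 58.25 | 62.44 |
| CIFAR-100 | EM | 2.84 | 12.05 | 7.67 | 12.86 | 13.52 | 43.61 | 62.12 | 62.37 | 62.01 | 73.47 | 57.29 | 67.50 | 57.89 | 41.17 |
| CIFAR-100 | REM | 7.13 | 10.32 | 11.25 | 8.65 | 5.90 | 12.31 | 19.95 | 48.48 | 26.27 | 7.32 | 57.15 | 65.10 | 58.9 | 26.06 |
| CIFAR-100 | TAP | 14.00 | 16.55 | 15.99 | 22.56 | 5.86 | 31.95 | 55.12 | 8.90 | 61.4 | 13.95 | 56.56 | 66.67 | 56.53 | 32.77 |
| CIFAR-100 | EntF | 72.55 | 69.65 | 70.68 | 73.81 | 8.67 | 36.87 | 55.22 | 67.00 | 58.54 | 73.10 | 51.42 | 63.69 | 52.44 | 57.97 |
| CIFAR-100 | LSP | 2.68 | 2.55 | 2.69 | 4.39 | 7.15 | 6.76 | 28.23 | 42.77 | 22.42 | 2.19 | 55.23 | 33.60 | 57.45 | 20.62 |
| CIFAR-100 | AR | 1.50 | 1.47 | 1.56 | 1.37 | 5.35 | 3.89 | 28.28 | 19.68 | 59.34 | 1.57 | 56.99 | 65.72 | 58.33 | 23.47 |
| CIFAR-100 | OPS | 11.69 | 71.36 | 64.25 | 12.59 | 3.18 | 49.74 | 19.31 | 18.70 | 17.30 | 11.79 | 56.72 | 48.71 | 10.22 | 30.43 |
| CIFAR-100 | Ours(S) | 4.79 | 4.13 | 5.39 | 4.72 | 6.22 | 10.21 | 12.12 | 3.72 | 19.85 | 3.61 | 49.50 | 34.86 | 41.12 | 15.40 |
| CIFAR-100 | Ours(C) | 1.47 | 1.03 | 1.06 | 1.47 | 1.04 | 1.45 | 1.72 | 1.38 | 1.08 | 1.00 | 44.58 | 25.45 | 1.39 | 6.47 |
| ImageNet subset | Clean | 63.93 | 64.02 | 55.10 | 64.55 | 19.92 | 36.08 | 56.63 | 68.35 | 50.62 | 65.40 | 56.83 | 69.36 | 48.24 | 55.31 |
| ImageNet subset | EM | 28.99 | 18.78 | 17.61 | 36.55 | 7.46 | 32.60 | 53.43 | 17.93 | 44.63 | 26.04 | 53.41 | 56.96 | 43.56 | 33.69 |
| ImageNet subset | REM | 14.78 | 14.10 | 11.73 | 19.88 | 15.32 | 14.12 | 16.48 | 44.74 | 15.96 | 15.34 | 50.50 | 17.14 | 47.52 | 22.89 |
| ImageNet subset | TAP | 7.96 | 15.02 | 15.18 | 23.08 | 10.44 | 15.02 | 47.97 | 22.93 | 46.84 | 12.80 | 53.40 | 37.98 | 44.18 | 27.14 |
| ImageNet subset | LSP | 18.18 | 9.52 | 34.16 | 9.76 | 4.14 | 5.20 | 43.38 | 52.66 | 34.28 | 17.92 | 51.80 | 49.06 | 42.26 | 28.64 |
| ImageNet subset | Ours(S) | 3.36 | 2.14 | 3.30 | 2.32 | 2.52 | 6.48 | 8.62 | 1.32 | 4.02 | 1.94 | 39.92 | 26.66 | 44.56 | 11.32 |
| ImageNet subset | Ours(C) | 1.02 | 1.56 | 1.28 | 1.44 | 1.14 | 1.74 | 2.94 | 1.32 | 1.70 | 0.98 | 34.78 | 12.00 | 44.00 | 8.15 |

Comment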

Table 2: Test accuracy (%) of CIFAR-10 and CIFAR-100 on five architectures, including ResNet-18 (R18), ResNet-50 (R50), VGG-19 (V19), and DenseNet-121 (D121), and Vision Transformer (ViT).

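| Model | R18-CIFAR10 | R50-CIFAR10 | V19-CIFAR10 | D121-CIFAR10 | ViT-CIFAR10 | R18-CIFAR100 | R50-CIFAR100 | V19-CIFAR100 | D121-CIFAR100 | ViT-CIFAR100 |
|---|---|---|---|---|---|---|---|---|---|---|
| EM | 10.10 | 10.00 | 10.82 | 12.56 | 11.88 | 2.84 | 3.88 | 9.23 | 64.87 | 7.65 |
| REM | 30.40 | 25.10 | 24.54 | 30.28 | 32.36 | 7.13 | 7.45 | 5.26 | 12.47 | 6.91 |
| TAP | 25.93 | 25.48 | 30.36 | 78.59 | 70.96 | 14.00 | 14.25 | 33.18 | 52.64 | 14.49 |
| EntF | 91.50 | 91.83 | 88.17 | 83.30 | 69.23 | 72.55 | 73.19 | 65.68 | 60.85 | 49.43 |
| LSP | 16.99 | 14.55 | 11.53 | 24.83 | 23.78 | 2.68 | 4.06 | 2.84 | 27.05 | 9.40 |
| OPS | 17.46 | 16.73 | 19.12 | 18.40 | 28.09 | 11.69 | 10.90 | 5.67 | 10.38 | 17.23 |
| AR | 11.88 | 15.83 | 13.21 | 22.28 | 19.84 | 1.50 | 2.13 | 3.48 | 19.55 | 5.69 |
| Ours(S) | 15.36 | 12.66 | 13.16 | 16.81 | 17.83 | 4.79 | 4.90 | 6.00 | 7.02 | 10.10 |
| Ours(C) | 10.00 | 10.00 | 10.00 | 10.20 | 10.01 | 1.47 | 1.00 | 0.95 | 1.00 | 1.38 |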

Table 3: Test accuracy (%) of CIFAR-10 on the models trained by the clean data mixed with different percentages of unlearnable examples.

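| Method | 20% | 40% | 60% | 80% |
|---|---|---|---|---|
| EM | 94.30 | 93.09 | 91.42 | 87.29 |
| REM | 93.83 | 92.69 | 91.12 | 86.92 |
| TAP | 93.82 | 92.78 | 91.96 | 88.49 |
| EntF | 93.40 | 91.71 | 91.25 | 91.07 |
| LSP | 93.50 | 92.47 | 90.21 | 84.81 |
| OPS | 93.64 | 92.63 | 90.05 | 84.42 |
| AR | 94.07 | 92.66 | 90.34 | 85.18 |
| Ours(S) | 93.53 | 92.67 | 89.99 | 84.47 |
| Ours(C) | 93.73 | 92.41 | 90.08 | 84.40 |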

Table D: Additional experimental results on CIFAR10 by using different hidden semantic images, including images from the next class, random natural images (CIFAR100), and our semantic image generation module.

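| Setting | Semantic Images | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | Next Class | 80.19 | 75.79 | 74.79 | 71.26 | 60.57 | 82.25 | 72.89 | 67.46 | 72.38 | 78.66 | 82.01 | 87.68 | 82.53 | 76.04 |
| Sample-wise | Random Natural Images | 94.09 | 94.34 | 93.84 | 94.17 | 64.55 | 85.94 | 88.86 | 91.81 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise | Ours | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | Next Class | 10.00 | 10.00 | 9.96 | 10.18 | 10.47 | 10.18 | 10.00 | 10.00 | 10.00 | 10.00 | 62.91 | 17.26 | 10.01 | 14.69 |
| Class-wise | Random Natural Images | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise | Ours | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |

Review
Rating: 5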

This paper focuses on methods for generating unlearnable samples. The paper takes the unique perspective of deep hiding and improves based on existing deep hiding methods, which consequently proposes new methods for generating unlearnable samples. Experiments demonstrate the effectiveness and robustness of the proposed method.

Strengths

  1. The paper is well written and has clear figures.

  2. The paper proposed methods for generating unlearnable samples from such an interesting perspective as deep hiding.

  3. The experiments demonstrate the high effectiveness and robustness of the method proposed in the paper.

Weaknesses

  1. The comparison experiments do not show the relationship between the scale of the perturbations generated by the proposed method and the comparison method, and the size of the generated perturbations cannot be fully controlled by $L_{hide}$ alone, because there are other losses included in the total loss.

  2. An ablation experiment on the semantic image generation module is missing to demonstrate its advantages compared with randomly selected hidden images.

Questions

  1. There is a backward revealing process for the INN-based hiding model used in the paper, but what is the significance of the existence of this process?

  2. The paper proposed a concentration loss (Eq. 7), and how are sample i and sample j selected in the specific implementation?

======================After rebuttal===================

The authors' response addresses most of my concerns. Thus I am willing to increase the rating score to 6.

======================Update after discussion===================

After discussion, I agree with reviewer Naq4. For data with larger resolution, while it contains more information that needs to be protected, there are also more features that can be used to hide critical content. However, the proposed method seems to be limited on more complex datasets (e.g., ImageNet-subset). Thus, I think the current work needs further improvements to meet the acceptance criteria.

Comment

Q1: The comparison experiments do not show the relationship between the scale of the perturbations generated by the proposed method and the comparison method, and the size of the generated perturbations cannot be fully controlled by $L_{hide}$ alone, because there are other losses included in the total loss.

Ans: Thank you for your insightful comment. We evaluate the image quality (PSNR) between the generated unlearnable examples and clean image to analyze the perturbation scale. The PSNR results are: Ours (34.04), EM (34.17), REM (33.96), TAP (35.86) and LSP (37.73). This similarity in image quality indicates our method achieves a comparable scale of perturbations compared to the comparison methods. Although we did not solely control the perturbation loss, this result further demonstrates that our perturbation loss incorporates well with other losses to restrict the perturbation scale (8/255) during joint optimization.

Q2: An ablation experiment on the semantic image generation module is missing to demonstrate its advantages compared with randomly selected hidden images.

Ans: Thank you for the comments. We conduct a comprehensive ablation study on the effectiveness of the semantic image generation module. We show the results in Table 4 and we have added it into the paper. In the class-wise setting, we find that the improvement of the generation module is marginal; however, in the sample-wise setting, the semantic generation module (SIG) can degrade the mean accuracy from 88% to 38%. It is further reduced to 27.5% with latent feature concentration (LFC). When we disentangle the text prompt clustering (TPC) and Stable Diffusion+ControlNet generation (SD+C), we find that SD+C contributes the most and TPC contributes around a 2% reduction. The ablation study shows that each component in our proposed method plays an important role in the generally robust unlearnable examples.

Table 4: Ablation studies on CIFAR10 for designed Latent Feature Concentration module (LFC), and Semantic Images Generation module (SIG), including Text Prompts Clustering (TPC) and Stable Diffusion model and ControlNet (SD+C).

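| Setting | LFC / SIG: TPC / SIG: SD+C | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | ××× | 94.08 | 94.52 | 94.07 | 88.23 | 65.42 | 87.04 | 89.46 | 91.45 | 88.36 | 94.07 | 83.29 | 89.97 | 86.26 | 88.17 |
| Sample-wise | × | 14.77 | 22.20 | 13.06 | 23.44 | 30.18 | 51.43 | 35.66 | 17.31 | 37.50 | 15.80 | 81.97 | 81.48 | 81.24 | 38.93 |
| Sample-wise | × | 10.00 | 16.53 | 20.81 | 17.14 | 18.51 | 21.73 | 24.98 | 13.85 | 22.07 | 10.59 | 80.09 | 82.90 | 46.54 | 29.67 |
| Sample-wise | ×× | 94.09 | 94.34 | 93.84 | 94.00 | 64.55 | 85.94 | 88.86 | 91.00 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise |  | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | ××× | 12.16 | 11.02 | 11.43 | 10.81 | 10.14 | 13.28 | 10.10 | 12.12 | 10.00 | 10.00 | 78.21 | 15.32 | 12.87 | 16.73 |
| Class-wise | × | 10.00 | 10.00 | 10.06 | 10.82 | 13.26 | 25.76 | 15.83 | 14.20 | 10.03 | 10.00 | 76.26 | 20.28 | 14.78 | 18.56 |
| Class-wise | × | 10.00 | 10.00 | 10.00 | 12.32 | 9.72 | 10.00 | 10.00 | 10.59 | 10.00 | 10.00 | 71.44 | 30.27 | 10.00 | 16.49 |
| Class-wise | ×× | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise |  | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |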

Q3: There is a backward revealing process for the INN-based hiding model used in the paper, but what is the significance of the existence of this process?

Ans: The backward revealing process is necessary to ensure that the semantic image is successfully hidden into the clean images. Without the revealing process, the network tends to embed nothing in order to satisfy invisibility. In practice, during inference when generating UE, we do not require the revealing process but only utilize the hiding process.

Q4: The paper proposed a concentration loss (Eq. 7), and how are sample i and sample j selected in the specific implementation?

Ans: Samples $i$ and $j$ refer to two samples within the same minibatch that have the same label. This is because our LFC only operates on pairs of samples with matching labels.

Comment

Thanks for the authors' response. Although the authors provide some results and explanations, I still believe that solely controlling the perturbation loss is useful to comprehensively present the effects of the proposed method. I am sorry that I will maintain the original rating score.

Comment

Thank you for your prompt response and insightful speculation.

To demonstrate the impact of solely training with perturbation loss (i.e., $\mathcal{L}_{hide}$), we conduct relevant experiments.

  1. The training plot (Figure A in the supp) shows that the perturbation loss remains at 0, which indicates there is no optimization in hiding semantic images.
  2. The perturbation maps generated by the hiding model trained on only $\mathcal{L}_{hide}$ (Figure B in the supp) show minimal information with no semantic patterns (i.e., black images).
  3. Our evaluation of unlearnable examples generated with only $\mathcal{L}_{hide}$ reveals that the test accuracy is close to that of clean images (Table. K). This indicates that minimal information is hidden in clean images, leading to ineffective unlearnability.

Table. K: Evaluation of the different hiding models trained by solely controlling the hiding loss ($\mathcal{L}_{\text{hide}}$) and using our designed loss ($\mathcal{L}_{\text{total}}$). The test accuracy (%) is evaluated on CIFAR-10 in the class-wise setting.

| Method | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Clean | 94.59 | 95.00 | 94.77 | 94.96 | 49.70 | 86.64 | 89.07 | 92.80 | 88.71 | 94.54 | 85.22 | 90.89 | 84.19 | 87.78 |
| only $\mathcal{L}_{\text{hide}}$ | 94.71 | 95.05 | 94.68 | 95.4 | 38.88 | 87.39 | 89.12 | 93.1 | 88.55 | 87.39 | 85.04 | 91.04 | 88.59 | 86.84 |
| ours | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |

This phenomenon is because only controlling the perturbation loss (i.e., $\mathcal{L}_{hide}$) alone will lead to unstructured minimal perturbation. When solely optimizing the perturbation loss, the network tends to discard the information of the semantic image to meet the requirement of minimizing the difference between the clean image and generated UE rather than hide it. Thus, the revealing loss is important to enforce the network to hide the information of semantic image into the clean image by ensuring the revealing of the hidden information from the UE.

Based on the experimental results and our analysis, we argue that the revealing process with reveal loss is necessary to hide semantic information to create UEs. We hope it can address your concerns.

Comment

Thanks for your quick response. Based on the results you provided, I recognize the validity of the proposed method. Thus, I am willing to increase the rating score.

Review
Rating: 5

The paper proposes a novel method to generate robust unlearnable examples by hiding semantic images within clean images using invertible neural networks (INNs). This introduces perturbations to mislead classifiers while leveraging semantic features that are robust to countermeasures. A Latent Feature Concentration (LFC) module regularizes the intra-class variance of perturbations. A Semantic Images Generation module creates hidden images with consistent semantics within a class to maximize inter-class separation. Experiments on CIFAR and ImageNet datasets demonstrate state-of-the-art unlearnability and robustness against data augmentations and preprocessing.

Strengths

  1. Novel deep hiding scheme to generate unlearnable examples by hiding semantic images using INNs.

  2. Introduces LFC module to regularize intra-class variance of perturbations.

  3. Introduces Semantic Image Generation module to maximize inter-class separation.

  4. State-of-the-art results on CIFAR and ImageNet datasets against various countermeasures.

Weaknesses

  1. Additional Requirements of generating a large dataset of semantic images using paired text prompts and canny edge maps.

  2. The sample-wise setting may leak information about hidden images. If some hackers know an image is protected in this way, they may find a countermeasure for the unlearnable examples based on the proposed hidden semantic generations.

  3. A pre-trained ResNet-18 is used as the feature extractor, all text prompts are clustered using K-means with the semantic features from the CLIP model, and Stable Diffusion model and ControlNet to generate semantic images. It's hard to analyze the effectiveness of each component.

  4. From the above, the connection between the hidden image and the unlearnable example is unclear. The hidden semantic image may not directly contribute to unlearnability.

  5. The robustness and effectiveness may come from the pre-trained ResNet-18, CLIP, Stable Diffusion, or ControlNet. Therefore, the effectiveness and robustness may not come from the architecture and the idea; instead, these may only come from the extra information from the four pre-trained models.

  6. Although an LFC (a pretrained ResNet18) is used to regularize intra-class variance, and the CLIP, Stable Diffusion, and ControlNet are used to maximize inter-class separation, the author should consider the alignment between these pretrained models.

  7. Although Grad-CAM is used to visualize the attention of DNNs, the intra-class and inter-class relationship with the classification and semantic generation should be more fully exploited. Evaluating the inter-class and intra-class statistics directly could also substantiate the claims around controlled semantics, see questions.

Questions

On page 4, the paper mentions the previous work lacks semantic high-level features and redundancy. However, I don’t know how redundancy is solved in this work.

There are some ablation experiments that remove each major component would indeed provide better insights into their individual contributions:

  1. Using clean images from different classes as hidden semantic images, or using random natural images as hidden semantic images, rather than generated ones. As you noted, this removes the control over the consistency of semantics within a class. The drop in unlearnability can show the importance of controlled generation.

  2. Removing the Latent Feature Concentration (LFC) module. This would demonstrate the impact of the proposed module in regularizing intra-class perturbations.

  3. Removing the CLIP-based clustering of text prompts. Using random prompts for generation removes controlled inter-class differences.

  4. Evaluating inter-class and intra-class separation quantitatively using metrics like mean intra-class distance and mean inter-class distance. This can formally validate the claims.

Comment

Q6: Although an LFC (a pretrained ResNet18) is used to regularize intra-class variance, and the CLIP, Stable Diffusion, and ControlNet are used to maximize inter-class separation, the author should consider the alignment between these pretrained models.

Ans: We've conducted an ablation study by removing the LFC (Table 4(Q3)) and found that there is a slight decrease on the experimental results. The reason is that these components serve as auxiliary elements to control the semantic image. Therefore, alignment is not an urgent requirement and does not significantly affect the results.

Q7: Although Grad-CAM is used to visualize the attention of DNNs, the intra-class and inter-class relationship with the classification and semantic generation should be more fully exploited. Evaluating the inter-class and intra-class statistics directly could also substantiate the claims around controlled semantics, see questions.

Ans: We investigate the intra-/inter-class distance in latent features using a trained (for unlearnable examples) or pre-trained (for clean images) ResNet18, shown in Table J. We observe that our unlearnable examples, in both class-wise and sample-wise settings, exhibit significantly reduced intra-class distances, as evidenced by a higher cosine similarity approaching 1.0000. Furthermore, by compacting the semantics within each class, we also achieve an increased inter-class distance. These outcomes suggest that our method successfully generates unlearnable examples characterized by minimal intra-class distances and maximized inter-class distances, thereby enhancing unlearnability.

The calculation detail of intra-/inter-class distance is shown below. We consider the output of the last CNN layer as the latent feature for each sample and average these to determine the mean latent feature per class. For intra-class distance, we compute and report the mean cosine similarity between each sample's latent feature and its class mean. For inter-class distance, we calculate the mean cosine similarity between each class's mean latent feature and the overall dataset mean.

Table J: Evaluation of Inter-Class and Intra-Class Distances.

| Data | Intra-class | Inter-class |
|---|---|---|
| Clean images | 0.8457 | 0.8742 |
| Ours(S) | 0.9702 | 0.9030 |
| Ours(C) | 0.9882 | 0.8815 |

Q8: On page 4, the paper mentions the previous work lacks semantic high-level features and redundancy. However, I don’t know how redundancy is solved in this work.

Ans: In our paper, we solve the redundancy issue by using the image-hiding framework, which can inherently and adaptively hide different amounts of information in each pixel. In this way, we can hide semantic images instead of noise-based perturbations in clean images. The redundancy found in semantic images – such as the repeated shapes and colors in a forest scene – allows for a certain degree of data loss or alteration without significantly impacting the image's overall structure or meaning. As a result, the high redundancy of the hidden semantic information contributes to the high tolerance of unlearnability when under image processing.

Q9: Ablation studies: There are some ablation experiments that remove each major component would indeed provide better insights into their individual contributions:

  1. Using clean images from different classes as hidden semantic images, or using random natural images as hidden semantic images, rather than generated ones. As you noted, this removes the control over the consistency of semantics within a class. The drop in unlearnability can show the importance of controlled generation.
  2. Removing the Latent Feature Concentration (LFC) module. This would demonstrate the impact of the proposed module in regularizing intra-class perturbations.
  3. Removing the CLIP-based clustering of text prompts. Using random prompts for generation removes controlled inter-class differences.
  4. Evaluating inter-class and intra-class separation quantitatively using metrics like mean intra-class distance and mean inter-class distance. This can formally validate the claims.

Ans: Thank you so much for the detailed suggestions on ablation studies. The ablations significantly improve our papers. We have conducted the following ablations and show the results in the respective tables:

  • Ablation on each component in Semantic Generation Module. The results are shown in Table D and Table 4.
  • Ablation on LFC. The results are shown in the modified Table 4.

We hope ablation studies can address your concerns and provide better insights into the components.
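
The intra-/inter-class statistic described in the reply above (under Q7), as an added example that is not part of the original comment or the authors' code: it uses only the Python standard library, and the 2-D feature vectors are constructed stand-ins for last-CNN-layer outputs. Averaging the intra-class term over all samples and taking the dataset mean over all samples are assumptions, since the reply does not specify them.

```python
"""Intra-/inter-class cosine-similarity statistics (added example).

Constructed 2-D vectors stand in for the last-CNN-layer features; no model
or dataset is loaded. Both statistics are similarities, so a value closer to
1.0 means the compared vectors point in more similar directions.
"""
import math
from collections import defaultdict


def mean_vector(vectors):
    """Element-wise mean of a non-empty list of equal-length vectors."""
    n = len(vectors)
    return [sum(column) / n for column in zip(*vectors)]


def cosine(a, b):
    """Cosine similarity; a zero vector has no direction, so reject it."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        raise ValueError("cosine similarity is undefined for a zero vector")
    return dot / (norm_a * norm_b)


def class_similarity_stats(features, labels):
    """Return (intra, inter) as described in the reply.

    intra: mean cosine similarity between each sample's feature and the mean
           feature of its class (assumption: averaged over all samples).
    inter: mean cosine similarity between each class mean and the overall
           dataset mean (assumption: dataset mean taken over all samples).
    """
    if not features or len(features) != len(labels):
        raise ValueError("features and labels must be non-empty and aligned")
    dim = len(features[0])
    if any(len(f) != dim for f in features):
        raise ValueError("all feature vectors must have the same length")

    by_class = defaultdict(list)
    for feature, label in zip(features, labels):
        by_class[label].append(feature)

    class_means = {label: mean_vector(vs) for label, vs in by_class.items()}
    dataset_mean = mean_vector(features)

    intra = sum(
        cosine(feature, class_means[label])
        for feature, label in zip(features, labels)
    ) / len(features)
    inter = sum(
        cosine(class_mean, dataset_mean) for class_mean in class_means.values()
    ) / len(class_means)
    return intra, inter


# Constructed sample data (not from the paper): two classes, two samples each.
# TIGHT: samples of a class coincide. SPREAD: samples of a class diverge.
SAMPLE_LABELS = [0, 0, 1, 1]
TIGHT_FEATURES = [[1.0, 0.0], [1.0, 0.0], [0.0, 1.0], [0.0, 1.0]]
SPREAD_FEATURES = [[1.0, 0.0], [1.0, 1.0], [0.0, 1.0], [-1.0, 1.0]]


if __name__ == "__main__":
    for name, feats in (("tight", TIGHT_FEATURES), ("spread", SPREAD_FEATURES)):
        intra, inter = class_similarity_stats(feats, SAMPLE_LABELS)
        print(f"{name:6s} intra={intra:.4f} inter={inter:.4f}")
```
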

Comment

Q3: A pre-trained ResNet-18 is used as the feature extractor, all text prompts are clustered using K-means with the semantic features from the CLIP model, and Stable Diffusion model and ControlNet to generate semantic images. It's hard to analyze the effectiveness of each component.

Ans: Thank you for the comments. We conduct a comprehensive ablation study on the effectiveness of each component. We show the results in Table 4, and we have added it into the paper. In the class-wise setting, we find that the improvement of the generation module is marginal; however, in the sample-wise setting, the semantic generation module (SIG) can degrade the mean accuracy from 88% to 38%. It is further reduced to 27.5% with latent feature concentration (LFC). When we disentangle the text prompt clustering (TPC) and Stable Diffusion+ControlNet generation (SD+C), we find that SD+C contributes the most and TPC causes around a 2% reduction. The ablation study shows that each component in our proposed method plays an important role in the generally robust unlearnable examples.

Table 4: Ablation studies on CIFAR10 for designed Latent Feature Concentration module (LFC), and Semantic Images Generation module (SIG), including Text Prompts Clustering (TPC) and Stable Diffusion model and ControlNet (SD+C).

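| Setting | LFC / SIG: TPC / SIG: SD+C | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | ××× | 94.08 | 94.52 | 94.07 | 88.23 | 65.42 | 87.04 | 89.46 | 91.45 | 88.36 | 94.07 | 83.29 | 89.97 | 86.26 | 88.17 |
| Sample-wise | × | 14.77 | 22.20 | 13.06 | 23.44 | 30.18 | 51.43 | 35.66 | 17.31 | 37.50 | 15.80 | 81.97 | 81.48 | 81.24 | 38.93 |
| Sample-wise | × | 10.00 | 16.53 | 20.81 | 17.14 | 18.51 | 21.73 | 24.98 | 13.85 | 22.07 | 10.59 | 80.09 | 82.90 | 46.54 | 29.67 |
| Sample-wise | ×× | 94.09 | 94.34 | 93.84 | 94.00 | 64.55 | 85.94 | 88.86 | 91.00 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise |  | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | ××× | 12.16 | 11.02 | 11.43 | 10.81 | 10.14 | 13.28 | 10.10 | 12.12 | 10.00 | 10.00 | 78.21 | 15.32 | 12.87 | 16.73 |
| Class-wise | × | 10.00 | 10.00 | 10.06 | 10.82 | 13.26 | 25.76 | 15.83 | 14.20 | 10.03 | 10.00 | 76.26 | 20.28 | 14.78 | 18.56 |
| Class-wise | × | 10.00 | 10.00 | 10.00 | 12.32 | 9.72 | 10.00 | 10.00 | 10.59 | 10.00 | 10.00 | 71.44 | 30.27 | 10.00 | 16.49 |
| Class-wise | ×× | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise |  | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |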

Q4: From the above, the connection between the hidden image and the unlearnable example is unclear. The hidden semantic image may not directly contribute to unlearnability.

Ans: We agree that it is difficult to give a certain answer about the source of unlearnability, since the image generation and hiding network are still black boxes. We want to reclaim our hypothesis in Section 3.3 that deep hiding semantic images can create shortcuts, leading to unlearnability. Furthermore, based on the ablation results in Table D (Q1) and Table 4 (Q3), we show the hidden semantic image contributes to the unlearnability in the class-wise setting; in the sample-wise setting, the unlearnability mainly comes from the controlled semantic image generation. These results highlight the effectiveness of the hidden semantic image.

Q5: The robustness and effectiveness may come from the pre-trained ResNet-18, CLIP, Stable Diffusion, or ControlNet. Therefore, the effectiveness and robustness may not come from the architecture and the idea; instead, these may only come from the extra information from the four pre-trained models.

Ans: Similar to the previous responses, we would like to clarify that the effectiveness of the unlearnable examples comes from the semantic hiding images instead of the pre-trained models, based on the analysis and experimental results.

Comment

Q1: Additional Requirements of generating a large dataset of semantic images using paired text prompts and canny edge maps.

Ans: Thank you for your invaluable comments on the ‘semantic image generation’ module. As we mention in Section 3.2.3, we use the paired text prompt and canny edge maps to control the generated semantic content more precisely, which leads to better robustness of the UEs. We conduct ablation studies using random natural images, and next-class images, without using paired text prompts and canny edge maps. Table D demonstrates that without the ControlNet-based generation, the performance is still competitive in the class-wise setting while dropping dramatically in the sample-wise setting. The competitive results in the class-wise setting prove the effectiveness of unlearnability brought from hiding semantic images, highlighting robust generalizability across various countermeasures. However, simply using next-class images or random natural images in the sample-wise setting fails to achieve unlearnability because the similarity of hidden semantic images within intra-class data is not controlled, which validates the effectiveness of generating a large dataset of semantic images using paired text prompts and canny edge maps.

Table D: Additional experimental results on CIFAR10 by using different hidden semantic images, including images from the next class, random natural images (CIFAR100), and our semantic image generation module.

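| Setting | Hidden Semantic Images | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | Next Class | 80.19 | 75.79 | 74.79 | 71.26 | 60.57 | 82.25 | 72.89 | 67.46 | 72.38 | 78.66 | 82.01 | 87.68 | 82.53 | 76.04 |
| Sample-wise | Random Natural Images | 94.09 | 94.34 | 93.84 | 94.17 | 64.55 | 85.94 | 88.86 | 91.81 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise | Ours | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | Next Class | 10.00 | 10.00 | 9.96 | 10.18 | 10.47 | 10.18 | 10.00 | 10.00 | 10.00 | 10.00 | 62.91 | 17.26 | 10.01 | 14.69 |
| Class-wise | Random Natural Images | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise | Ours | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |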

Q2: The sample-wise setting may leak information about hidden images. If some hackers know an image is protected in this way, they may find a countermeasure for the unlearnable examples based on the proposed hidden semantic generations.

Ans: Thank you for your insights. We would like to clarify that we reduce the exposure risk of the sample-wise setting from 2 aspects:

  1. We hide different semantic images into the images in each class. Though the semantic images share similar semantics, they are totally different in textures and colors.
  2. Our deep hiding model will generate content-dependent perturbations. When we hide the semantic image into the original image, the perturbation will embed into the original content adaptively, leading to more pixel-wise changes.

In data protection and adversarial learning research, we will always face challenges from hackers who wish to mitigate the effects of the perturbations. We are consistently improving the robustness of the defensive perturbations, so the hackers will need more effort to remove them. It is the initiative of our work as well, and we believe the research community is working towards more generally robust unlearnable examples endlessly.

Review
6

The paper presents an approach to generate unlearnable examples by hiding the semantic images in the natural images. To hide the semantic images, DWT along with INN has been used. The loss functions are combined to ensure a frequency image is close to the natural image and only high-frequency features are disturbed. The experiments are performed on multiple datasets and the resiliency of the proposed approach is also demonstrated.

Strengths

The paper presents straightforward unlearnable examples generation algorithms. The generated examples are robust to several defense strategies.

Weaknesses

  • The paper can bring the hiding process into the main text in comparison to adding it to the supplementary file.
  • The experimental section of the paper is weak. The ablation studies with several parameters used in the proposed algorithm are missing. For example: ablation concerning the role of individual loss items, concerning values of $w_i$.
  • The authors have mentioned that 100 semantic images are generated for image hiding. Are these all 100 images used and how?
  • Why are the existing algorithms re-implemented? Are they implemented and fine-tuned using the parameters provided in the papers? Can't we use the protocols of existing work for direct comparisons?
  • Any reason why JPEG10 is yielding significantly higher robustness across each unlearnable example? Any explainable reason for this and have the authors tried with a lower JPEG value?
  • Have the authors studied the transferability of the proposed examples in the presence of defenses?
  • It is surprising to see that even at 80%, the test accuracy is significantly high (84.40%), which suddenly drops to 10.00% in the presence of 100% examples. Am I correct? If yes, what is the reason?
  • What about transferability in terms of limited samples used to learn unlearnable examples?
  • The paper also needs to discuss existing contemporary image-hiding works effective in generating adversarial examples and how they are different from this work. Why can they not be used as compared to the proposed DH?

[1] Din SU, Akhtar N, Younis S, Shafait F, Mansoor A, Shafique M. Steganographic universal adversarial perturbations. Pattern Recognition Letters. 2020 Jul 1;135:146-52.

[2] A. Agarwal, N. Ratha, M. Vatsa and R. Singh, "Crafting Adversarial Perturbations via Transformed Image Component Swapping," in IEEE Transactions on Image Processing, vol. 31, pp. 7338-7349, 2022, doi: 10.1109/TIP.2022.3204206.

Questions

Please check the weakness section.

---------------------------------- Post Rebuttal ----------------

The responses posted addressed my concerns.

Comment

Q8: What about transferability in terms of limited samples used to learn unlearnable examples?

Ans: We conducted the transferability study across architectures with limited unlearnable examples, and we show the results in Table F in the supplementary. The test accuracy decreases in a similar trend when we increase the percentage of the unlearnable examples.

Table F: Test accuracy (%) of CIFAR-10 on the different models trained by the clean data mixed with different percentages of unlearnable examples.

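| Setting | Model | 20% | 40% | 60% | 80% |
|---|---|---|---|---|---|
| Ours(S) | R18 | 93.73 | 92.41 | 90.08 | 84.40 |
| Ours(S) | R50 | 94.16 | 92.82 | 90.51 | 85.66 |
| Ours(S) | V19 | 92.11 | 91.14 | 88.77 | 83.48 |
| Ours(S) | D121 | 89.02 | 87.77 | 84.94 | 81.39 |
| Ours(S) | ViT | 75.95 | 74.77 | 74.09 | 70.50 |
| Ours(C) | R18 | 93.53 | 92.67 | 89.99 | 84.47 |
| Ours(C) | R50 | 94.04 | 92.31 | 90.58 | 85.15 |
| Ours(C) | V19 | 92.13 | 90.23 | 87.99 | 80.60 |
| Ours(C) | D121 | 88.28 | 86.56 | 83.57 | 77.79 |
| Ours(C) | ViT | 75.44 | 74.58 | 69.34 | 64.80 |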

Q9: The paper also needs to discuss existing contemporary image-hiding works effective in generating adversarial examples and how they are different from this work. Why can they not be used as compared to the proposed DH?

1. Din SU, Akhtar N, Younis S, Shafait F, Mansoor A, Shafique M. Steganographic universal adversarial perturbations. Pattern Recognition Letters. 2020 Jul 1;135:146-52.
2. A. Agarwal, N. Ratha, M. Vatsa and R. Singh, "Crafting Adversarial Perturbations via Transformed Image Component Swapping," in IEEE Transactions on Image Processing, vol. 31, pp. 7338-7349, 2022, doi: 10.1109/TIP.2022.3204206.

Ans: Thank you for suggesting a comparison with contemporary image-hiding techniques in the context of adversarial examples. Our work indeed shares the image-hiding framework with the studies you mentioned, but our goals and methodologies differ substantially.

The specific aim of our work is to disrupt the learning process of a model. We seek to ensure high training accuracy on the unlearnable examples we generate, while deliberately reducing accuracy on a clean testing set. The adversarial examples crafted in the studies you listed are intended to lead a fully trained model to make incorrect predictions, a different goal than ours.

Additionally, we have expanded our research to different image-hiding networks, notably the ISGAN [D]. Our experiments assess the effectiveness of ISGAN-hidden unlearnable examples. The findings reveal that while unlearnability can be achieved with other deep hiding models like ISGAN, the performance is not as optimal as with our applied Invertible Neural Network (INN). INN demonstrates superior performance in deep hiding [E][F], which is why we chose it as our baseline model to validate our concepts.

We believe these distinctions, along with our comprehensive evaluations, underscore the unique contribution of our work in the field of image hiding and data privacy.

[D] Zhang, R., Dong, S., & Liu, J. (2019). Invisible steganography via generative adversarial networks. Multimedia tools and applications, 78, 8559-8575.
[E] Xu Y, Mou C, Hu Y, et al. Robust invertible image steganography. CVPR, 2022: 7875-7884.
[F] Mou C, Xu Y, Song J, et al. Large-capacity and flexible video steganography via invertible neural network. CVPR, 2023: 22606-22615.

Table H: Test accuracy (%) of models trained on unlearnable examples generated by using another deep hiding model (ISGAN).

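| ISGAN | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | 54.05 | 53.74 | 55.97 | 72.61 | 48.83 | 85.11 | 86.77 | 53.04 | 88.45 | 54.25 | 84.35 | 90.55 | 87.22 | 70.38 |
| Class-wise | 23.99 | 24.07 | 28.42 | 42.69 | 37.56 | 79.3 | 83.64 | 30.06 | 87.92 | 25.24 | 84.46 | 90.28 | 87.46 | 55.78 |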
Comment

Table D: Additional experimental results on CIFAR10 by using different hidden semantic images, including images from the next class, random natural images (CIFAR100), and our semantic image generation module.

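| Setting | Hidden Semantic Images | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | Next Class | 80.19 | 75.79 | 74.79 | 71.26 | 60.57 | 82.25 | 72.89 | 67.46 | 72.38 | 78.66 | 82.01 | 87.68 | 82.53 | 76.04 |
| Sample-wise | Random Natural Images | 94.09 | 94.34 | 93.84 | 94.17 | 64.55 | 85.94 | 88.86 | 91.81 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise | Ours | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | Next Class | 10.00 | 10.00 | 9.96 | 10.18 | 10.47 | 10.18 | 10.00 | 10.00 | 10.00 | 10.00 | 62.91 | 17.26 | 10.01 | 14.69 |
| Class-wise | Random Natural Images | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise | Ours | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |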

Q3: The authors have mentioned that 100 semantic images are generated for image hiding. Are these all 100 images used and how?

Ans: We generate 100 images for each class, resulting in a total of 1k, 10k, and 10k semantic images for CIFAR10, CIFAR100, and ImageNet-100, respectively. Thus, these semantic images have the same class number as the target dataset.

During the hiding process, we differ in the image selection for two types of hiding settings:

  • In the class-wise setting, we randomly select only one semantic image for all the clean images in the same class. In other words, each image in a class shares the same selected semantic images, while images in different classes are assigned with different semantic images.

  • In the sample-wise setting, for each class, we generate 100 semantic images with the same text prompt and canny edge map, to balance the diversity and generation efficiency of the semantic images. For each image in the same class, we randomly pick one semantic image from the 100-image pool and hide it into the clean image.

Q4: Why are the existing algorithms re-implemented? Are they implemented and fine-tuned using the parameters provided in the papers? Can't we use the protocols of existing work for direct comparisons?

Ans: Thanks for your question regarding the re-implementation of existing algorithms. We would like to clarify that we follow the same protocols of existing works based on their papers and the public code repositories. Besides, we implement and fine-tune the parameters provided in the papers. The ‘re-implementation’ indicates that we integrate all the existing methods into a unified code framework.

The primary reason for ‘re-implementing’ these algorithms was to ensure consistency and fairness in our comparisons. To evaluate the general robustness of the UEs, our study involved 13 different countermeasures. Since the existing papers did not provide all the necessary results for these specific conditions, we opted to implement the existing methods in a unified framework.

Q5: Any reason why JPEG10 is yielding significantly higher robustness across each unlearnable example? Any explainable reason for this and have the authors tried with a lower JPEG value?

Ans: We show examples of images compressed by JPEG(quality factor=10) in the supplementary. The examples show that the compression level of JPEG10 can result in significant distortion to the images, leading to a decrease in the performance of UE. In response to your suggestion, we experimented with lower JPEG values (Table I). We found that lower JPEG values result in even lower test accuracy, which confirms that stronger compression not only damages the unlearnable example perturbations but also distorts the original image features significantly.

Table I: Test accuracy (%) of models trained on unlearnable examples from CIFAR10 against JPEG compression.

| JPEG Quality Factor | 2 | 4 | 6 | 8 | 10 | 50 |
|---|---|---|---|---|---|---|
| Ours(S) | 68.01 | 74.35 | 77.39 | 78.56 | 80.41 | 81.03 |
| Ours(C) | 64.53 | 70.18 | 72.56 | 72.72 | 72.97 | 23.62 |
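
The class-wise and sample-wise selection described in the answer to Q3 above, measured with the mean intra-class and inter-class distance a reviewer asked for, can be sketched as follows. This is an added example, not the authors' code: the feature vectors are constructed Gaussian stand-ins for semantic-image features, and every function name is hypothetical.

```python
import math
import random
from itertools import combinations

NUM_CLASSES = 10   # CIFAR10, as on the page
POOL_SIZE = 100    # semantic images generated per class, as on the page


def build_pools(rng, controlled=True, dim=8):
    """Constructed stand-in features for each class's semantic-image pool.

    controlled=True : pool members cluster around one class centre
                      (assumed effect of a shared prompt and edge map).
    controlled=False: no class structure (stand-in for random natural images).
    """
    pools = {}
    for c in range(NUM_CLASSES):
        centre = [rng.gauss(0, 5) for _ in range(dim)]
        pool = []
        for _ in range(POOL_SIZE):
            if controlled:
                pool.append(tuple(m + rng.gauss(0, 0.5) for m in centre))
            else:
                pool.append(tuple(rng.gauss(0, 5) for _ in range(dim)))
        pools[c] = pool
    return pools


def assign_hidden(labels, pools, setting, rng):
    """Return, per clean image, the pool index of the image hidden in it."""
    if setting == "class-wise":
        # one semantic image per class, shared by every image of that class
        chosen = {c: rng.randrange(len(pools[c])) for c in pools}
        return [chosen[y] for y in labels]
    if setting == "sample-wise":
        # an independent draw from the class pool for every image
        return [rng.randrange(len(pools[y])) for y in labels]
    raise ValueError(f"unknown setting: {setting}")


def separation(labels, feats):
    """Mean intra-class and mean inter-class Euclidean distance."""
    intra, inter = [], []
    for (ya, fa), (yb, fb) in combinations(zip(labels, feats), 2):
        (intra if ya == yb else inter).append(math.dist(fa, fb))
    return sum(intra) / len(intra), sum(inter) / len(inter)


def run(setting, controlled, per_class=20, seed=0):
    """Assign hidden images to a constructed label list and measure them."""
    rng = random.Random(seed)
    pools = build_pools(rng, controlled)
    labels = [c for c in range(NUM_CLASSES) for _ in range(per_class)]
    idx = assign_hidden(labels, pools, setting, rng)
    feats = [pools[y][i] for y, i in zip(labels, idx)]
    distinct = {c: len({i for y, i in zip(labels, idx) if y == c})
                for c in pools}
    intra, inter = separation(labels, feats)
    return distinct, intra, inter


if __name__ == "__main__":
    for setting, controlled in [("class-wise", True),
                                ("sample-wise", True),
                                ("sample-wise", False)]:
        distinct, intra, inter = run(setting, controlled)
        print(f"{setting:11s} controlled={controlled!s:5s} "
              f"distinct/class={max(distinct.values()):3d} "
              f"intra={intra:6.2f} inter={inter:6.2f}")
```

With a controlled pool the hidden images stay close within a class and far apart across classes; with an uncontrolled pool the two distances are about equal, which is the situation the Q1 answer gives for random natural images in the sample-wise setting.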
Comment

Q6: Have the authors studied the transferability of the proposed examples in the presence of defenses?

Ans: To ensure a thorough validation, we tested our UEs on CIFAR10 across multiple architectures, which provided us with a broad view of their transferability. The detailed results have also been included in the supplementary file for reference. This additional data supports our claim that the proposed deep hiding UEs maintain their efficacy against different countermeasures across architectures.

Table E: Test accuracy (%) of models trained on unlearnable examples from CIFAR-10 with five architectures, including ResNet-18 (R18), ResNet-50 (R50), VGG-19 (V19), DenseNet-121 (D121), and Vision Transformer (ViT), against data augmentations, data preprocessing, and adversarial training.

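| Settings | Model | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ours(S) | R18 | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Ours(S) | R50 | 13.32 | 12.42 | 12.99 | 11.60 | 18.70 | 22.70 | 23.77 | 12.62 | 17.24 | 16.23 | 80.70 | 78.30 | 37.11 | 27.52 |
| Ours(S) | V19 | 10.45 | 17.25 | 14.37 | 17.87 | 23.62 | 32.27 | 22.77 | 17.72 | 22.28 | 14.89 | 80.61 | 80.64 | 52.55 | 31.33 |
| Ours(S) | D121 | 18.88 | 21.16 | 12.52 | 18.81 | 53.41 | 53.10 | 28.10 | 18.06 | 12.54 | 18.22 | 77.93 | 76.46 | 70.58 | 36.91 |
| Ours(S) | ViT | 15.80 | 20.64 | 21.93 | 10.67 | 54.05 | 54.57 | 25.40 | 15.20 | 22.45 | 21.38 | 65.38 | 64.91 | 49.50 | 33.99 |
| Ours(C) | R18 | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |
| Ours(C) | R50 | 10.00 | 10.00 | 11.02 | 10.04 | 10.06 | 10.45 | 17.31 | 10.00 | 10.00 | 10.00 | 74.43 | 24.15 | 11.09 | 16.81 |
| Ours(C) | V19 | 10.58 | 10.17 | 10.00 | 17.46 | 10.78 | 12.86 | 15.79 | 10.30 | 10.03 | 10.03 | 71.77 | 24.84 | 13.44 | 17.54 |
| Ours(C) | D121 | 10.00 | 10.00 | 10.60 | 10.23 | 10.49 | 10.01 | 11.63 | 10.00 | 10.00 | 10.53 | 72.85 | 22.06 | 10.00 | 16.03 |
| Ours(C) | ViT | 10.00 | 10.01 | 10.02 | 10.67 | 11.23 | 22.34 | 12.35 | 10.12 | 10.00 | 10.00 | 61.92 | 30.69 | 18.79 | 17.55 |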

Q7: It is surprising to see that even at 80%, the test accuracy is significantly high (84.40%), which suddenly drops to 10.00% in presence of 100% examples. Am I correct? If yes, what is the reason?

Ans: You are right. We hypothesize that this is because 20% of clean data provides useful features to guide the classifier, thereby affecting the shortcut learning towards hidden semantic images. This phenomenon aligns with the results of previously published papers on unlearnable examples [A][B][C]. In existing methods, a significant drop in performance has been observed for a subset of data subjected to perturbations.

[A] Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, James Bailey, and Yisen Wang. Unlearnable examples: Making personal data unexploitable. ICLR, 2021.
[B] Shaopeng Fu, Fengxiang He, Yang Liu, Li Shen, and Dacheng Tao. Robust unlearnable examples: Protecting data privacy against adversarial learning. ICLR, 2022.
[C] Sadasivan, Vinu Sankar, Mahdi Soltanolkotabi, and Soheil Feizi. Cuda: Convolution-based unlearnable datasets. CVPR, 2023.

Table G: Test accuracy (%) of CIFAR-10 on the models trained by the clean data mixed with different percentages of unlearnable examples.

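| Percentage | 20% | 40% | 60% | 80% | 85% | 90% | 92% | 94% | 96% | 98% | 100% |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Ours(S) | 93.73 | 92.41 | 90.08 | 84.40 | 84.07 | 81.37 | 79.92 | 77.30 | 71.93 | 59.34 | 10.00 |
| Ours(C) | 93.53 | 92.67 | 89.99 | 84.47 | 84.20 | 81.41 | 78.42 | 75.71 | 66.90 | 53.00 | 15.36 |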
Comment

Q1: The paper can bring the hiding process into the main text in comparison to adding it to the supplementary file.

Ans: Thank you for your suggestion. We've added the specific hiding process to the main text, making it easier for readers to understand our method.

Q2: The experimental section of the paper is weak. The ablation studies with several parameters used in the proposed algorithm are missing. For example: ablation concerning the role of individual loss items, concerning values of wi.

Ans: Thank you for your comments on the experimental sections. We have added several ablation results based on your suggestions:

  • Ablation on weights of individual loss wi: we conduct a grid search on the 3 loss weights separately. We search from 0.01 to 10 for w1 and w2, and search from 1e-5 to 1e-2 for w3, since the loss associated with w3 is generally 1000 times larger. The results in Tables A, B and C show that when we set weights to 1, 1, 0.0001, the mean accuracy against countermeasures achieves the best performance. Hence, we adopt these hyperparameters in all our experiments.
  • Ablation on generation module: we further conduct an ablation study on the impact of the semantic image generation module (Table 4 and Table D). We show that each module plays a significant role to further improve the robustness of the deep hiding unlearnable examples.

We hope these amendments address your concerns and further strengthen our paper.

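Table A: The experimental results of different settings on parameters of $\omega_1$.

| Setting | $\omega_1$ | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | $10$ | 16.00 | 16.35 | 13.69 | 17.28 | 30.86 | 64.48 | 23.40 | 18.34 | 24.11 | 13.70 | 82.03 | 70.60 | 48.92 | 33.83 |
| Sample-wise (Ours) | $1$ | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Sample-wise | $10^{-1}$ | 13.54 | 17.32 | 14.11 | 17.24 | 29.90 | 37.61 | 28.54 | 19.15 | 25.25 | 16.23 | 81.48 | 63.96 | 58.30 | 32.51 |
| Sample-wise | $10^{-2}$ | 11.31 | 12.48 | 10.01 | 11.12 | 17.11 | 23.48 | 17.46 | 13.89 | 22.41 | 10.05 | 80.04 | 84.38 | 45.20 | 27.61 |
| Class-wise | $10$ | 11.60 | 10.10 | 12.52 | 10.83 | 11.92 | 21.24 | 17.48 | 11.45 | 12.42 | 10.00 | 76.42 | 20.26 | 17.56 | 18.75 |
| Class-wise (Ours) | $1$ | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |
| Class-wise | $10^{-1}$ | 10.00 | 10.00 | 9.99 | 10.00 | 10.11 | 10.09 | 12.44 | 10.00 | 10.00 | 10.00 | 72.36 | 28.89 | 10.05 | 16.46 |
| Class-wise | $10^{-2}$ | 10.00 | 10.00 | 10.02 | 10.00 | 10.09 | 10.00 | 16.34 | 10.00 | 10.00 | 10.00 | 72.45 | 58.50 | 10.00 | 19.03 |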

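Table B: The experimental results of different settings on parameters of $\omega_2$.

| Setting | $\omega_2$ | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | $10$ | 15.12 | 10.35 | 10.34 | 13.58 | 17.94 | 23.41 | 20.41 | 16.00 | 24.53 | 10.01 | 81.89 | 80.81 | 39.88 | 28.02 |
| Sample-wise (Ours) | $1$ | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Sample-wise | $10^{-1}$ | 16.99 | 16.81 | 11.01 | 12.22 | 25.72 | 35.44 | 26.33 | 20.33 | 27.34 | 16.66 | 82.40 | 81.74 | 69.43 | 34.03 |
| Sample-wise | $10^{-2}$ | 10.57 | 15.16 | 21.60 | 14.12 | 19.67 | 35.44 | 22.87 | 18.17 | 29.63 | 10.82 | 82.99 | 87.50 | 76.03 | 34.20 |
| Class-wise | $10$ | 10.00 | 10.00 | 11.22 | 11.94 | 10.09 | 10.10 | 13.27 | 10.00 | 10.00 | 10.08 | 77.23 | 22.81 | 10.12 | 16.68 |
| Class-wise (Ours) | $1$ | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |
| Class-wise | $10^{-1}$ | 10.04 | 10.00 | 11.64 | 13.81 | 15.49 | 10.43 | 17.09 | 10.16 | 10.94 | 10.05 | 77.79 | 25.29 | 18.35 | 19.25 |
| Class-wise | $10^{-2}$ | 10.00 | 10.00 | 10.03 | 10.28 | 10.41 | 10.36 | 15.29 | 10.87 | 10.00 | 10.00 | 79.46 | 29.51 | 10.00 | 17.40 |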
Comment

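Table C: The experimental results of different settings on parameters of $\omega_3$.

| Setting | $\omega_3$ | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | $10^{-2}$ | 14.09 | 13.71 | 10.06 | 11.50 | 17.65 | 28.47 | 22.44 | 17.63 | 22.67 | 15.79 | 82.04 | 76.56 | 39.96 | 28.66 |
| Sample-wise | $10^{-3}$ | 29.41 | 21.50 | 17.33 | 31.99 | 71.78 | 71.78 | 57.44 | 30.15 | 48.16 | 22.85 | 82.41 | 84.34 | 84.63 | 50.29 |
| Sample-wise (Ours) | $10^{-4}$ | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Sample-wise | $10^{-5}$ | 11.10 | 14.35 | 13.08 | 19.27 | 23.38 | 40.61 | 47.25 | 28.73 | 53.54 | 10.62 | 83.18 | 89.32 | 83.69 | 39.86 |
| Class-wise | $10^{-2}$ | 10.00 | 10.00 | 10.00 | 11.84 | 10.24 | 10.10 | 16.45 | 10.03 | 11.29 | 10.00 | 74.47 | 21.16 | 15.58 | 17.01 |
| Class-wise | $10^{-3}$ | 10.00 | 10.01 | 10.11 | 10.65 | 12.13 | 19.81 | 15.06 | 15.69 | 10.21 | 10.00 | 77.98 | 21.37 | 10.77 | 17.98 |
| Class-wise (Ours) | $10^{-4}$ | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |
| Class-wise | $10^{-5}$ | 10.00 | 10.00 | 10.03 | 9.99 | 10.01 | 10.00 | 14.52 | 10.05 | 10.16 | 10.00 | 80.09 | 73.48 | 10.54 | 20.68 |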

Table 4: Ablation studies on CIFAR10 for designed Latent Feature Concentration module (LFC) and Semantic Images Generation module (SIG, including Text Prompts Clustering (TPC) and Stable Diffusion model and ControlNet (SD+C)).

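| Setting | LFC / SIG: TPC / SIG: SD+C | Vanilla | Cutout | Cutmix | Mixup | MeanF | MedianF | BDR | Gray | GaussN | GaussF | JPEG10 | JPEG50 | AT | Mean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sample-wise | ××× | 94.08 | 94.52 | 94.07 | 88.23 | 65.42 | 87.04 | 89.46 | 91.45 | 88.36 | 94.07 | 83.29 | 89.97 | 86.26 | 88.17 |
| Sample-wise | × | 14.77 | 22.20 | 13.06 | 23.44 | 30.18 | 51.43 | 35.66 | 17.31 | 37.50 | 15.80 | 81.97 | 81.48 | 81.24 | 38.93 |
| Sample-wise | × | 10.00 | 16.53 | 20.81 | 17.14 | 18.51 | 21.73 | 24.98 | 13.85 | 22.07 | 10.59 | 80.09 | 82.90 | 46.54 | 29.67 |
| Sample-wise | ×× | 94.09 | 94.34 | 93.84 | 94.00 | 64.55 | 85.94 | 88.86 | 91.00 | 88.70 | 94.20 | 82.84 | 90.31 | 85.31 | 88.38 |
| Sample-wise (Ours) |  | 15.36 | 10.79 | 10.00 | 14.72 | 17.68 | 17.00 | 21.12 | 17.61 | 22.78 | 11.16 | 80.41 | 81.03 | 38.31 | 27.54 |
| Class-wise | ××× | 12.16 | 11.02 | 11.43 | 10.81 | 10.14 | 13.28 | 10.10 | 12.12 | 10.00 | 10.00 | 78.21 | 15.32 | 12.87 | 16.73 |
| Class-wise | × | 10.00 | 10.00 | 10.06 | 10.82 | 13.26 | 25.76 | 15.83 | 14.20 | 10.03 | 10.00 | 76.26 | 20.28 | 14.78 | 18.56 |
| Class-wise | × | 10.00 | 10.00 | 10.00 | 12.32 | 9.72 | 10.00 | 10.00 | 10.59 | 10.00 | 10.00 | 71.44 | 30.27 | 10.00 | 16.49 |
| Class-wise | ×× | 10.00 | 10.00 | 11.41 | 10.00 | 10.01 | 11.71 | 10.00 | 10.01 | 10.00 | 10.00 | 58.38 | 10.05 | 10.00 | 13.97 |
| Class-wise (Ours) |  | 10.00 | 10.00 | 11.25 | 10.02 | 10.59 | 10.04 | 13.53 | 10.00 | 10.00 | 10.00 | 72.97 | 23.62 | 10.00 | 16.31 |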

AC Meta-Review

This paper presents an algorithm to construct unlearnable examples that can mislead the deep networks for data protection.

After the rebuttal and AC-reviewer discussion stage, the final scores of this paper are 5/5/5/6. One reviewer changed his/her score from 6 to 5 after the discussion. The only positive reviewer (rating 6) did not show up in the discussion, while the other three reviewers arrived at a consensus of rejection. The AC found no reason to overturn the reviewers' recommendation.

Why not a higher score

The reviewers arrived at a consensus of rejection.

Why not a lower score

N/A

Final decision

Reject