Availability Attacks Need to Create Shortcuts for Contrastive Learning

Thanks for your comments and questions.

We have uploaded a new version of our paper. Based on your suggestions and other reviewers’ feedback, we adjusted the paper structure, improved the presentation, and added more experiments. We summarize these modifications in ‘Author’s comments’.

Besides, we’ll make some clarifications as follows:

• [CE and InfoNCE] CE and InfoNCE are typical loss functions for SL and CL respectively. Therefore, a decrease in CE loss signifies optimization of the SL task, while a decrease in InfoNCE loss indicates optimization of the CL task. By employing enhanced data augmentations, the observation that minimizing CE also leads to a decrease in InfoNCE suggests implicit optimization of the CL task. Building upon this insight, we then analyze the toy model and propose that supervised error minimization with enhanced data augmentations can partially replace the role of contrastive error minimization to enlarge the alignment and uniformity gaps and bring contrastive unlearnability. Moreover, stronger augmentations help adversarial poisoning regarding the CE loss generate poisons to deceive a contrastive-like reference model and thus improve the contrastive unlearnability as well.

• [Augmentations and EOT] The motivation, technique, and goal of augmentations in our methods are different from EOT. The augmentations used by EOT are standard supervised augmentations including RandomCrop and RandomHorizontalFlip. EOT sampling several augmentations and computes the average gradient over these samples. However, we use much stronger contrastive augmentations for both reference model update and perturbation update to equip the attack with contrastive unlearnability. In addition, we just do sampling but don’t take expectations.

• [Assumptions for toy model] For the final linear probing, CL trains a linear layer after feature extractor $g$ for classification. Our toy model analysis illustrates that the CL loss of $g$ is suppressed after SL training with stronger augmentations. It doesn’t matter if there is a linear layer/MLP placed over $g$ in a practical CL model for unsupervised training. So, it is reasonable to make such assumptions for the toy model in theoretical analysis.

• [ImageNet-like datasets] We added experiments on ImageNet-100 in Table 3 of the new version. Moreover, Tiny-ImageNet with 64x64 images was also used in [1]. Each class in the train/test set of Mini-ImageNet has 500/100 images, which is the same as Tiny-ImageNet and CIFAR-100. | ImageNet-100 | SL | SimCLR | MoCo | BYOL | SimSiam | |--------------|------|--------|------|------|---------| | Clean | 77.8 | 61.8 | 61.8 | 62.2 | 65.8 | | AUE | 5.1 | 5.2 | 6.2 | 7.5 | 4.7 | | T-AAP | 14.4 | 20.3 | 14.5 | 24.8 | 16.6 |

• [Gaps and contrastive unlearnability] Based on suggestions from Reviewer zrxn, we conducted Pearson correlation coefficient analysis of gaps and contrastive unlearnability in Section 4. In Table 1, the PCC between the alignment gap and the SimCLR accuracy is -0.78, and the PCC between the uniformity gap and the SimCLR accuracy is -0.87. It is revealed that contrastive unlearnability highly relates to alignment and uniformity gaps. Though the statistical metric reflects the relationship, it does not mean accuracy will change monotonically with the gaps. On the other hand, in certain settings, the relationship is more clear. In Appendix B.6, we gradually increase the augmentation strength from 0 to the default setting, i.e. s=0.6 in the generation of AUE attacks, and evaluate the alignment and uniformity gaps. In this case, the larger the gaps, the lower the accuracy of SimCLR.

• [Alignment] The alignment loss on poisoned data decreases at first while the alignment loss on clean data increases. Thus the alignment gap increases rapidly. Since what we emphasize is the alignment and uniformity gaps which play the role of shortcuts for CL, we replaced Figure 3(c) with a figure of gaps to avoid distraction in the new version. Comparing Figure 3(c) and Figure 4, we find that the trend of CL accuracy aligns with the overall trend of alignment and uniformity gaps. More detailed discussions are added in Section 6.3. We look forward to further discussions with you.

[1] Rui Wen, Zhengyu Zhao, Zhuoran Liu, Michael Backes, Tianhao Wang, and Yang Zhang. Is adversarial training really a silver bullet for mitigating data poisoning? In International Conference on Learning Representations, 2023

Dear reviewer,

We hope this message finds you well. We would like to inquire if our responses and explanations in our previous reply have addressed your concerns. Please kindly let us know if there are any further clarifications or modifications that you would like us to make. We greatly appreciate your time and effort in providing feedback. Thank you.

Best regards,

The Authors

Thanks for your feedback and questions! We have uploaded a new version of our paper. Specifically, based on your suggestion, we have made some modifications as follows:

• We investigated the influence of decoupled augmentation factors in Section 6.4.
• We conducted Pearson correlation coefficient analysis of gaps and contrastive unlearnability in Section 4. We added more explanation of the CL shortcuts.
• We relocated the definitions of alignment and uniformity to the ‘Threat Model and Background’ section.
• We removed the alignment and uniformity losses and preserved only the gaps in Table 1 to avoid redundant information.
• We moved the tables of ‘transferability across networks’, ‘poisoning ratio’, and ‘poisoning budget’ to Appendix B.3-B.5.
• We introduced the attack abbreviations before Table 1.

We summarize other modifications in ‘Author’s comments’.

Besides, we’ll make some clarifications as follows:

1. [Novelty] We are the first to introduce stronger contrastive augmentations into the poison generation process using supervised models. Our proposed poisoning attacks achieve SOTA worst-case unlearnability across SL and CL algorithms compared to existing methods.
2. [Pearson correlation coefficient] In Table 1, the PCC between the alignment gap and the SimCLR accuracy is -0.78, and the PCC between the uniformity gap and the SimCLR accuracy is -0.87. It is revealed that contrastive unlearnability highly relates to alignment and uniformity gaps.
3. [Shortcuts] Table 1 illustrates gaps are the key to shortcuts. It is the reason why AP-based attacks are effective for CL while other non-contrastive poisoning attacks are not. On the other hand, contrastive error-minimization attacks, i.e. CP and TUE naturally possess huge gaps since their generation process optimizes the contrastive loss [1]. It inspires us that if we can mimic the contrastive error-minimization in a supervised way, the resulting attacks possibly obtain both supervised and contrastive unlearnability. In the next section, we analyze how enhanced data augmentations can boost the contrastive unlearnability of basic supervised poisoning approaches.
4. [Redundant information in Table 1] We emphasize the alignment and uniformity gaps, so we remove alignment and uniformity losses for a clear presentation. We also include SL accuracy in Table 1 because in later experiments we do not evaluate attacks without CL unlearnability such as UE and DC.
5. [Theorem] Recall that contrastive error-minimization replaces the supervised loss in the supervised error-minimization with contrastive loss. The theorem says that the upper bound of contrastive loss decreases with the supervised loss if their data augmentations obey the same distribution. Thus, supervised error minimization with enhanced data augmentations can partially replace the role of contrastive error minimization to enlarge the alignment and uniformity gaps and bring contrastive unlearnability. Moreover, stronger augmentations help adversarial poisoning generate poisons to deceive a contrastive-like reference model and thus improve the contrastive unlearnability as well.
6. [Assumption of MSE and InfoNCE] For a toy model analysis, we use MSE for simplicity since CE involves a softmax operation. InfoNCE loss with one negative example is commonly used for theoretical analysis, for example in [2].
7. [Comparison with CP and TUE] Our proposed poisoning attacks achieve SOTA worst-case unlearnability across SL and CL algorithms compared to existing methods. Moreover, the unlearnability of CP is not stable: CP-BYOL becomes ineffective for SL on CIFAR-100. On higher-resolution datasets with more classes such as Mini/Tiny-ImageNet, our AUE outperforms TUE-MoCo by 13%/28% which is a great advantage.
8. [Augmentations in CP and TUE] These two contrastive error-minimization methods have already involved contrastive training in the poison generation process that employs standard contrastive augmentations (i.e. s=1). So our methods are not applicable to CP and TUE.
9. [HYPO, EntF] These two availability attacks were proposed to deceive adversarial training and degrade the final robust SL accuracy. We test them for a comprehensive evaluation. In the new version, we just group the attacks into contrastive and non-contrastive attacks.

To be continued.

Dear reviewer,

We hope this message finds you well. We would like to inquire if our responses and explanations in our previous reply have addressed your concerns. Please kindly let us know if there are any further clarifications or modifications that you would like us to make. We greatly appreciate your time and effort in providing feedback. Thank you.

Best regards,

The Authors

Thanks for your feedback and questions! We have uploaded a new version of our paper. Specifically, based on your suggestion, we have made some modifications as follows:

• We repositioned the ‘Related Works’ section to the main body of the paper.
• We rectified some typos.
• We incorporated the evaluation of OPS and REM attacks in Table 1
• We included the attack performance on ImageNet-100 in Table 3.
• We added defenses including ISS-JPEG, ISS-Grayscale, UEraser-Lite, UEraser-Max, and AVATAR in Table 5.

We summarize other modifications in ‘Author’s comments’.

Besides, we’ll make some clarifications as follows:

• [Augmentations in defense] For CL, we have studied additional augmentations in the evaluation stage, including cutout, random noise, and Gaussian blur, which was used in [1] as well. For SL, we included additional experiments of more defenses such as ISS variants (JPEG, Grayscale), UEraser variants (-Max, -Lite), and AVATAR [2] in Table 5.
• [Mean performance of unlearnability] Our threat model in Equ (1) considers the worst-case unlearnability since the worst performance across different algorithms determines the reliability of using availability attacks to protect private data, namely the "wooden barrel theory". Average unlearnability has two major problems: 1) Fairness. It’s difficult to set proper weights for different evaluation algorithms. For example, it seems to be unfair to take a simple mean of one SL algorithm and multiple CL algorithms. 2) Soundness. Average unlearnability has the potential to underestimate the learnability of the most powerful algorithm. The reliability of attack methods with the same average unlearnability can vary significantly. For example, under 3 evaluation algorithms, alg A (5%, 10%, 90%) and alg B (30%, 35%, 40%) have the same average unlearnability of 35%.
• [ImageNet-100] Our AUE and AAP attacks are also effective on ImageNet-100. | ImageNet-100 | SL | SimCLR | MoCo | BYOL | SimSiam | |--------------|------|--------|------|------|---------| | Clean | 77.8 | 61.8 | 61.8 | 62.2 | 65.8 | | AUE | 5.1 | 5.2 | 6.2 | 7.5 | 4.7 | | T-AAP | 14.4 | 20.3 | 14.5 | 24.8 | 16.6 |

We look forward to further discussions with you.

[1] Hao He, Kaiwen Zha, and Dina Katabi. Indiscriminate poisoning attacks on unsupervised contrastive learning.

[2] The Devil's Advocate: Shattering the Illusion of Unexploitable Data using Diffusion Models. https://arxiv.org/abs/2303.08500

Dear reviewer,

We hope this message finds you well. We would like to inquire if our responses and explanations in our previous reply have addressed your concerns. Please kindly let us know if there are any further clarifications or modifications that you would like us to make. We greatly appreciate your time and effort in providing feedback. Thank you.

Best regards,

The Authors

Thanks for your feedback and questions! We have uploaded a new version of our paper. In particular, considering your valuable suggestions, we have implemented the following modifications:

• We added defenses including ISS-JPEG, ISS-Grayscale, UEraser-Lite, UEraser-Max, and AVATAR in Table 5.
• We included the attack performance on ImageNet-100 in Table 3.
• We moved the pseudo-code of augmentations to Appendix A.2.
• We moved the tables of ‘transferability across networks’, ‘poisoning ratio’, and ‘poisoning budget’ to Appendix B.3-B.5.
• We included the comparison of computation consumption with CP and TUE in Appendix B.1.

We summarize other modifications in ‘Author’s comments’.

Besides, we’ll make some clarifications as follows:

• [Novelty] We are the first to introduce stronger contrastive augmentations into the poison generation process using supervised models. Our proposed poisoning attacks achieve SOTA worst-case unlearnability across SL and CL algorithms compared to existing methods.
• [Stronger defenses] According to Table 5 in the new version, UEraser-Max demonstrates stronger strength compared to other UEraser variants, resulting in improved defense performance. However, UEraser-Max is not particularly effective against AUE attacks. Grayscale proves ineffective, while JPEG surpasses ISS in performance. AVATAR achieves the highest defense performance for our attacks, reaching approximately 85-88%.
• [UT-AAP and UT-AP] The utilization of stronger augmentations in our methods enhances contrastive unlearnability, but it may potentially weaken supervised unlearnability. This compromise is further complicated by the inherent instability in generating untargeted adversarial poisoning [1].
• [AUE and AAP] The roles of augmentations in AUE and AAP are somewhat different. In the case of AUE, supervised error minimization with enhanced data augmentations can partially replace the role of contrastive error minimization to enlarge the alignment and uniformity gaps and bring contrastive unlearnability. Moreover, stronger augmentations help adversarial poisoning generate poisons to deceive a contrastive-like reference model and thus improve the contrastive unlearnability as well.
• [Theorem] Recall that contrastive error-minimization replaces the supervised loss in the supervised error-minimization with contrastive loss. The theorem says that the upper bound of contrastive loss decreases with the supervised loss if their data augmentations in SL obey the same distribution as CL. Thus, optimizing the augmented supervised loss in the poison generation process implicitly optimizes the contrastive loss.
• [ImageNet-100] Our AUE and AAP attacks are also effective on ImageNet-100. | ImageNet-100 | SL | SimCLR | MoCo | BYOL | SimSiam | |--------------|------|--------|------|------|---------| | Clean | 77.8 | 61.8 | 61.8 | 62.2 | 65.8 | | AUE | 5.1 | 5.2 | 6.2 | 7.5 | 4.7 | | T-AAP | 14.4 | 20.3 | 14.5 | 24.8 | 16.6 |
• [Computation overheads] Computation efficiency is important for protecting private data using availability attacks in real-world scenarios. On CIFAR-10/100 and using a single NVIDIA 3090 GPU, AUE/AAP costs around 2.7/2.2 hours while CP-SimCLR costs around 48 hours, and TUE-MoCo costs around 8.5 hours to generate poisons. Our supervised training-based attacks are much more efficient than contrastive training-based ones. The results of our methods on other datasets are shown in Appendix B.1.

We look forward to further discussions with you.

[1] Fowl, Liam, et al. "Adversarial examples make strong poisons." Advances in Neural Information Processing Systems 34 (2021): 30339-30351.

Dear reviewer,

We hope this message finds you well. We would like to inquire if our responses and explanations in our previous reply have addressed your concerns. Please kindly let us know if there are any further clarifications or modifications that you would like us to make. We greatly appreciate your time and effort in providing feedback. Thank you.

Best regards,

The Authors

Thank you for your recognition and feedback! We have uploaded a new version of our paper. Specifically, based on your suggestions, we have moved some tables to the appendix and rectified the typos. We summarize other modifications in ‘Author’s comments’.

Besides, we’ll make some clarifications as follows:

• [About SEP] On CIFAR-10, SEP is not a Pareto improvement of AUE since for SimSiam evaluation, AUE outperforms SEP (34.5% v.s 36.7%). Furthermore, on CIFAR-100, both AUE and T-AAP attacks outperform SEP in the worst-case unlearnability.
• [Augmentations] The motivation, technique, and goal of augmentations in our methods are different from [1]. Differential augmentations employed by [1] contain only standard SL augmentations including RandomCrop and RandomHorizontalFlip. However, our method is motivated by empirical observations and theoretical analysis that combining supervised poisoning approaches with much stronger contrastive augmentations can craft effective poisons for both SL and CL.

We look forward to further discussions with you.

Dear reviewer,

We hope this message finds you well. We would like to inquire if our responses and explanations in our previous reply have addressed your concerns. Please kindly let us know if there are any further clarifications or modifications that you would like us to make. We greatly appreciate your time and effort in providing feedback. Thank you.

Best regards,

The Authors