We thank reviewer mhbh for the positive feedback and valuable suggestions. Below, we provide responses to each weakness and question.

W1&Q1: We would like to clarify the difference between data poisoning attacks and unlearnable examples from three aspects [1, 2, 3, 4].

(1) Different Goals. Data poisoning is an attack technique that aims to manipulate model behavior of specific samples during inference (e.g., causing cats to be misclassified as dogs). In contrast, unlearnable examples are a defense technique designed to protect privacy. They introduce imperceptible perturbations, encouraging the model to rely on perturbations for classification rather than learning meaningful semantic features. As a result, the model is learning nothing meaningful from unlearnable examples, effectively enhancing privacy protection.

(2) Different Methodological Designs. Data poisoning attacks operate as an adversarial game, often employing strategies like feature collision or gradient matching to craft poisoned samples that deliberately collide with target class features. In contrast, unlearnable examples aim at decouple model learning from real data semantics, which establishes direct associations between perturbations and labels, instead of images and labels. Therefore, privacy is protected since models are not learning real semantics for classification but relying on perturbations.

(3) Different Perturbed Ratios for Decreasing Test Accuracy. While data poisoning and unlearnable examples both decrease the test accuracy, data poisoning attacks typically inject a small number of imperceptibly poisoned samples into the training set, aiming to achieve poisoning effect (manipulate model prediction) and remain stealthy. In contrast, unlearnable examples aim at preventing the entire dataset from unauthorized exploitation. Therefore, it adds perturbations to each sample and tricks the model to learn perturbations instead of real semantics, leading to good privacy protection.

W2: We clarify that unlearnable examples do not increase the risk of privacy leakage. To evaluate whether our method compromises data privacy, we conduct a standard Membership Inference Attack (MIA) [5], which attempts to determine whether a given sample was part of the model’s training set based solely on its outputs. This attack is widely used as a proxy for measuring privacy leakage.

We compare our method against representative UE baselines, including EMN, LSP, TUE, and GUE. Instead of reporting absolute attack accuracy that may vary with dataset and task, we report below each method's difference in MIA accuracy compared to an anchor model trained with clean data. All models are trained and evaluated on CIFAR-10 to ensure consistent and fair comparison.

We observe that all evaluated UE methods, except GUE, either maintain MIA accuracy at clean baseline levels or further reduce privacy risks. Notably, our method achieves the greatest reduction in MIA accuracy, indicating strong protection against training data extraction. Contrary to concerns about data exposure, our unlearnable perturbations actually enhance the model's resilience to membership inference attacks.

[1] Unlearnable Examples: Making Personal Data Unexploitable. ICLR 2021.

[2] A Survey on Unlearnable Data. arXiv 2025.

[3] Transferable Clean-Label Poisoning Attacks on Deep Neural Nets. ICML 2019.

[4] Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. NeurIPS 2018.

[5] Membership inference attacks against machine learning models. IEEE Symposium on Security and Privacy 2017.

We thank reviewer bdeR for the positive feedback and valuable suggestions. Below we provide responses to each weakness and question.

W1: To better explain why our generated perturbations are effective, we have presented t-SNE visualizations in the supplementary material and add additional empirical analyses on the spatial dispersion of perturbations in the rebuttal.

(1) T-SNE visualizations on classifier’s last layer features. As shown in Supplementary Figure 3, we have presented t-SNE visualizations of model's learned feature representations on the clean test set, after training models on perturbed (unlearnable) data. We observe that GUE still yields well-separated class clusters when transferring perturbations from CIFAR-100 to CIFAR-10, which fails to prevent model from learning real semantics. In contrast, model trained on our unlearnable examples produce entangled and overlapping feature distributions on the clean test data, indicating that the model did not learn useful semantics from the perturbed training set.

(2) Perturbations' spatial dispersion. Moreover, we assess the spatial dispersion of perturbations by computing the Shannon entropy of each perturbation map. A higher entropy reflects that the perturbation values are more evenly distributed across spatial locations, rather than being concentrated in localized areas. As shown below, our perturbations achieve an average entropy of 6.02 on CIFAR-10, markedly higher than other baseline methods while keeping comparable data quality (as the PSNR and SSIM metrics show below). This global coverage reduces reliance on object shapes of specific samples and enhances the transferability of unlearnability across diverse scenarios.

W2: We add an ablation study on generator depth by training generators with 2, 4, 8, and 16 residual blocks on CIFAR-10, and evaluating their effectiveness on CIFAR-10, CIFAR-100, and SVHN. Results are shown below:

We observe that all variants achieve test accuracy close to the random guess level (10% for CIFAR-10/SVHN, 1% for CIFAR-100). This indicates that the method is insensitive to the depths of the generator.

W3&Q1: We clarify that our generated perturbations are indeed class-wise. Specifically, we first generate perturbations for each sample, then we average the perturbations for each class and add the same perturbations for samples within the same class. This is also in accordance with the Perturbation-Label Coupling (PLC) mechanism that aligns perturbation embeddings with CLIP-encoded class-specific label embeddings. The class-wise perturbations are thus encouraged to cluster towards corresponding class labels, establishing direct and close associations between perturbations and labels.

W4&Q2: We appreciate your insightful comment. While we acknowledge that pre-trained models may inherit biases or vulnerabilities from their training data, we believe the impact on our method is minimal. Specifically, PLC does not use CLIP for prediction; it only leverages CLIP’s frozen text embeddings as a class-level prior to guide the clustering of class-wise perturbations. This indirect integration limits the propagation of CLIP-specific biases into our model.

To evaluate whether our approach is sensitive to potential biases from CLIP's pretraining data, we conduct ablation experiments using different CLIP checkpoints trained on different corpora (YFCC-15M, CC12M, and LAION-400M). We also include an alternative multi-modal model (BLIP). All models are solely used to extract label embeddings in the PLC procedure. The results are summarized below:

Across all settings, the generated unlearnable examples consistently reduce model performance to random guess level (10% for CIFAR-10/SVHN, 1% for CIFAR-100). This indicates that our approach is not reliant on any specific CLIP variant or pretraining corpus, but instead leverages the general semantic alignment inherent in multimodal embeddings. As a result, the PLC mechanism is robust to dataset-specific artifacts and potential biases arising from large-scale web-based pretraining data.

Q3: We clarify that we follow existing UE works [1, 2, 3] to evaluate each defense strategy individually. Defenses such as Cutout, CutMix, and Mixup are mutually exclusive by design, so we apply them independently.

[1] Image Shortcut Squeezing: Countering Perturbative Availability Poisons with Compression. ICML 2023.

[2] Purify unlearnable examples via rate-constrained variational autoencoders. ICML 2024.

[3] Detection and defense of unlearnable examples. AAAI 2024.

We thank reviewer Dthy for the positive feedback and valuable suggestions. Below we provide responses to each weakness and question.

W1: We will elaborate on the motivation behind each module and the joint roles below.

(1) Overall Motivation. Existing UE methods generate perturbations that are highly dependent on specific training data, which results in substantial performance drops when applied to unseen data. To address this issue, we aim to generate unlearnable examples that remain effective across various scenarios. To do so, we design the Versatile Transferable Generator, and incorporate Adversarial Domain Augmentation and Perturbation-Label Coupling to improve transferability by enhancing effectiveness under distribution shifts and reducing reliance on specific data to craft shortcuts.

(2) Motivation of Adversarial Domain Augmentation. ADA aims at synthesizing worst-case out-of-distribution samples, which compels the perturbation generator to craft perturbations that remain effective for a more robust surrogate model. As a result, the optimized perturbation generator possesses better transferability and is capable of introducing unlearnability under distribution shifts.

(3) Motivation of Perturbation-label Coupling. PLC aims at reducing UE's reliance on specific data when introducing shortcuts, playing a collaborative role in transferring perturbations to unseen samples. Its direct perturbation-label alignment is achieved without relying on data semantics, which improves the effectiveness of the perturbation generator with unseen data.

Overall, VTG is superior in transferability to diverse scenarios by leveraging ADA's generalizability over distribution shifts and PLC's less reliance on specific data. We will revise the motivation accordingly in the updated paper for better clarification.

W2&Q1: We emphasize that our perturbations are visually imperceptible and do not compromise image quality, and we will make clarifications below.

(1) The imperceptibility of perturbations. We consider it from two aspects.

• Qualitative Visualizations. We have included qualitative visualizations of the perturbed images in Figure 3 of Supplementary Section 1.4, where we compared the perturbed images with clean images across seven datasets, including CIFAR-10, CIFAR-100, MNIST, MNIST-M, SVHN, SYN, and PACS. The quality of perturbed images is generally acceptable, especially on CIFAR-10 and CIFAR-100. Since we are not allowed to upload images, please see Figure 1 of [1] for visualizations of other UE methods.
• Quantitative Evaluations. To further justify the visual quality of our method, we add evaluations between perturbed and clean images using two widely adopted metrics: PSNR (Pixel Fidelity) [2] and SSIM (Structural Similarity) [3]. We report the average values computed on 100 perturbed images on CIFAR10 below. Our perturbations are relatively comparable with existing UE methods, indicating that the perturbed images maintain high visual quality.

(2) The size of the perturbations compared to other baselines. We follow the same perturbation size (8/255) as other UE methods [4, 5, 6] for fair comparison.

(3) Additional constraints besides low test accuracy. We clarify that we follow the standard protocol and use the same architectures and hyper-parameters for the classifier as existing UE works [4, 5, 6]. The classifier has good test accuracy if trained on clean data (please see Table 2, Table 3, and Table 8 in the main paper). Moreover, when a classifier is trained on perturbed images and evaluated on clean test images, the training accuracy reaches nearly 100%, showing the classifier has learned to classify training samples. However, when testing on clean test samples, its prediction approximates random guessing, indicating the drop in test performance is not due to underfitting but because it's learning shortcuts instead of real semantics.

Q2: We would like to clarify from two aspects that the Adversarial Domain Augmentation is important for optimizing transferable perturbations and is not replaceable with some standard data augmentation.

(1) The core motivation of ADA. ADA aims at mimicking worst-case scenarios across distribution shifts, so that perturbations that can mislead the more robust surrogate model optimized by ADA are able to remain effective across various scenarios.

(2) Empirical Justification. As shown in the table below, ADA consistently outperforms standard augmentations, especially for cross-task transfer (e.g., CIFAR-10 to CIFAR-100), while other augmentation strategies perform poorly in this transfer scenario. This observation highlights the effectiveness of ADA in improving the transferability of unlearnable examples.

Q3: We clarify that in Eq. (5), Concat does refer to aggregating the original and augmented samples within each mini-batch. We revise Eq. (5) as follows for better clarification:

Q4: We note that the two objectives are optimized sequentially rather than jointly. We first use Eq. (4) to optimize the domain composer $C_\mu$ to generate diversified samples, and then use Eq. (5) to train the composer $C_\mu$ and the classifier $f_\theta$ with the cross-entropy loss, which prevents $C_\mu$ from over-distorting the images to other classes.

Q5: Since we are unable to include images in the rebuttal, we clarify that the augmented samples generated by our domain composer exhibit similar visual diversity and semantic consistency as those shown in Figure 1. To support this, we compute PSNR, SSIM, and LPIPS (Perceptual Similarity) [7] over 100 randomly selected samples as below. Figure 1 examples are representative samples that contain desirable domain shifts, while Gaussian-blurred examples serve as a weaker baseline with fewer domain shifts.

These results show that the augmentations generated by the domain composer match the examples in Figure 1 in terms of fidelity, distortion, and semantic similarity, which successfully diversifies training samples to optimize more transferable perturbations.

Q6: We clarify that we use the feature extractor $z_\theta$ within the classifier $f_\theta$ to encode perturbations instead of images. We also leverage CLIP text encoder to obtain label embeddings. Both the feature extractor $z_\theta$ and CLIP text encoder are kept frozen during optimization of Eq. (9). The motivation behind PLC is to reduce reliance on specific samples when generating perturbations. As a result, strong perturbation-label associations are established, enhancing the transferability of unlearnable examples.

Q7: Yes. We clarify that the domain composer, the surrogate classifier, and the perturbation generator are all trained from scratch, while the CLIP text encoder is the only pretrained model and is kept frozen.

Q8: Yes. We note that the perturbation generator only receives raw images as input and produces corresponding perturbations. There are no labels or other information.

Q9: We clarify that the limitation on the scalability of our method mainly derives from the moderately increased training time compared to gradient-based methods.

For runtime comparison, we report the per-epoch training time on CIFAR-10 (50000 samples) and SVHN (73257 samples), and compare it against gradient-based baselines (EMN, TUE) and generator-based baselines (GUE, 14A). All experiments are conducted on a single NVIDIA RTX A5000 GPU. While our method has a moderately higher training cost than EMN and TUE, it holds greater transferability across various scenarios. When compared with GUE (requiring implicit gradient) and 14A (using a much larger generator, 121.13M vs. our 0.09M), our method is superior in both efficiency and transferability.

Regarding full ImageNet, our method is fully compatible with large-scale datasets like ImageNet. Due to time and computational constraints during the rebuttal period, we are currently unable to provide results using a full 1000-class ImageNet.

Q10: Yes, we used performance on the Intra-Domain test set to tune the hyper-parameters. Since our VTG targets transferability, we also used evaluations on the Cross-Task and Cross-Space scenarios.

[1] Detecting and Corrupting Convolution-based Unlearnable Examples. AAAI 2025.

[2] Scope of validity of PSNR in image/video quality assessment. Electronics Letters 2008.

[3] Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing 2004.

[4] Unlearnable Examples: Making Personal Data Unexploitable. ICLR 2021.

[5] Transferable Unlearnable Examples. ICLR 2023.

[6] Game-Theoretic Unlearnable Example Generator. AAAI 2024.

[7] Investigating loss functions for extreme super-resolution. CVPRW 2020.

We thank reviewer pQ4b for the positive feedback and valuable suggestions. Below we provide responses to each weakness and question.

W1: We would like to clarify the effectiveness of PLC from two aspects.

(1) The rationale behind Perturbation-Label Coupling. The goal of PLC is to build strong associations between perturbations and labels, thus introducing shortcuts. To achieve this, we perform direct perturbation-label alignment by aligning the perturbation $\delta$, rather than the perturbed image $x+\delta$, with the label $y$, and we name this process as Perturbation-Label Coupling. Perturbations from the same class are clustering around the corresponding labels and are distant from other classes, tricking the model to classify based on the introduced shortcuts. Therefore, PLC improves UE's transferability by reducing reliance on specific data, playing a collaborative role in promoting unlearnability across various scenarios.

(2) The role of CLIP text encoder.

We note that the CLIP text encoder serves two roles and cannot be replaced with any random encoder.

• Anchors for perturbations to align with. As mentioned above, the rationale behind PLC is to establish direct associations between perturbations and labels, where the plug-and-play CLIP text encoder holds exceptional zero-shot capability to encode class labels as anchors in the contrastive alignment paradigm, guiding the optimization of perturbations towards corresponding classes and away from other classes.
• Implicit connections with its vast image base. Another reason for using CLIP text encoder derives from its superior cross-modal associations. It is known that CLIP's label encodings are closely associated with its extensive pre-trained image base. Therefore, by aligning perturbations with CLIP-encoded labels, the perturbation generator is able to implicitly connect with unseen images, which enhances its effectiveness across unseen classes.

W2: We appreciate your observation. Our augmented images generated by the domain composer exhibit a similar degree of distributional shift and semantic consistency as the illustrative examples shown in Figure 1. Since we are not allowed to provide images in rebuttal, we provide quantitative evaluations to confirm that the composer does introduce meaningful domain-level diversity without compromising class semantics. We use PSNR (Pixel-level Fidelity) [1], SSIM (Structural Similarity) [2], and LPIPS (Perceptual Similarity) [3] to jointly assess the quality of diversified samples, ensuring they remain structurally consistent while exhibiting meaningful domain-level variation. We report average values over 100 randomly sampled augmented images, and include comparisons with both Gaussian-blurred images (as a weak baseline with few domain shifts) and the illustrative examples in Figure 1. Results are summarized below:

These results show that the augmentations generated by the domain composer match the examples in Figure 1 in terms of fidelity, distortion, and semantic similarity, which successfully diversifies training samples to optimize more transferable perturbations.

W3: We value your advice and add evaluations against diffusion-based purification methods. As the code for BridgePure [4] is not publicly available, we adopt AVATAR [5], a recent representative diffusion-based defense, for comparison. As shown below, diffusion-based defense indeed exhibits strong capabilities in purifying perturbed images into trainable data, where the unlearnability of VTG degrades moderately. This is somewhat expected since VTG does not include specific mechanisms to resist diffusion-based defenses, a limitation shared by existing UE methods. Despite this challenge, VTG still outperforms other UE methods under AVATAR, demonstrating superior robustness. We consider the resistance of UEs to diffusion-based defense as an important future research direction.

Q1: We note that we use class-wise EMN perturbations and sample-wise TUE perturbations as baselines. The corresponding details for applying them to target datasets were mainly included in Supplementary 1.2. The implementation process can be categorized into two different scenarios.

(1) For target data with different numbers of classes or samples, we follow the interpolation operation introduced by TUE.

Specifically, if more classes are required, we interpolate two classes to create new class-wise perturbations:

$\delta^* = \alpha \delta_i + (1 - \alpha) \delta_j, \text{where } y_i \neq y_j.$

If more samples within one class are required, we interpolate two samples to create new sample-wise perturbations:

$\delta^* = \alpha \delta_i + (1 - \alpha) \delta_j, \text{where } y_i = y_j.$

The subscripts denote class indexes, and the number of newly created perturbations is controlled by varying $\alpha$, which is generally set as 0.5.

(2) For target data with different resolutions, we simply resample the perturbations to match the resolution of the target dataset.

[1] Scope of validity of PSNR in image/video quality assessment. Electronics Letters 2008.

[2] Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing 2004.

[3] Investigating loss functions for extreme super-resolution. CVPRW 2020.

[4] BridgePure: Limited Protection Leakage Can Break Black-Box Data Protection. arXiv 2024.

[5] The devil’s advocate: Shattering the illusion of unexploitable data using diffusion models. IEEE SaTML 2024.

We thank reviewer K9MH for the positive feedback and valuable suggestions. Below we provide responses to each weakness.

W1: We emphasize that our perturbed images exhibit comparable visual quality to existing unlearnable example (UE) methods, and remain sufficiently clear for semantic interpretation. Due to rebuttal policy, we cannot present images to compare their visual quality. However, following your suggestion, we evaluate the quality of perturbed images from two aspects.

(1) Qualitative visualizations. We have included some visualizations of the perturbed images in Figure 3 of Supplementary Section 1.4, where we compared the perturbed images with clean images across seven datasets, including CIFAR-10, CIFAR-100, MNIST, MNIST-M, SVHN, SYN, and PACS. The quality of perturbed images is generally acceptable, especially on CIFAR-10 and CIFAR-100. For comparison with other UE methods, please see visualizations in Figure 1 of [1].
(2) Quantitative Evaluations. To further justify the visual quality of our method, we evaluate the structural similarity between perturbed and clean images using two widely adopted metrics: PSNR [2] and SSIM [3]. These metrics are known to reflect both low-level pixel fidelity and high-level structural consistency. As shown in the table below, we report the average values computed on 100 image samples of CIFAR10. The quality of our perturbed images is relatively comparable to existing UE methods.

W2: We acknowledge that the generator structure introduces additional computational overhead during deployment, which we have identified as a limitation and discussed in the Conclusion section. In addition, we also compared the efficiency of VTG against two other generator-based approaches, and the results are shown in Table 9 in our supplementary. It can be observed that our generator is small in size (0.09M parameters). Owing to its lightweight structure, it also generates perturbations efficiently (requiring only 0.4 ms per image). This indicates that VTG incurs minimal computational overhead at inference while effectively introducing unlearnability across diverse scenarios. We will include above inference cost analyses in the updated paper for better presentation.

W3: We sincerely thank the reviewer for this insightful observation. We acknowledge that the theoretical analysis on the diversity of generated samples is indeed critical for a complete understanding of our transferability-focused UE framework. On the other hand, we would like to note that the theoretical analysis of UEs in the context of transferability is inherently challenging. To the best of our knowledge, no existing work has addressed this issue. We consider this a core focus of our future work.

As a preliminary step toward this goal, we provide a theoretical understanding of our method through the lens of the Wasserstein distance between real samples and generated diversified samples.

Specifically, given a predictor $f$, for any distributions $\mathbb{P}_a$ and $\mathbb{P}_b$, it can be shown that for any $0<\delta<1$, the following holds with probability at least $1-\delta$ [4]: $\underset{(x,y)\sim\mathbb{P}_b}{\mathbb{E}}\mathcal{L}(f(x),y) \le \underset{(x,y)\sim\mathbb{\hat{P}}_a}{\mathbb{E}}\mathcal{L}(f(x),y)+W_d(\mathbb{\hat{P}}_a, \mathbb{\hat{P}}_b)+\mathcal{O}(\sqrt{\frac{\log (1/\delta)}{N_a}},\sqrt{\frac{\log (1/\delta)}{N_b}}),$ where $\mathcal{L}$ is a loss function (e.g., cross-entropy loss), $\mathbb{\hat{P}}$ is the empirical counterpart of $\mathbb{{P}}$ (i.e., a data set sampled from $\mathbb{{P}}$), $N_a$ and $N_b$ are, respectively, the sample size of $\mathbb{\hat{P}}_a$ and $\mathbb{\hat{P}}_b$. The inequality reveals that we can upper bound the expected loss of $\mathbb{{P}}_b$ in terms of the empirical loss on $\mathbb{\hat{P}}_a$ and their empirical Wasserstein distance $W_d(\mathbb{\hat{P}}_a, \mathbb{\hat{P}}_b)$.

For the problem studied in this work, however, we cannot estimate $W_d(\mathbb{\hat{P}}_a, \mathbb{\hat{P}}_b)$, since we only have a training set $\mathbb{\hat{P}}_a$, but the test data $\mathbb{\hat{P}}_b$ is unknown. As our objective is to enhance the transferability in various distinct scenarios, we address this issue by training a domain composer $\mathcal{C}\_{\mu}$ to synthesize the worst-case out-of-distribution [5, 6] samples: ${\mu} = \underset{\mu}{\arg\max} \mathcal{W}_d(\mathcal{C}\_{\mu}({x}), {x}).$ In practice, the computation of $\mathcal{W}_d(\mathcal{C}\_{\mu}({x}),x)$ involves a linear programming problem whose cost is prohibitive, and therefore we adopt the Sinkhorn distance [7, 8] as defined in Eq. (3) in our paper. Additionally, it can be shown that under certain conditions, the Sinkhorn distance is equivalent to the Wasserstein distance [7, 8]. Putting all together, we can show that, the following holds with probability at least $1-\delta$: $\underset{x\sim \mathcal{C}\_\mu(x)}{\mathbb{E}}\mathcal{L}(f(x),y) \le \underset{(x,y)\sim\mathbb{\hat{P}}_a}{\mathbb{E}}\mathcal{L}(f(x),y)+W_d(\mathcal{C}\_\mu(x), x)+\mathcal{O}(\sqrt{\frac{\log (1/\delta)}{N_a}}). \qquad (*)$

In summary, our domain composer leverages Wasserstein distance to generate worst-case samples and its diversity can be roughly analyzed via Eq. (*) by examining the loss on synthetic samples. On the other hand, we note that this analysis is only an initial step. For example, it does not examine how the composer $\mathcal{C}_\mu$ affects the transferability of the noise $\delta$. Besides, conducting a lower-bound analysis of the loss is also a promising direction for improving our understanding of sample diversity and noise transferability.

[1] Detecting and Corrupting Convolution-based Unlearnable Examples. AAAI 2025.

[2] Scope of validity of PSNR in image/video quality assessment. Electronics Letters 2008.

[3] Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing 2004.

[4] Theoretical Analysis of Domain Adaptation with Optimal Transport. ECML 2017

[5] Certifying Some Distributional Robustness with Principled Adversarial Training. ICLR 2018

[6] Out-of-Domain Generalization From a Single Source: An Uncertainty Quantification Approach. IEEE TPAMI 2022.

[7] Sinkhorn Distances: Lightspeed Computation of Optimal Transport. NeurIPS 2013.

[8] Learning Generative Models with Sinkhorn Divergences. AISTATS 2018.