Model Immunization from a Condition Number Perspective

We thank the reviewer for the thoughtful and encouraging feedback. We are glad the reviewer found the theoretical formulation sound, the proposed regularizers technically solid, and the empirical results convincing. We address the specific concerns and questions below.

Q12. Manipulating the condition number of objective functions seems computationally expensive. Could the authors justify how the proposed method could be generalized to an even larger scale?

The computational cost depends on two main factors: the number of samples and the complexity of computing singular values. For the first, in large-scale problems, the Hessian of the full dataset can be approximated using only a minibatch. For the second, as the reviewer points out, the proposed method requires only the maximum or minimum singular value of the regularized matrix, which (particularly in high-dimensional settings) can be efficiently computed using techniques such as the Lanczos algorithm [1,2] or randomized SVD [3,4]. These approaches reduce the computational complexity from $\mathcal{O}(d^3)$ for a full SVD of a $d \times d$ matrix to $\mathcal{O}_k(d^2)$, with the rank-dependent factor absorbed into $\mathcal{O}_k$. This reduction is beneficial given the typically low-rank structure of Hessian matrices.

[1] Cullum and Willoughby. Lanczos algorithms for large symmetric eigenvalue computations: Vol. I: Theory. Society for Industrial and Applied Mathematics, 2002. [2] Golub and Van Loan. Matrix computations. JHU press, 2013. [3] Halko et. al. "Finding structure with randomness: Probabilistic algorithms for constructing approximate matrix decompositions." SIAM review, 2011. [4] Tropp. "Randomized algorithms for matrix computations." 2020.

Q13. How would the model perform on tasks other than the primary task and the harmful task?

Thanks for pointing out this interesting direction. We now additionally report the ratio between condition numbers with and without immunization, i.e., Eq. 15 (i) but for all digits, for a model with $D_{\tt P}$ = digit 0 and $D_{\tt H}$ = digit 1.

For digits other than $D_{\tt P}$ and $D_{\tt H}$, we observe that the ratio remains close to 1, indicating that immunization does not affect the condition number of the features on other tasks.

For a theoretical perspective, following the reasoning in Sec. 3.1, the performance on other tasks is intuitively related to the correlation with $D_{\tt H}$, i.e., the relative angle between the singular vectors.

We thank the reviewer for the thoughtful review and respond to questions below.

Q5. Generative task

We consider the immunization against linear probing (Sec. 3). For generative tasks, linear probing is not commonly used for transfer learning. Instead, other techniques, e.g., LoRA, are more common. Nevertheless, we now report on immunization against linear probing for a generative model.

We experiment with CVAE on the MNIST dataset. Let $D_{\tt P}$ be digit 0 images and $D_{\tt H}$ be digit 1 images. The CVAE uses MLP for both the encoder and decoder. The last layer of the decoder is used for linear probing, and all other layers are treated as the feature extractor. The loss $\mathcal{L}$ is the negative ELBO.

As in the paper, we report RIR to evaluate immunization. To evaluate generation quality, we report the accuracy of a digit classifier (with 99.3% acc. on the MNIST test set).

In Tab R1, our approach successfully immunizes the model against $D_{\tt H}$ without hurting the performance on $D_{\tt P}$, as indicated by a large RIR and acc. of 100% on the generated images.

In Tab R2, we report linear probing on $D_{\tt H}$ across different epochs on models w/ and w/o immunization. We observe that the acc. of the model w/o immunization gradually learns to generate $D_{\tt H}$ (digit 1), while the immunized model struggles to learn $D_{\tt H}$ (digit 1).

Tab R1. Results of immunizing CVAE on MNIST.

Tab R2. Acc. of generation on $D_{\tt H}$ w/ and w/o immunization.

Q6. Test acc. on $D_{\tt H}$ for deep nets v.s. fine-tuning epochs

The acc. on $D_{\tt P}$ is fixed as reported in Tab.3 in our paper. In Tab. R3 & R4, we further report the linear probed (fine-tuned) results on different feature extractors and provide the test acc. on $D_{\tt H}$ during the first 20 epochs of linear probing (fine-tuning). Here, $D_{\tt H}$ refers to the Stanford Cars dataset. The acc. are reported every 5 epochs. As shown, our method exhibits the slowest convergence rate with on both ResNet18 and ViT; indicated by the lowest acc. compared with baselines. We will include a plot visualizing these results in the paper.

Tab R3. Test acc. on $D_{\tt H}$ with ResNet18 as the backbone.

Tab R4. Test acc. on $D_{\tt H}$ with ViT as the backbone.

Q7. Any other papers use RIR for evaluation?

To the best of our knowledge, we are the first to study immunization from a condition number perspective. Therefore, we are not aware of other works using RIR as an evaluation metric.

Q8. Should the dummy layer be applied to every weight parameter in deep nets?

Under the linear probing setting, the dummy layer only needs to be inserted at the last layer of the feature extractor, and the rest of the layers can be trained normally. Intuitively, we are treating a deep-net to be extracting "learnable feature" $\mathbf{x}$ followed by a linear feature extractor $\theta_L$, that is, we view a deep-net $f_{[\theta_1, \dots \theta_L]} = \mathbf{x}(\theta_1,\dots, \theta_{L-1})^\top\theta_{L}$. Note, our theoretical result is limited to linear models and does not fully justify such constructions. We believe this is an important future direction, and we believe the linear model's results provide a promising first step.

Q9. References on adversarial prompting

Thanks! We will review the suggested [1, 2] along with other related works on concept erasing methods to provide a more comprehensive view of the field.

Q10. Suggestion on proof sketch

We will adjust the length/placement of the proof sketches. This would also help to create space for the additionally suggested experiments for the main text.

Q11. Numerical stability of Reg. terms

Indeed, $\mathbf{S}$ being a diagonal matrix composed of \sigma_\min's is the only case for gradient explosion. We would note, though, that the premise of our theorems, e.g., Eq. (13), is the minimum singular value \sigma_\min being unique, which would prevent this case in theoretical derivation. In practice, even though the Hessian could be low-rank, we observed that \sigma_\max is usually much larger than \sigma_\min, in many cases to the extent of several orders of magnitude. Therefore, we did not empirically observe issues with gradient explosion.

We thank the reviewer for the positive and constructive review. We answer individual questions below.

Q1. Justification for task and dataset selection

Our experiments consist of two settings: (a) a linear model setup, where the setting matches our proposed theoretical framework, and (b) a deep-net setup, where we experimented with non-linear models despite the theoretical gap.

For linear models: For the regression task, we choose the House Price dataset as it is a widely used tabular dataset, e.g., in intro ML courses. For the classification task, we choose MNIST as it is the most basic image classification dataset. Additionally, linear models are effective on these datasets.

For deep-nets: The transfer learning setting follows from [A] (See Line 352). The chosen Stanford Cars dataset and Country211 dataset are simply the first two datasets presented in [A]'s Figure. 4 (the official ICML version), where they demonstrate linear probing to work well. We now provide experimental results on the third dataset from their Figure. 4 (Food-101) as $D_{\tt H}$ in the table below. Here the feature extractor backbone is ResNet18. We observe that the proposed method is also effective in Food-101.

• [A] Radford, Alec, et al. "Learning transferable visual models from natural language supervision." ICML 2021.

We will clarify the motivation of these setups in the experiment section.

Q2. Explanation of the experiment setup for ResNet18 and ViT

We choose to update only the last two convolutional blocks of ResNet18 and the final transformer block of the Vision Transformer (ViT) following common practices in transfer learning. For this experimental setup, we are starting the immunization with a model pre-trained on ImageNet. Typically, only the final layers are updated for efficiency reasons. We will clarify this choice.

We now provide the results of immunizing the entire ResNet18 backbone on the Stanford Cars dataset below. When training the entire backbone, we observe a similar result, but with a slightly lower immunization effect on $D_{\tt H}$ and test accuracy on $D_{\tt P}$. Note that the running time for the full model is more than twice that of only updating the last blocks.

Q3. The challenges for modeling immunization for non-linear models and generalizing the framework to non-linear models

On the theoretical front, characterizing the Hessian in arbitrary non-linear models remains challenging. In particular, the Hessian of the linear model admits a tractable form for which we can analytically relate its condition number to the singular values of the task-specific data matrix and the shared weight matrix. As a result, our theoretical guarantees on gradient updates with respect to the feature extractor $\theta$, which relies heavily on rigorous matrix analysis, are yet to be generalized to non-linear models. The proposed regularizations, however, are applicable to bounding the condition number of general matrices, including the Hessian of non-linear models.

Hence, we have tested the empirical performance of the immunization framework on various non-linear models including ResNet18 and ViT with linear probing. As demonstrated in Sec. 5.2, the results validate the practical effectiveness.