Learnability Lock: Authorized Learnability Control Through Adversarial Invertible Transformations

TL;DR

This paper introduces a learnability lock mechanism using adversarial invertible transformations to control data access for training deep learning models, allowing authorized unlocking while preventing unauthorized learning.

Contribution

It proposes a novel learnability lock method that employs invertible transformations to protect data from unauthorized training while enabling authorized access through a key.

Findings

Successfully prevents unauthorized model training on protected data.

Enables data to be unlocked and used normally with the correct key.

Effective on visual classification tasks with minimal visual feature loss.

Abstract

Owing much to the revolution of information technology, the recent progress of deep learning benefits incredibly from the vastly enhanced access to data available in various digital formats. However, in certain scenarios, people may not want their data being used for training commercial models and thus studied how to attack the learnability of deep learning models. Previous works on learnability attack only consider the goal of preventing unauthorized exploitation on the specific dataset but not the process of restoring the learnability for authorized cases. To tackle this issue, this paper introduces and investigates a new concept called "learnability lock" for controlling the model's learnability on a specific dataset with a special key. In particular, we propose adversarial invertible transformation, that can be viewed as a mapping from image to image, to slightly modify data samples so that they become "unlearnable" by machine learning models with negligible loss of visual features. Meanwhile, one can unlock the learnability of the dataset and train models normally using the corresponding key. The proposed learnability lock leverages class-wise perturbation that applies a universal transformation function on data samples of the same label. This ensures that the learnability can be easily restored with a simple inverse transformation while remaining difficult to be detected or reverse-engineered. We empirically demonstrate the success and practicability of our method on visual classification tasks.