Unlearnable Examples Give a False Sense of Security: Piercing through Unexploitable Data with Learnable Examples
Wan Jiang, Yunfeng Diao, He Wang, Jianxin Sun, Meng Wang, Richang Hong

TL;DR
This paper reveals that unlearnable examples (UEs) do not provide true security and introduces learnable unauthorized examples (LEs) with a diffusion model to effectively counter UEs across different learning scenarios.
Contribution
It formally defines LEs as a new threat and proposes a diffusion-based purification method to convert UEs into LEs, providing a robust countermeasure.
Findings
LEs effectively counter UEs in supervised and unsupervised settings
The diffusion model successfully purifies UEs into LEs
The proposed method outperforms existing defenses against UEs
Abstract
Safeguarding data from unauthorized exploitation is vital for privacy and security, especially amid the recent rampant research on security breaches such as adversarial/membership attacks. To this end, unlearnable examples (UEs) have recently been proposed as a compelling protection, adding imperceptible perturbations to data so that models trained on them cannot classify them accurately on the original clean distribution. Unfortunately, we find that UEs provide a false sense of security, because they cannot stop unauthorized users from utilizing other unprotected data to remove the protection, turning unlearnable data into learnable data again. Motivated by this observation, we formally define a new threat by introducing learnable unauthorized examples (LEs), which are UEs with their protection removed. The core of this approach is a novel purification process that projects UEs onto…
Taxonomy
Topics: Digital and Cyber Forensics · Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques
Methods: Diffusion
