pith. sign in

arxiv: 2406.02883 · v2 · pith:TTVHCVIMnew · submitted 2024-06-05 · 💻 cs.LG · cs.CR

Nonlinear Transformations Against Unlearnable Datasets

Thushari Hapuarachchi , Jing Lin , Kaiqi Xiong , Mohamed Rahouti , Gitte Ost This is my paper

Pith reviewed 2026-05-25 09:04 UTC · model grok-4.3

classification 💻 cs.LG cs.CR
keywords unlearnable datasetsnonlinear transformationsdata protectiondeep neural networksCIFAR10privacyadversarial poisoningmachine learning security
0
0 comments X

The pith

Nonlinear transformations enable deep neural networks to learn from data designed to be unlearnable by twelve protection methods.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that a nonlinear transformation framework allows deep neural networks to learn effectively from examples created by twelve different unlearnable data protection methods. These methods include Deepconfuse, error-minimizing, autoregressive, and others intended to stop unauthorized data scraping for training models. The approach achieves test accuracy improvements ranging from 0.34 percent to 249.59 percent over a linear separable technique on CIFAR10 datasets, with over 100 percent gains for Autoregressive and REM methods. This indicates that existing protections are not sufficient to prevent models from learning the data.

Core claim

The paper establishes through experiments that a deep neural network can effectively learn from the data traditionally considered unlearnable produced by twelve approaches using a nonlinear transformation framework. This yields accuracy improvements from 0.34% to 249.59% on unlearnable CIFAR10 datasets compared to the linear separable technique, with over 100% gains for the Autoregressive and REM approaches, except for One-Pixel Shortcut. The findings indicate these protection approaches are inadequate for preventing unauthorized data use in machine learning models.

What carries the argument

The nonlinear transformation framework applied to unlearnable examples before model training to recover learnability.

If this is right

  • The twelve data protection approaches fail to block learning once nonlinear transformations are applied to the examples.
  • More robust protection mechanisms are required to prevent unauthorized access to data for machine learning.
  • The proposed nonlinear framework surpasses the linear separable technique in recovering accuracy across most tested methods.
  • Protection adequacy varies by method, with One-Pixel Shortcut remaining resistant while others show large gains.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Protection methods would need to be redesigned to resist nonlinear preprocessing if they are to remain effective.
  • This result connects to broader questions about whether any fixed data transformation can permanently block learning by adaptive models.
  • Testing new protection schemes against nonlinear attacks in addition to linear ones would strengthen their evaluation.
  • The findings imply that privacy tools based on unlearnable examples may require ongoing updates as attack methods advance.

Load-bearing premise

The linear separable technique provides the relevant baseline for demonstrating improvement by the nonlinear framework.

What would settle it

Running the nonlinear framework on the same unlearnable CIFAR10 datasets and finding test accuracy no higher than that achieved by the linear separable technique would falsify the claim.

Figures

Figures reproduced from arXiv: 2406.02883 by Gitte Ost, Jing Lin, Kaiqi Xiong, Mohamed Rahouti, Thushari Hapuarachchi.

Figure 1
Figure 1. Figure 1: The proposed framework consisting of Nonlinear Transformations, Model Selection, Model Training, Model Validation, and Model Testing. α is the expected or prede￾fined accuracy. To examine and identify each nonlinear trans￾formation, we propose a framework that consists of Nonlinear Transformations, Model Selection, Model Training, Model Validation, and Model Test￾ing, depicted in [PITH_FULL_IMAGE:figures/… view at source ↗
Figure 2
Figure 2. Figure 2: Graphical illustration of the proposed procedure for breaking an unlearnable dataset. In each iteration [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: An illustration of nonlinear transformation techniques. [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: An illustration of the color channels. Erode: This is a commonly used image￾processing technique introduced in mathematical morphology. This technique was initially defined for binary images (black and white), but it was later extended to grayscale images. Erosion reduces bright areas of an image and replaces them with dark regions (Haralick et al., 1987). Consider A and B as sets in Z 2 , where A is consi… view at source ↗
Figure 5
Figure 5. Figure 5: The training and validation accuracy of the model trained with unlearnable data created by NTGA. [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: The training and validation accuracies of models trained with unlearnable CIFAR-10 crafted by other approaches. [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Unlearnable MNIST, CIFAR-10, and ImageNet examples generated by NTGA. [PITH_FULL_IMAGE:figures/full_fig_p021_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Visualization of the unlearnable CIFAR-10 images crafted by the other eleven approaches. [PITH_FULL_IMAGE:figures/full_fig_p023_8.png] view at source ↗
read the original abstract

Automated scraping stands out as a common method for collecting data in deep learning models without the authorization of data owners. Recent studies have begun to tackle the privacy concerns associated with this data collection method. Notable approaches include Deepconfuse, error-minimizing, error-maximizing (also known as adversarial poisoning), Neural Tangent Generalization Attack, synthetic, autoregressive, One-Pixel Shortcut, Self-Ensemble Protection, Entangled Features, Robust Error-Minimizing, Hypocritical, and TensorClog. The data generated by those approaches, called "unlearnable" examples, are prevented "learning" by deep learning models. In this research, we investigate and devise an effective nonlinear transformation framework and conduct extensive experiments to demonstrate that a deep neural network can effectively learn from the data/examples traditionally considered unlearnable produced by the above twelve approaches. The resulting approach improves the ability to break unlearnable data compared to the linear separable technique recently proposed by researchers. Specifically, our extensive experiments show that the improvement ranges from 0.34% to 249.59% for the unlearnable CIFAR10 datasets generated by those twelve data protection approaches, except for One-Pixel Shortcut. Moreover, the proposed framework achieves over 100% improvement of test accuracy for Autoregressive and REM approaches compared to the linear separable technique. Our findings suggest that these approaches are inadequate in preventing unauthorized uses of data in machine learning models. There is an urgent need to develop more robust protection mechanisms that effectively thwart an attacker from accessing data without proper authorization from the owners.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes a nonlinear transformation framework that enables deep neural networks to learn from unlearnable examples generated by twelve data protection methods (Deepconfuse, error-minimizing, error-maximizing, NTGA, synthetic, autoregressive, One-Pixel Shortcut, Self-Ensemble Protection, Entangled Features, REM, Hypocritical, TensorClog) on CIFAR-10. It reports that the framework improves test accuracy over the linear separable technique by 0.34%–249.59% (with >100% gains on Autoregressive and REM), except for One-Pixel Shortcut, and concludes that existing protections are inadequate against unauthorized data use.

Significance. If the results hold under stronger baselines and full experimental controls, the work would indicate that current unlearnable-example generators are vulnerable to nonlinear recovery methods, strengthening the case for more robust data-protection techniques in machine learning.

major comments (2)
  1. [Abstract and §4] Abstract and §4: The headline improvements (0.34%–249.59%) and the claim that the twelve protection methods are inadequate rest solely on comparison to the linear separable technique. No justification is given for why this is the relevant or strongest baseline, nor are results reported against other plausible comparators such as standard augmentations, other poisoning-recovery heuristics, or direct optimization attacks. If a stronger baseline exists, the reported gains and the adequacy conclusion do not follow.
  2. [Abstract] Abstract: The manuscript states specific numerical improvements from extensive experiments yet supplies no methods, error bars, dataset details, training protocols, or statistical tests in the visible text. This prevents assessment of whether the claimed gains are reproducible or statistically meaningful.
minor comments (1)
  1. [Abstract] The abstract would be clearer if it briefly outlined the form of the proposed nonlinear transformations rather than only stating their empirical effect.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thoughtful comments on our manuscript. We address each of the major comments below and indicate where revisions will be made to strengthen the paper.

read point-by-point responses

  1. Referee: [Abstract and §4] The headline improvements (0.34%–249.59%) and the claim that the twelve protection methods are inadequate rest solely on comparison to the linear separable technique. No justification is given for why this is the relevant or strongest baseline, nor are results reported against other plausible comparators such as standard augmentations, other poisoning-recovery heuristics, or direct optimization attacks. If a stronger baseline exists, the reported gains and the adequacy conclusion do not follow.

    Authors: The linear separable technique is the most relevant baseline for our study because it is the recently proposed method specifically designed to recover learnability from unlearnable examples using linear transformations. Our contribution focuses on showing that nonlinear transformations can achieve substantial improvements over this linear approach. We will revise the manuscript to explicitly justify the choice of this baseline in the introduction and Section 4. While we did not compare against all possible alternative recovery methods, our experiments demonstrate the effectiveness of the proposed nonlinear framework relative to the linear baseline across twelve protection methods. If additional space allows, we can discuss other potential comparators in the revised version. revision: partial

  2. Referee: [Abstract] The manuscript states specific numerical improvements from extensive experiments yet supplies no methods, error bars, dataset details, training protocols, or statistical tests in the visible text. This prevents assessment of whether the claimed gains are reproducible or statistically meaningful.

    Authors: The abstract is intended as a concise summary of the key findings. Comprehensive details on methods, experimental protocols, dataset information (CIFAR-10), training procedures, and results including any error bars or statistical information are provided in the full manuscript, particularly in Sections 3 (Methodology) and 4 (Experiments). We believe the results are reproducible based on the provided details and will ensure cross-references from the abstract to these sections are clear in the revision if needed. revision: no

Circularity Check

0 steps flagged

No circularity: purely empirical comparison with no derivations or self-referential predictions

full rationale

The paper reports experimental test-accuracy gains of a nonlinear transformation framework versus one named prior baseline (linear separable technique) on CIFAR-10 unlearnable datasets. No equations, first-principles derivations, fitted parameters renamed as predictions, or uniqueness theorems appear in the supplied text. The central claim is an empirical statement that is externally falsifiable by re-running the experiments; it does not reduce to its own inputs by construction. Self-citation is not invoked as load-bearing support for any mathematical step.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical derivations, free parameters, axioms, or new entities are described in the abstract; the contribution appears to be an empirical framework whose details are not visible here.

pith-pipeline@v0.9.0 · 5821 in / 1265 out tokens · 56627 ms · 2026-05-25T09:04:47.740238+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. SoK: A Comprehensive Analysis of the Current Status of Neural Tangent Generalization Attacks with Research Directions

    cs.LG 2026-05 accept novelty 3.0

    NTGA is the first clean-label generalization attack under black-box settings but is vulnerable to adversarial training and image transformations, with newer attacks outperforming it.

Reference graph

Works this paper leans on

46 extracted references · 46 canonical work pages · cited by 1 Pith paper · 1 internal anchor

  1. [1]

    write newline

    " write newline "" before.all 'output.state := FUNCTION n.dashify 't := "" t empty not t #1 #1 substring "-" = t #1 #2 substring "--" = not "--" * t #2 global.max substring 't := t #1 #1 substring "-" = "-" * t #2 global.max substring 't := while if t #1 #1 substring * t #2 global.max substring 't := if while FUNCTION word.in bbl.in ":" * " " * FUNCTION f...

    work page

  2. [2]

    write newline

    " write newline "" before.all 'output.state := FUNCTION n.dashify 't := "" t empty not t #1 #1 substring "-" = t #1 #2 substring "--" = not "--" * t #2 global.max substring 't := t #1 #1 substring "-" = "-" * t #2 global.max substring 't := while if t #1 #1 substring * t #2 global.max substring 't := if while FUNCTION word.in bbl.in ":" * " " * FUNCTION f...

    work page

  3. [3]

    Deep Learning using Rectified Linear Units (ReLU)

    author Agarap, A.F. , year 2018 . title Deep learning using rectified linear units ( ReLU ) . journal CoRR volume abs/1803.08375 . http://arxiv.org/abs/1803.08375 arXiv:1803.08375

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  4. [4]

    , author Marchand, E

    author Chaumette, F. , author Marchand, E. , author Melchior, N. , author Saunier, A. , author Spindler, F. , author Tallonneau, R. , year 2012 . title Image manipulation and processing . journal ViSP tutorial, Lagadic project

    work page 2012

  5. [5]

    , author Ma, J

    author Chen, F. , author Ma, J. , year 2009 . title An empirical identification method of gaussian blur parameter for image deblurring . journal IEEE Trans. Signal Process. volume 57 , pages 2467--2478 . :10.1109/TSP.2009.2018358

    work page doi:10.1109/tsp.2009.2018358 2009

  6. [6]

    , author Yuan, G

    author Chen, S. , author Yuan, G. , author Cheng, X. , author Gong, Y. , author Qin, M. , author Wang, Y. , author Huang, X. , year 2022 . title Self-ensemble protection: Training checkpoints are good data protectors . journal arXiv preprint arXiv:2211.12005

    work page arXiv 2022

  7. [7]

    , author Gu, A

    author Dao, T. , author Gu, A. , author Ratner, A. , author Smith, V. , author De Sa, C. , author R \'e , C. , year 2019 . title A kernel theory of modern data augmentation , in: booktitle International Conference on Machine Learning , organization PMLR . pp. pages 1528--1537

    work page 2019

  8. [8]

    , author Dong, W

    author Deng, J. , author Dong, W. , author Socher, R. , author Li, L. , author Li, K. , author Fei - Fei, L. , year 2009 . title Imagenet: A large-scale hierarchical image database , in: booktitle IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR ) Miami, Florida, USA , publisher IEEE Computer Society . pp. pages 248--255 ....

    work page doi:10.1109/cvpr.2009.5206848 2009

  9. [9]

    , author Cai, Q

    author Feng, J. , author Cai, Q. , author Zhou, Z. , year 2019 . title Learning to confuse: Generating training time adversarial data with auto-encoder , in: editor Wallach, H.M. , editor Larochelle, H. , editor Beygelzimer, A. , editor d'Alch \' e - Buc, F. , editor Fox, E.B. , editor Garnett, R. (Eds.), booktitle Advances in Neural Information Processin...

    work page 2019

  10. [10]

    , author Goldblum, M

    author Fowl, L. , author Goldblum, M. , author Chiang, P. , author Geiping, J. , author Czaja, W. , author Goldstein, T. , year 2021 . title Adversarial examples make strong poisons , in: editor Ranzato, M. , editor Beygelzimer, A. , editor Dauphin, Y.N. , editor Liang, P. , editor Vaughan, J.W. (Eds.), booktitle Advances in Neural Information Processing ...

    work page 2021

  11. [11]

    , author He, F

    author Fu, S. , author He, F. , author Liu, Y. , author Shen, L. , author Tao, D. , year 2022 . title Robust unlearnable examples: Protecting data privacy against adversarial learning , in: booktitle The Tenth International Conference on Learning Representations (ICLR) , publisher OpenReview.net

    work page 2022

  12. [12]

    , author Caprini, L

    author Gervasi, O. , author Caprini, L. , author Maccherani, G. , year 2013 . title Virtual exhibitions on the web: From a 2d map to the virtual world , in: editor Murgante, B. , editor Misra, S. , editor Carlini, M. , editor Torre, C.M. , editor Nguyen, H. , editor Taniar, D. , editor Apduhan, B.O. , editor Gervasi, O. (Eds.), booktitle Computational Sci...

    work page doi:10.1007/978-3-642-39637-3 2013

  13. [13]

    , author Woods, R.E

    author Gonzalez, R.C. , author Woods, R.E. , year 2008 . title Digital image processing . publisher Prentice Hall , address Upper Saddle River, N.J

    work page 2008

  14. [14]

    , author Sternberg, S.R

    author Haralick, R.M. , author Sternberg, S.R. , author Zhuang, X. , year 1987 . title Image analysis using mathematical morphology . journal IEEE Trans. Pattern Anal. Mach. Intell. volume 9 , pages 532--550 . :10.1109/TPAMI.1987.4767941

    work page doi:10.1109/tpami.1987.4767941 1987

  15. [16]

    , author Marcu, A

    author Harris, E. , author Marcu, A. , author Painter, M. , author Niranjan, M. , author Pr \" u gel - Bennett, A. , author Hare, J.S. , year 2020 b. title Understanding and enhancing mixed sample data augmentation . journal CoRR volume abs/2002.12047 . http://arxiv.org/abs/2002.12047 arXiv:2002.12047

    work page arXiv 2020

  16. [17]

    , author Zha, K

    author He, H. , author Zha, K. , author Katabi, D. , year 2022 . title Indiscriminate poisoning attacks on unsupervised contrastive learning . journal CoRR volume abs/2202.11202 . http://arxiv.org/abs/2202.11202 arXiv:2202.11202

    work page arXiv 2022

  17. [18]

    , author Ma, X

    author Huang, H. , author Ma, X. , author Erfani, S.M. , author Bailey, J. , author Wang, Y. , year 2021 . title Unlearnable examples: Making personal data unexploitable , in: booktitle 9th International Conference on Learning Representations (ICLR) , Virtual Event, Austria , publisher OpenReview.net

    work page 2021

  18. [19]

    , author Hongler, C

    author Jacot, A. , author Hongler, C. , author Gabriel, F. , year 2018 . title Neural tangent kernel: Convergence and generalization in neural networks , in: editor Bengio, S. , editor Wallach, H.M. , editor Larochelle, H. , editor Grauman, K. , editor Cesa - Bianchi, N. , editor Garnett, R. (Eds.), booktitle Advances in Neural Information Processing Syst...

    work page 2018

  19. [20]

    , author Oprea, A

    author Jagielski, M. , author Oprea, A. , author Biggio, B. , author Liu, C. , author Nita-Rotaru, C. , author Li, B. , year 2018 . title Manipulating machine learning: Poisoning attacks and countermeasures for regression learning , in: booktitle IEEE Symposium on Security and Privacy (S&P) , organization IEEE . pp. pages 19--35

    work page 2018

  20. [21]

    , author Liang, P

    author Koh, P.W. , author Liang, P. , year 2017 . title Understanding black-box predictions via influence functions , in: booktitle International conference on machine learning , organization PMLR . pp. pages 1885--1894

    work page 2017

  21. [22]

    , author Satria, A.T

    author Komarudin, A. , author Satria, A.T. , author Atmadja, W. , year 2015 . title Designing license plate identification through digital images with opencv . journal Procedia Computer Science volume 59 , pages 468--472

    work page 2015

  22. [23]

    , author Hinton, G

    author Krizhevsky, A. , author Hinton, G. , et al., year 2009 . title Learning multiple layers of features from tiny images . journal Technical report

    work page 2009

  23. [24]

    , author Cortes, C

    author LeCun, Y. , author Cortes, C. , year 2010 . title MNIST handwritten digit database . journal ATT Labs

    work page 2010

  24. [25]

    , author Zhao, Z

    author Liu, Z. , author Zhao, Z. , author Larson, M. , year 2023 . title Image shortcut squeezing: Countering perturbative availability poisons with compression . journal arXiv preprint arXiv:2301.13838

    work page arXiv 2023

  25. [26]

    , author Makelov, A

    author Madry, A. , author Makelov, A. , author Schmidt, L. , author Tsipras, D. , author Vladu, A. , year 2018 . title Towards deep learning models resistant to adversarial attacks , in: booktitle 6th International Conference on Learning Representations (ICLR) , Vancouver, BC, Canada, Conference Track Proceedings , publisher OpenReview.net

    work page 2018

  26. [27]

    , author Gao, X

    author Qin, T. , author Gao, X. , author Zhao, J. , author Ye, K. , author Xu, C.Z. , year 2023 . title Learning the unlearnable: Adversarial augmentations suppress unlearnable example attacks . journal arXiv preprint arXiv:2303.15127

    work page arXiv 2023

  27. [28]

    , author Zeng, Y

    author Qiu, H. , author Zeng, Y. , author Guo, S. , author Zhang, T. , author Qiu, M. , author Thuraisingham, B. , year 2021 . title Deepsweep: An evaluation framework for mitigating DNN backdoor attacks using data augmentation , in: booktitle Proceedings of the ACM Asia Conference on Computer and Communications Security , pp. pages 363--377

    work page 2021

  28. [29]

    , author Abidin, T.F

    author Rahmatullah, P. , author Abidin, T.F. , author Misbullah, A. , et al., year 2021 . title Effectiveness of data augmentation in multi-class face recognition , in: booktitle 2021 5th International Conference on Informatics and Computational Sciences (ICICoS) , organization IEEE . pp. pages 64--68

    work page 2021

  29. [30]

    , author Soltanolkotabi, M

    author Sadasivan, V.S. , author Soltanolkotabi, M. , author Feizi, S. , year 2023 a. title Cuda: Convolution-based unlearnable datasets , in: booktitle Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pp. pages 3862--3871

    work page 2023

  30. [31]

    , author Soltanolkotabi, M

    author Sadasivan, V.S. , author Soltanolkotabi, M. , author Feizi, S. , year 2023 b. title FUN : Filter-based unlearnable datasets

    work page 2023

  31. [32]

    , author Singla, V

    author Segura, P.S. , author Singla, V. , author Geiping, J. , author Goldblum, M. , author Goldstein, T. , year 2023 . title What can we learn from unlearnable datasets? , in: editor Oh, A. , editor Naumann, T. , editor Globerson, A. , editor Saenko, K. , editor Hardt, M. , editor Levine, S. (Eds.), booktitle Advances in Neural Information Processing Sys...

    work page 2023

  32. [33]

    , author Singla, V

    author Segura, P.S. , author Singla, V. , author Geiping, J. , author Goldblum, M. , author Goldstein, T. , author Jacobs, D.W. , year 2022 . title Autoregressive perturbations for data poisoning . journal CoRR volume abs/2206.03693 . :10.48550/arXiv.2206.03693, http://arxiv.org/abs/2206.03693 arXiv:2206.03693

    work page doi:10.48550/arxiv.2206.03693 2022

  33. [34]

    , author Zhu, X

    author Shen, J. , author Zhu, X. , author Ma, D. , year 2019 . title Tensorclog: An imperceptible poisoning attack on deep neural network applications . journal IEEE Access volume 7 , pages 41498--41506 . https://doi.org/10.1109/ACCESS.2019.2905915, :10.1109/ACCESS.2019.2905915

    work page doi:10.1109/access.2019.2905915 2019

  34. [35]

    , author Stronati, M

    author Shokri, R. , author Stronati, M. , author Song, C. , author Shmatikov, V. , year 2017 . title Membership inference attacks against machine learning models , in: booktitle IEEE Symposium on Security and Privacy (SP) , San Jose, CA, USA , publisher IEEE Computer Society . pp. pages 3--18 . :10.1109/SP.2017.41

    work page doi:10.1109/sp.2017.41 2017

  35. [36]

    , author Zisserman, A

    author Simonyan, K. , author Zisserman, A. , year 2015 . title Very deep convolutional networks for large-scale image recognition , in: editor Bengio, Y. , editor LeCun, Y. (Eds.), booktitle 3rd International Conference on Learning Representations (ICLR) , San Diego, CA, USA, Conference Track Proceedings

    work page 2015

  36. [37]

    , author Hinton, G

    author Srivastava, N. , author Hinton, G. , author Krizhevsky, A. , author Sutskever, I. , author Salakhutdinov, R. , year 2014 . title Dropout: a simple way to prevent neural networks from overfitting . journal The journal of machine learning research volume 15 , pages 1929--1958

    work page 2014

  37. [38]

    , author Feng, L

    author Tao, L. , author Feng, L. , author Wei, H. , author Yi, J. , author Huang, S. , author Chen, S. , year 2022 . title Can adversarial training be manipulated by non-robust features? , in: booktitle NeurIPS . http://papers.nips.cc/paper\_files/paper/2022/hash/a94a8800a4b0af45600bab91164849df-Abstract-Conference.html

    work page 2022

  38. [39]

    , author Feng, L

    author Tao, L. , author Feng, L. , author Yi, J. , author Huang, S. , author Chen, S. , year 2021 . title Better safe than sorry: Preventing delusive adversaries with adversarial training , in: editor Ranzato, M. , editor Beygelzimer, A. , editor Dauphin, Y.N. , editor Liang, P. , editor Vaughan, J.W. (Eds.), booktitle Advances in Neural Information Proce...

    work page 2021

  39. [40]

    , author Kolmus, A

    author van Vlijmen, D. , author Kolmus, A. , author Liu, Z. , author Zhao, Z. , author Larson, M.A. , year 2022 . title Generative poisoning using random discriminators . journal CoRR volume abs/2211.01086 . https://doi.org/10.48550/arXiv.2211.01086, :10.48550/ARXIV.2211.01086, http://arxiv.org/abs/2211.01086 arXiv:2211.01086

    work page doi:10.48550/arxiv.2211.01086 2022

  40. [41]

    , author Wang, Y

    author Wang, Z. , author Wang, Y. , author Wang, Y. , year 2021 . title Fooling adversarial training with inducing noise . journal CoRR volume abs/2111.10130 . http://arxiv.org/abs/2111.10130 arXiv:2111.10130

    work page arXiv 2021

  41. [42]

    , author Zhao, Z

    author Wen, R. , author Zhao, Z. , author Liu, Z. , author Backes, M. , author Wang, T. , author Zhang, Y. , year 2023 . title Is adversarial training really a silver bullet for mitigating data poisoning? , in: booktitle The Eleventh International Conference on Learning Representations, ICLR 2023, Kigali, Rwanda, May 1-5, 2023 , publisher OpenReview.net ....

    work page 2023

  42. [43]

    , author Chen, S

    author Wu, S. , author Chen, S. , author Xie, C. , author Huang, X. , year 2022 . title One-pixel shortcut: on the learning preference of deep neural networks . journal CoRR volume abs/2205.12141 . :10.48550/arXiv.2205.12141, http://arxiv.org/abs/2205.12141 arXiv:2205.12141

    work page doi:10.48550/arxiv.2205.12141 2022

  43. [44]

    , author Chen, S

    author Wu, S. , author Chen, S. , author Xie, C. , author Huang, X. , year 2023 . title One-pixel shortcut: On the learning preference of deep neural networks , in: booktitle The Eleventh International Conference on Learning Representations, ICLR 2023, Kigali, Rwanda, May 1-5, 2023 , publisher OpenReview.net . https://openreview.net/pdf?id=p7G8t5FVn2h

    work page 2023

  44. [45]

    , author Zhang, H

    author Yu, D. , author Zhang, H. , author Chen, W. , author Yin, J. , author Liu, T.Y. , year 2021 . title Indiscriminate poisoning attacks are shortcuts . journal arXiv preprint arXiv:2111.00898

    work page arXiv 2021

  45. [46]

    , author Wu, S

    author Yuan, C. , author Wu, S. , year 2021 . title Neural tangent generalization attacks , in: editor Meila, M. , editor Zhang, T. (Eds.), booktitle Proceedings of the 38th International Conference on Machine Learning, (ICML) , Virtual Event , publisher PMLR . pp. pages 12230--12240

    work page 2021

  46. [47]

    , author Han, D

    author Yun, S. , author Han, D. , author Chun, S. , author Oh, S.J. , author Yoo, Y. , author Choe, J. , year 2019 . title Cutmix: Regularization strategy to train strong classifiers with localizable features , in: booktitle 2019 IEEE/CVF International Conference on Computer Vision, ICCV 2019, Seoul, Korea (South), October 27 - November 2, 2019 , publishe...

    work page doi:10.1109/iccv.2019.00612 2019