pith. machine review for the scientific record. sign in

arxiv: 2605.05224 · v1 · submitted 2026-04-18 · 💻 cs.LG · cs.AI· cs.CR

Recognition: unknown

Channel-Level Semantic Perturbations: Unlearnable Examples for Diverse Training Paradigms

Bo Wang , Jia Ni , Mengnan Zhao , Zhan Qin , Kui Ren
Authors on Pith no claims yet

Pith reviewed 2026-05-10 07:02 UTC · model grok-4.3

classification 💻 cs.LG cs.AIcs.CR
keywords unlearnable examplespretraining-finetuningsemantic perturbationsdata privacyadversarial examplesmachine learning securitytransfer learning
0
0 comments X

The pith

Confining unlearnable-example perturbations to a semantically valid subspace preserves their effectiveness when models load and freeze pretrained weights.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines why prior unlearnable examples lose their protective power once training shifts to the common pretraining-then-finetuning workflow. It identifies semantic filtering as the cause: frozen shallow layers from pretraining preserve the original data semantics and discard the distracting noise that earlier methods rely on. The authors therefore develop a generation process that produces perturbations only inside channels that already carry valid semantic content. This keeps the deceptive signal from being stripped away even when early layers remain frozen or when pretraining itself emphasizes semantics.

Core claim

Existing unlearnable examples fail under pretraining-finetuning because frozen pretrained shallow layers filter out non-semantic noise while retaining data semantics. Shallow Semantic Camouflage counters this by restricting perturbation generation to a semantically valid subspace, so the added signal survives the filtering and continues to obstruct feature learning across from-scratch training, shallow-layer freezing, and semantic-focused pretraining.

What carries the argument

Shallow Semantic Camouflage (SSC), a hierarchical deception strategy that confines perturbation generation to a semantically valid subspace.

If this is right

  • Unlearnable examples become usable against models that rely on pretrained backbones with frozen early layers.
  • Data owners can protect samples even when attackers employ semantic-focused pretraining before finetuning.
  • The same channel-level semantic confinement works for both shallow-layer freezing and full pretrain-finetune pipelines.
  • Performance of the protected data stays low across multiple challenging training setups that previously defeated prior methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Perturbation design may need to be matched to the specific hierarchy of features already learned by common pretrained networks.
  • The same subspace-restriction idea could be tested on other transfer-learning regimes such as self-supervised pretraining on unlabeled data.
  • Data-protection tools might eventually require users to specify which pretrained model an adversary is likely to start from.

Load-bearing premise

Semantic filtering by frozen pretrained shallow layers is the dominant reason prior unlearnable examples fail, and restricting perturbations to a semantically valid subspace will evade that filtering.

What would settle it

Train a model with its shallow layers frozen on data protected by the proposed perturbations and measure downstream test accuracy; accuracy near that of clean data would show the unlearnability was not preserved.

Figures

Figures reproduced from arXiv: 2605.05224 by Bo Wang, Jia Ni, Kui Ren, Mengnan Zhao, Zhan Qin.

Figure 1
Figure 1. Figure 1: Protection effect of UEs against unauthorized use. To [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Evaluation of cross-weight robustness in black-box set [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 4
Figure 4. Figure 4: Perturbation transmission analysis. Solid bars represent [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Illustration of the Semantic Filtering Effect. This figure [PITH_FULL_IMAGE:figures/full_fig_p006_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Spectral analysis of UEs. (a) Radial PSD of various examples, where the [PITH_FULL_IMAGE:figures/full_fig_p007_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Overview of the proposed Hierarchical Deception framework via Shallow Semantic Camouflage. After creating noise [PITH_FULL_IMAGE:figures/full_fig_p008_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Feature perturbation responses in shallow layers of [PITH_FULL_IMAGE:figures/full_fig_p011_9.png] view at source ↗
read the original abstract

The unauthorized use of personal data in model training has emerged as a growing privacy threat. Unlearnable examples (UEs) address this issue by embedding imperceptible perturbations into benign examples to obstruct feature learning. However, existing studies mainly evaluate UEs under from-scratch training settings, leaving their behavior under the widely adopted pretraining-finetuning (PF) paradigm largely unexplored. In this work, we provide the first systematic investigation of unlearnable examples across diverse training paradigms. Our analysis reveals that loading and freezing pretrained weights significantly weakens the effectiveness of existing UEs methods. We further explain these findings through semantic filtering: while UEs tend to induce models to overfit non-semantic noise, thereby weakening their semantic extraction capabilities, under the PF paradigm, frozen shallow layers preserve data semantics, effectively filtering out distracting information like unlearnable noise. Guided by these insights, we propose a hierarchical deception strategy, Shallow Semantic Camouflage (SSC), that confines the generation process to a semantically valid subspace, aiming to bypass the semantic suppression introduced by pretrained weights. Extensive experiments demonstrate that our method consistently preserves data unlearnability even under challenging training paradigms, such as shallow-layer freezing and semantic-focused pretraining (SF-Pretrain), bridging the critical gap in pretrain-based unlearnable learning.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that existing unlearnable examples (UEs) lose effectiveness under pretraining-finetuning (PF) paradigms because frozen pretrained shallow layers perform semantic filtering that discards non-semantic noise. It proposes Shallow Semantic Camouflage (SSC), a hierarchical deception strategy that confines perturbation generation to a semantically valid subspace to bypass this filtering. Extensive experiments are said to demonstrate that SSC preserves data unlearnability under PF settings including shallow-layer freezing and semantic-focused pretraining (SF-Pretrain).

Significance. If validated, the work would be significant for extending UE research beyond from-scratch training to the dominant PF paradigm, addressing a practical gap in protecting personal data from unauthorized use in pretrained models. The semantic filtering insight and SSC method could guide more robust privacy defenses if the causal mechanism is isolated and the approach generalizes.

major comments (2)
  1. [Analysis of findings (preceding §4)] The central claim that semantic filtering is the primary cause of UE failure under PF lacks isolating controls. Experiments compare PF versus from-scratch training but do not ablate other PF-specific factors (e.g., optimization landscape conditioning, gradient magnitudes through frozen layers, or pretraining statistics), leaving the causal explanation under-supported even if SSC shows empirical gains.
  2. [§4 (SSC proposal)] The SSC method description does not specify how the semantically valid subspace is constructed or enforced (e.g., via particular loss terms, channel-level constraints, or projection steps), making it difficult to assess whether it truly bypasses semantic suppression or simply alters perturbation statistics.
minor comments (2)
  1. [Title and Abstract] The title refers to 'Channel-Level Semantic Perturbations' while the abstract and text emphasize 'Shallow Semantic Camouflage (SSC)'; clarify the precise relationship and whether channel-level operations are the core mechanism.
  2. [Abstract] The abstract states 'extensive experiments' but provides no metrics, baselines, or ablation tables; ensure the full experimental section includes quantitative results, statistical significance, and controls for the PF variants tested.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the thoughtful and detailed comments, which highlight important areas for strengthening the causal claims and methodological clarity in our work. We address each major comment below and have planned revisions to the manuscript accordingly.

read point-by-point responses

  1. Referee: [Analysis of findings (preceding §4)] The central claim that semantic filtering is the primary cause of UE failure under PF lacks isolating controls. Experiments compare PF versus from-scratch training but do not ablate other PF-specific factors (e.g., optimization landscape conditioning, gradient magnitudes through frozen layers, or pretraining statistics), leaving the causal explanation under-supported even if SSC shows empirical gains.

    Authors: We agree that our primary experimental contrast between PF and from-scratch training, while demonstrating a consistent degradation in UE effectiveness under frozen pretrained weights, does not fully isolate semantic filtering from other potential PF-specific factors such as changes in the optimization landscape or gradient magnitudes. This is a fair observation on the strength of the causal evidence. In the revised manuscript, we will add targeted ablations that examine gradient flow through frozen layers and variations in pretraining statistics to better support the semantic filtering explanation. revision: yes

  2. Referee: [§4 (SSC proposal)] The SSC method description does not specify how the semantically valid subspace is constructed or enforced (e.g., via particular loss terms, channel-level constraints, or projection steps), making it difficult to assess whether it truly bypasses semantic suppression or simply alters perturbation statistics.

    Authors: We appreciate the feedback on the need for greater specificity in the SSC description. The current manuscript introduces the idea of confining perturbations to a semantically valid subspace but does not provide sufficient detail on its construction or enforcement. We will revise §4 to include an explicit description of the subspace construction process, including any channel-level constraints, loss terms, or projection mechanisms used, along with pseudocode where appropriate. This will clarify the method's operation and distinguish it from mere statistical changes. revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivation relies on empirical observation and external validation

full rationale

The paper begins with an empirical observation that existing UEs weaken under PF paradigms, offers an interpretive explanation via semantic filtering (not a mathematical derivation), and introduces SSC as a heuristic response. No equations, parameter fits, or self-citations are shown to reduce the central claim to a tautology or renamed input. The method's effectiveness is asserted via experiments rather than by construction from its own definitions. This is the common case of a self-contained empirical paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract provides insufficient technical detail to identify specific free parameters, axioms, or invented entities. The SSC method likely involves hyperparameters for channel-level perturbation generation and semantic subspace constraints, but none are named or quantified here.

pith-pipeline@v0.9.0 · 5541 in / 1104 out tokens · 53968 ms · 2026-05-10T07:02:55.381518+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

55 extracted references · 8 canonical work pages · 3 internal anchors

  1. [1]

    Imagenet: A large-scale hierarchical image database,

    J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, “Imagenet: A large-scale hierarchical image database,” in2009 IEEE conference on computer vision and pattern recognition. Ieee, 2009, pp. 248–255

    2009

  2. [2]

    A style-based generator architecture for generative adversarial networks,

    T. Karras, S. Laine, and T. Aila, “A style-based generator architecture for generative adversarial networks,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp. 4401– 4410

    2019

  3. [3]

    A Common Pool of Privacy Problems: Legal and Technical Lessons from a Large-Scale Web-Scraped Machine Learning Dataset

    R. Hong, J. A. Hutson, W. Agnew, I. Huda, T. Kohno, and J. Morgen- stern, “A common pool of privacy problems: Legal and technical lessons from a large-scale web-scraped machine learning dataset,”ArXiv, vol. abs/2506.17185, 2025

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  4. [4]

    Big web data: Challenges related to data, technology, legality, and ethics,

    V . Krotov and L. Johnson, “Big web data: Challenges related to data, technology, legality, and ethics,”Business Horizons, 2022

    2022

  5. [5]

    The right to scrap data on the internet: From the us case hiqlabs, inc. v. linkedin corp. to the chatgpt scraping cases: Differences between us and eu law,

    J. T. de Silva y L ´opez de Letona, “The right to scrap data on the internet: From the us case hiqlabs, inc. v. linkedin corp. to the chatgpt scraping cases: Differences between us and eu law,”Global Privacy Law Review, 2024

    2024

  6. [6]

    Diffusion art or digital forgery? investigating data replication in diffu- sion models,

    G. Somepalli, V . Singla, M. Goldblum, J. Geiping, and T. Goldstein, “Diffusion art or digital forgery? investigating data replication in diffu- sion models,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2023, pp. 6048–6058

    2023

  7. [7]

    Privacyasst: Safeguarding user privacy in tool-using large language model agents,

    X. Zhang, H. Xu, Z. Ba, Z. Wang, Y . Hong, J. Liu, Z. Qin, and K. Ren, “Privacyasst: Safeguarding user privacy in tool-using large language model agents,”IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 6, pp. 5242–5258, 2024

    2024

  8. [8]

    Bag of tricks for training data extraction from language models,

    W. Yu, T. Pang, Q. Liu, C. Du, B. Kang, Y . Huang, M. Lin, and S. Yan, “Bag of tricks for training data extraction from language models,”ArXiv, vol. abs/2302.04460, 2023

    work page arXiv 2023

  9. [9]

    Deduplicating training data makes language models better,

    K. Lee, D. Ippolito, A. Nystrom, C. Zhang, D. Eck, C. Callison-Burch, and N. Carlini, “Deduplicating training data makes language models better,” pp. 8424–8445, 2021. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 13

    2021

  10. [10]

    “do you know you are tracked by photos that you didn’t take

    J. Morris, S. Newman, K. Palaniappan, J. Fan, and D. Lin, ““do you know you are tracked by photos that you didn’t take”: Large-scale location-aware multi-party image privacy protection,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 1, pp. 301–312, 2023

    2023

  11. [11]

    Training data extraction from pre-trained language models: A survey,

    S. Ishihara, “Training data extraction from pre-trained language models: A survey,”ArXiv, vol. abs/2305.16157, 2023

    work page arXiv 2023

  12. [12]

    Re- construction of differentially private text sanitization via large language models,

    S. Pang, Z. Lu, H. Wang, P. Fu, Y . Zhou, M. Xue, and B. Li, “Re- construction of differentially private text sanitization via large language models,”2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), pp. 1–17, 2024

    2025

  13. [13]

    Analyzing leakage of personally identifiable information in language models,

    N. Lukas, A. Salem, R. Sim, S. Tople, L. Wutschitz, and S. Zanella- B’eguelin, “Analyzing leakage of personally identifiable information in language models,”2023 IEEE Symposium on Security and Privacy (SP), pp. 346–363, 2023

    2023

  14. [14]

    The double-edged sword of llm-based data reconstruction: Understanding and mitigating contextual vulnerability in word-level differential privacy text sanitization,

    S. Meisenbacher, A. Klymenko, A. Bodea, and F. Matthes, “The double-edged sword of llm-based data reconstruction: Understanding and mitigating contextual vulnerability in word-level differential privacy text sanitization,”Proceedings of the 24th Workshop on Privacy in the Electronic Society, 2025

    2025

  15. [15]

    When unlearnable examples cooperate with watermarking: A dual voice data protection against unauthorized exploitation,

    Y . Ge, R. Gu, Y . Liu, L. Zhao, B. Du, and Q. Wang, “When unlearnable examples cooperate with watermarking: A dual voice data protection against unauthorized exploitation,”IEEE Transactions on Dependable and Secure Computing, pp. 1–18, 2025

    2025

  16. [16]

    Semantic deep hiding for robust unlearnable examples,

    R. Meng, C. Yi, Y . Yu, S. Yang, B. Shen, and A. C. Kot, “Semantic deep hiding for robust unlearnable examples,”IEEE Transactions on Information Forensics and Security, vol. 19, pp. 6545–6558, 2024

    2024

  17. [17]

    Provably unlearnable data examples,

    D. Wang, M. Xue, B. Li, S. Camtepe, and L. Zhu, “Provably unlearnable data examples,” inThe Network and Distributed System Security (NDSS) Symposium, 2025

    2025

  18. [18]

    Multimodal unlearnable examples: Protecting data against multimodal contrastive learning,

    A. F. N. Wanget al., “Multimodal unlearnable examples: Protecting data against multimodal contrastive learning,” inProceedings of the 32nd ACM International Conference on Multimedia. ACM, 2024, p. [page range]

    2024

  19. [19]

    Invisible backdoor attacks on deep neural networks via steganography and regularization,

    S. Li, M. Xue, B. Z. H. Zhao, H. Zhu, and X. Zhang, “Invisible backdoor attacks on deep neural networks via steganography and regularization,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 5, pp. 2088–2105, 2021

    2088

  20. [20]

    Unlearnable examples: Making personal data unexploitable,

    H. Huang, X. Ma, S. M. Erfani, J. Bailey, and Y . Wang, “Unlearnable examples: Making personal data unexploitable,” inInternational Con- ference on Learning Representations, 2021

    2021

  21. [21]

    Adversarial examples make strong poisons,

    L. Fowl, M. Goldblum, P.-Y . Chiang, J. Geiping, W. Czaja, and T. Goldstein, “Adversarial examples make strong poisons,” inAdvances in Neural Information Processing Systems, vol. 34, 2021, pp. 30 339– 30 351

    2021

  22. [22]

    What can we learn from unlearnable datasets?

    P. Sandoval-Segura, V . Singla, J. Geiping, M. Goldblum, and T. Gold- stein, “What can we learn from unlearnable datasets?”Advances in Neural Information Processing Systems, vol. 36, pp. 75 372–75 391, 2023

    2023

  23. [23]

    Towards robust rain removal against adversarial attacks: A comprehensive benchmark analysis and beyond,

    Y . Yu, W. Yang, Y .-P. Tan, and A. C. Kot, “Towards robust rain removal against adversarial attacks: A comprehensive benchmark analysis and beyond,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, pp. 6013–6022

    2022

  24. [24]

    Apmsa: Adversarial perturbation against model stealing attacks,

    J. Zhang, S. Peng, Y . Gao, Z. Zhang, and Q. Hong, “Apmsa: Adversarial perturbation against model stealing attacks,”IEEE Transactions on Information Forensics and Security, vol. 18, pp. 1667–1679, 2023

    2023

  25. [25]

    Information-containing adversarial perturbation for combating facial manipulation systems,

    Y . Zhu, Y . Chen, X. Li, R. Zhang, X. Tian, B. Zheng, and Y . Chen, “Information-containing adversarial perturbation for combating facial manipulation systems,”IEEE Transactions on Information Forensics and Security, vol. 18, pp. 2046–2059, 2023

    2046

  26. [26]

    Robust proxy: Improving adversarial robustness by robust proxy learning,

    H. J. Lee and Y . M. Ro, “Robust proxy: Improving adversarial robustness by robust proxy learning,”IEEE Transactions on Information Forensics and Security, vol. 18, pp. 4021–4033, 2023

    2023

  27. [27]

    Robust unlearnable examples: Protecting data privacy against adversarial learning,

    S. Fu, F. He, Y . Liu, L. Shen, and D. Tao, “Robust unlearnable examples: Protecting data privacy against adversarial learning,” inInternational Conference on Learning Representations, 2022

    2022

  28. [28]

    Fooling adversarial training with inducing noise,

    Z. Wang, Y . Wang, and Y . Wang, “Fooling adversarial training with inducing noise,”arXiv preprint arXiv:2111.10130, 2021

    work page arXiv 2021

  29. [29]

    Is adversarial training really a silver bullet for mitigating data poisoning?

    R. Wen, Z. Zhao, Z. Liu, M. Backes, T. Wang, and Y . Zhang, “Is adversarial training really a silver bullet for mitigating data poisoning?” inThe Eleventh International Conference on Learning Representations, 2023

    2023

  30. [30]

    Stable unlearnable example: Enhancing the robustness of unlearnable examples via stable error-minimizing noise,

    Y . Liu, K. Xu, X. Chen, and L. Sun, “Stable unlearnable example: Enhancing the robustness of unlearnable examples via stable error-minimizing noise,” 2023. [Online]. Available: https: //arxiv.org/abs/2311.13091

    work page arXiv 2023

  31. [31]

    How well do sparse imagenet models transfer?

    E. Iofinova, A. Peste, M. Kurtz, and D. Alistarh, “How well do sparse imagenet models transfer?” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, pp. 12 266–12 276

    2022

  32. [32]

    Indiscriminate data poisoning attacks on pre-trained feature extractors,

    Y . Lu, M. Y . Yang, G. Kamath, and Y . Yu, “Indiscriminate data poisoning attacks on pre-trained feature extractors,” in2024 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML). IEEE, 2024, pp. 327–343

    2024

  33. [33]

    Game-theoretic unlearnable example generator,

    S. Liu, Y . Wang, and X.-S. Gao, “Game-theoretic unlearnable example generator,” inProceedings of the AAAI Conference on Artificial Intelli- gence, vol. 38, no. 19, 2024, pp. 21 349–21 358

    2024

  34. [34]

    Neural tangent generalization attacks,

    C.-H. Yuan and S.-H. Wu, “Neural tangent generalization attacks,” in International Conference on Machine Learning. PMLR, 2021, pp. 12 230–12 240

    2021

  35. [35]

    Autoregressive perturbations for data poisoning,

    P. Sandoval-Segura, V . Singla, J. Geiping, M. Goldblum, T. Goldstein, and D. Jacobs, “Autoregressive perturbations for data poisoning,”Ad- vances in Neural Information Processing Systems, vol. 35, pp. 27 374– 27 386, 2022

    2022

  36. [36]

    Versatile transferable unlearnable example generator,

    Z. Li, J. Cai, G. Xu, H. Zheng, Q. Li, F. Zhou, S. Yang, C. Ling, and B. Wang, “Versatile transferable unlearnable example generator,” in The Thirty-ninth Annual Conference on Neural Information Processing Systems, 2025

    2025

  37. [37]

    Image shortcut squeezing: Coun- tering perturbative availability poisons with compression,

    Z. Liu, Z. Zhao, and M. A. Larson, “Image shortcut squeezing: Coun- tering perturbative availability poisons with compression,” pp. 22 473– 22 487, 2023

    2023

  38. [38]

    An overview of jpeg2000,

    M. W. Marcellin, M. J. Gormish, A. Bilgin, and M. P. Boliek, “An overview of jpeg2000,” inProceedings DCC 2000. Data Compression Conference. IEEE, 2000, pp. 523–541

    2000

  39. [39]

    Learning the unlearn- able: Adversarial augmentations suppress unlearnable example attacks,

    T. Qin, X. Gao, J. Zhao, K. Ye, and C.-Z. Xu, “Learning the unlearnable: Adversarial augmentations suppress unlearnable example attacks,”arXiv preprint arXiv:2303.15127, 2023

    work page arXiv 2023

  40. [40]

    Towards deep learning models resistant to adversarial attacks,

    A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” inInternational conference on learning representations, 2018

    2018

  41. [41]

    mixup: Beyond empirical risk minimization,

    H. Zhang, M. Ciss ´e, Y . N. Dauphin, and D. Lopez-Paz, “mixup: Beyond empirical risk minimization,” inProceedings of the 6th International Conference on Learning Representations, 2018

    2018

  42. [42]

    Cutmix: Reg- ularization strategy to train strong classifiers with localizable features,

    S. Yun, D. Han, S. Chun, S. J. Oh, Y . Yoo, and J. Choe, “Cutmix: Reg- ularization strategy to train strong classifiers with localizable features,” inProceedings of the IEEE/CVF International Conference on Computer Vision, 2019, pp. 6022–6031

    2019

  43. [43]

    Improved Regularization of Convolutional Neural Networks with Cutout

    T. Devries and G. W. Taylor, “Improved regularization of convolutional neural networks with cutout,” inCoRR, vol. abs/1708.04552, 2017

    work page internal anchor Pith review arXiv 2017

  44. [44]

    What can we learn from unlearnable datasets?

    P. Sandoval-Segura, S. Singla, J. Geiping, M. Goldblum, and T. Gold- stein, “What can we learn from unlearnable datasets?”Advances in Neural Information Processing Systems, vol. 36, 2024

    2024

  45. [45]

    Purify unlearnable examples via rate-constrained variational autoencoders,

    Y . Yu, Y . Wang, S. Xia, W. Yang, S. Lu, Y .-P. Tan, and A. C. Kot, “Purify unlearnable examples via rate-constrained variational autoencoders,” in International Conference on Machine Learning, 2024

    2024

  46. [46]

    The devil’s advocate: Shattering the illusion of unexploitable data using diffusion models,

    H. M. Dolatabadi, S. Erfani, and C. Leckie, “The devil’s advocate: Shattering the illusion of unexploitable data using diffusion models,” in 2024 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2024, pp. 358–386

    2024

  47. [47]

    Diffusion models for adversarial purification,

    W. Nie, B. Guo, Y . Huang, C. Xiao, A. Vahdat, and A. Anandkumar, “Diffusion models for adversarial purification,” inInternational Confer- ence on Machine Learning (ICML), 2022

    2022

  48. [48]

    Pridm: Effective and universal private data recovery via diffusion models,

    S. Pang, Y . Rao, Z. Lu, H. Wang, Y . Zhou, and M. Xue, “Pridm: Effective and universal private data recovery via diffusion models,”IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 4, pp. 3259–3274, 2025

    2025

  49. [49]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky, G. Hintonet al., “Learning multiple layers of features from tiny images,” 2009

    2009

  50. [50]

    Tiny imagenet visual recognition challenge,

    Y . Le and X. Yang, “Tiny imagenet visual recognition challenge,”CS 231N, vol. 7, no. 7, p. 3, 2015

    2015

  51. [51]

    Deep residual learning for image recognition,

    K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” inProceedings of the IEEE conference on computer vision and pattern recognition, 2016, pp. 770–778

    2016

  52. [52]

    Deep residual learning for image recognition,

    ——, “Deep residual learning for image recognition,” inProceedings of the IEEE conference on computer vision and pattern recognition, 2016, pp. 770–778

    2016

  53. [53]

    Densely connected convolutional networks,

    G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger, “Densely connected convolutional networks,” inProceedings of the IEEE confer- ence on computer vision and pattern recognition, 2017, pp. 4700–4708

    2017

  54. [54]

    Very Deep Convolutional Networks for Large-Scale Image Recognition

    K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,”arXiv preprint arXiv:1409.1556, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  55. [55]

    Availability attacks create shortcuts,

    D. Yu, H. Zhang, W. Chen, J. Yin, and T.-Y . Liu, “Availability attacks create shortcuts,” inProceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2022, pp. 2367–2376

    2022