Pith. sign in

REVIEW 2 major objections 1 cited by

Reviewed by Pith at T0; open to challenge.

T0 means a machine referee read the full paper against a public rubric. The mark states how deep the mechanical check went, never who wrote it. the ladder, T0–T4 →

T0 review · grok-4.3

Dual-branch optimization in spatial and color domains plus model ensembles produces robust unlearnable examples.

2026-07-01 00:33 UTC pith:YEM54AE6

load-bearing objection DUNE's dual-branch spatial-color optimization with ensemble aggregation gives a measurable robustness bump on the tested defenses, but the gains rest on non-adaptive evaluation. the 2 major comments →

arxiv 2605.01718 v2 pith:YEM54AE6 submitted 2026-05-03 cs.CV

Dual-branch Robust Unlearnable Examples

classification cs.CV
keywords unlearnable examplesdual-branch optimizationperturbation robustnessensemble strategyspatial color domainsCIFAR-10ImageNetdata protection
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents DUNE as a method to generate unlearnable examples that hold up better against defenses. It optimizes perturbations separately in the spatial domain and the color domain while using an ensemble of pre-trained models. This setup maps perturbations to altered labels, pushes models toward learning perturbation-specific features, and increases noise strength. Experiments on CIFAR-10 and ImageNet show lower average test accuracy than twelve prior methods when seven common defenses are applied. The approach matters for any setting where data owners want to block unauthorized model training from their images.

Core claim

DUNE separately optimizes perturbations in the spatial and color domains to establish the mapping between perturbations and shift-induced labels. This design extends the perturbation domain to increase noise intensity for improving robustness and drives the models to learn perturbation-oriented features with degraded generalization, thereby achieving unlearnability. An unlearnability-enhancing ensemble strategy aggregates diverse pre-trained models during the dual-branch optimization, yielding greater robustness than twelve state-of-the-art schemes under seven mainstream defenses on CIFAR-10 and ImageNet.

What carries the argument

Dual-branch perturbation optimization that separately handles spatial and color domains while aggregating an ensemble of pre-trained models during training.

Load-bearing premise

Separately optimizing perturbations in spatial and color domains while using model ensembles during optimization will produce perturbations whose effectiveness holds against defenses beyond the seven tested ones.

What would settle it

A defense outside the seven tested ones that allows models trained on DUNE examples to reach test accuracy comparable to clean-data training would falsify the robustness claim.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Models trained on DUNE-protected samples show lower test accuracy than those using prior unlearnable examples when the same defenses are applied.
  • Separate spatial and color optimization increases the effective intensity of the added perturbations.
  • The ensemble of pre-trained models during optimization improves the transfer of the unlearnable effect across different model architectures.
  • The method is verified to work on both CIFAR-10 and ImageNet under multiple attack scenarios.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Robust unlearnable examples of this form could serve as a practical tool for individuals or organizations to shield image collections from large-scale unauthorized scraping and training.
  • The dual-domain idea might extend naturally to other data types such as audio or video where separate perturbation channels could be defined.
  • Defenders may need to develop countermeasures that jointly consider perturbations across multiple visual domains rather than single-domain attacks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 0 minor

Summary. The paper proposes DUNE, a dual-branch unlearnable ensemble perturbation optimization method. It separately optimizes perturbations in the spatial and color domains while aggregating an ensemble of pre-trained models to map perturbations to shift-induced labels, aiming to increase noise intensity, force learning of perturbation-oriented features, and produce robust unlearnable examples. Extensive experiments on CIFAR-10 and ImageNet are claimed to show that DUNE outperforms 12 SOTA UE schemes under 7 mainstream defenses, with average test accuracies ranging from 14.95% to 50.82%.

Significance. If the reported robustness generalizes beyond the tested defenses and datasets, the dual-branch domain extension combined with ensemble aggregation would constitute a meaningful empirical advance in unlearnable example generation, addressing the limited robustness of prior heuristic or single-domain methods.

major comments (2)
  1. [Abstract] Abstract: the central outperformance claim (lower average test accuracy of 14.95%–50.82% against 7 defenses) is load-bearing for the paper's contribution, yet the abstract provides no information on experimental protocol, statistical tests, error bars, or whether baselines were re-implemented with identical hyperparameters; without these details the data cannot be verified to support the robustness superiority assertion.
  2. [Abstract] The robustness evaluation is restricted to the 7 listed defenses on CIFAR-10/ImageNet. No results are reported for adaptive attacks that (a) know the dual-branch structure, (b) jointly optimize perturbations across both domains, or (c) train victim models outside the ensemble; this omission directly undermines the generalization of the headline claim that the method produces intrinsically robust UEs.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive feedback on our manuscript. We address the two major comments point-by-point below, proposing revisions where they strengthen the presentation without altering the core claims.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the central outperformance claim (lower average test accuracy of 14.95%–50.82% against 7 defenses) is load-bearing for the paper's contribution, yet the abstract provides no information on experimental protocol, statistical tests, error bars, or whether baselines were re-implemented with identical hyperparameters; without these details the data cannot be verified to support the robustness superiority assertion.

    Authors: We agree that the abstract would benefit from additional context on the evaluation protocol. The main text (Section 4.1) details that all 12 baselines were re-implemented using the authors' original code and identical hyperparameters where available, with results averaged over three random seeds and standard deviations reported in Tables 1–4. We will revise the abstract to note that experiments follow the standard UE evaluation protocol with re-implemented baselines and refer readers to the experimental section for full statistical details. revision: yes

  2. Referee: [Abstract] The robustness evaluation is restricted to the 7 listed defenses on CIFAR-10/ImageNet. No results are reported for adaptive attacks that (a) know the dual-branch structure, (b) jointly optimize perturbations across both domains, or (c) train victim models outside the ensemble; this omission directly undermines the generalization of the headline claim that the method produces intrinsically robust UEs.

    Authors: This comment correctly identifies a scope limitation in the robustness evaluation. Our experiments follow the standard protocol used across prior UE works by testing the seven listed defenses; we did not include adaptive attacks that exploit knowledge of the dual-branch design or ensemble. We will add an explicit limitations paragraph in the revised manuscript acknowledging this and framing the reported gains as improvements under established non-adaptive defenses. revision: partial

standing simulated objections not resolved
  • Evaluation against adaptive attacks that know the dual-branch structure, jointly optimize across domains, or train victim models outside the ensemble

Circularity Check

0 steps flagged

No circularity: empirical optimization method validated on external benchmarks

full rationale

The paper describes an empirical procedure (dual-branch spatial/color perturbation optimization plus ensemble aggregation) and reports test accuracies against 12 baselines and 7 defenses on CIFAR-10/ImageNet. No equations, derivations, or first-principles claims appear in the provided text; performance numbers are measured outcomes, not quantities forced by construction from fitted inputs or self-citations. The central claim therefore remains independent of the method's own definitions.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The central claim rests on standard assumptions in adversarial machine learning about the ability of gradient-based optimization to link perturbations to degraded generalization; no new entities are postulated.

free parameters (1)
  • branch balancing hyperparameters
    The dual-branch optimization requires weights or schedules to combine spatial and color perturbations, though values are not stated in the abstract.
axioms (1)
  • domain assumption Perturbations optimized separately in spatial and color domains can establish mappings to shift-induced labels that degrade model generalization
    This premise is invoked to justify extending the perturbation domain for improved robustness.

pith-pipeline@v0.9.1-grok · 5742 in / 1349 out tokens · 38696 ms · 2026-07-01T00:33:36.999804+00:00 · methodology

0 comments
read the original abstract

Unlearnable examples (UEs) aim to compromise model training by injecting imperceptible perturbations to clean samples. However, existing UE schemes exhibit limited robustness against advanced defenses due to their heuristic design or narrowly scoped domain perturbations. To address this, we propose \texttt{DUNE}, a \underline{\textbf{D}}ual-branch \underline{\textbf{UN}}learnable \underline{\textbf{E}}nsemble perturbation optimization approach. Specifically, \texttt{DUNE} separately optimizes perturbations in the spatial and color domains to establish the mapping between perturbations and shift-induced labels. This design extends the perturbation domain to increase noise intensity for improving robustness and drives the models to learn perturbation-oriented features with degraded generalization, thereby achieving unlearnability. To strengthen \texttt{DUNE}'s performance, we further propose an unlearnability-enhancing ensemble strategy that aggregates diverse pre-trained models during the dual-branch optimization. Extensive experiments on benchmark datasets CIFAR-10 and ImageNet verify that \texttt{DUNE}'s robustness outperforms 12 SOTA UE schemes under 7 mainstream defenses, yielding a lower average test accuracy of 14.95% to 50.82%.

Figures

Figures reproduced from arXiv: 2605.01718 by Changsong Jiang, Hangtao Zhang, Li Zeng, Wenbo Pan, Xianlong Wang, Xiaohua Jia, Ziqi Zhou.

Figure 1
Figure 1. Figure 1: Overview of UEs. Existing UE schemes fail to compro￾mise DNNs due to insufficient robustness, whereas our proposed scheme DUNE remains robust under these SOTA defenses. et al., 2025; Sun et al., 2024; Wu et al., 2025) are proposed to make data "unlearnable" for deep learning models via adding imperceptible perturbations to clean images, thereby compromising model performance. At a high level, UEs (Wu et al… view at source ↗
Figure 2
Figure 2. Figure 2: Quantitative UE robustness (in test accuracy, %) under five defenses with CIFAR-10 (Krizhevsky & Hinton, 2009) trained on ResNet18 (He et al., 2016). A point’s proximity to the outer boundary signifies lower UE robustness, highlighting the limited robustness in existing UE schemes. mark datasets and models, demonstrating that DUNE achieves superior robustness over 12 SOTA UE ap￾proaches under both existing… view at source ↗
Figure 4
Figure 4. Figure 4: An intuitive understanding of DUNE’s objective that pushes features toward the shift-induced class in a class-wise way. 2024a), leading to the minimization of Eq. (1)’s expectation term, i.e., UEs lack robustness against defenses. A typical UE design. Beyond achieving UE objectives in Eqs. (1) and (2), several studies (Fu et al., 2022; Sadasivan et al., 2023; Meng et al., 2024) also increase the robustness… view at source ↗
Figure 5
Figure 5. Figure 5: The framework of DUNE. schemes (Huang et al., 2021; Fu et al., 2022; Chen et al., 2023) optimize perturbations within a single domain, which confines them to a limited feature space and causes non￾smooth and locally oscillating structures as shown in [PITH_FULL_IMAGE:figures/full_fig_p004_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: The luminance adjustment effect of applying identical pixel shifts and random pixel shifts to R, G, and B channels. luminance and alternating current (AC) components where spatial perturbations concentrate their energy (Guo et al., 2025). Therefore, to promote orthogonality between dual￾domain perturbations for enhancing robustness, the color branch aims to optimize perturbations for altering luminance tar… view at source ↗
Figure 7
Figure 7. Figure 7: Hyper-parameter sensitivity analysis. The impact of hyperparameters β, T, N, and M on the test accuracy results (%) of the ResNet18 classifier trained on DUNE-generated CIFAR-10 dataset. 10.08% on VGG19, with robustness performance (under AT (Tao et al., 2021), ISS (Liu et al., 2023), COIN (Li et al., 2025)) also reduced by 5.17%-16.29%. These results indi￾cate that UEE module plays a crucial role in impro… view at source ↗
Figure 8
Figure 8. Figure 8: Adaptive defenses. DUNE performance under the two types of adaptive defenses on CIFAR-10. Resistance of DUNE. The robustness of DUNE is evaluated under varying adaptive defense strengths across 4 model architectures, as demonstrated in [PITH_FULL_IMAGE:figures/full_fig_p008_8.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Defending Jailbreak Attacks on Large Language Models via Manifold Trajectory Kinetics

    cs.CR 2026-06 unverdicted novelty 6.0

    MTK detects jailbreaks by monitoring the evolution of prompt neighborhood structures on the data manifold through LLM layers, reporting 95% TPR at 5% FPR on benign and 2% on pseudo-malicious prompts plus 85% TPR under...

Reference graph

Works this paper leans on

13 extracted references · 13 canonical work pages · cited by 1 Pith paper · 2 internal anchors

  1. [1]

    A., Paleka, D., Pearce, W., Anderson, H., Terzis, A., Thomas, K., and Tramèr, F

    Carlini, N., Jagielski, M., Choquette-Choo, C. A., Paleka, D., Pearce, W., Anderson, H., Terzis, A., Thomas, K., and Tramèr, F. Poisoning web-scale training datasets is practical. InPro- ceedings of the 2024 IEEE Symposium on Security and Privacy (S&P’24), pp. 407–425. IEEE,

  2. [2]

    Imagenet: A large-scale hierarchical image database

    Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., and Fei-Fei, L. Imagenet: A large-scale hierarchical image database. In Proceedings of the 2009 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’09), pp. 248–255,

  3. [3]

    M., Erfani, S., and Leckie, C

    Dolatabadi, H. M., Erfani, S., and Leckie, C. The devil’s advocate: Shattering the illusion of unexploitable data using diffusion models.arXiv preprint arXiv:2303.08500,

  4. [4]

    Deep residual learn- ing for image recognition

    He, K., Zhang, X., Ren, S., and Sun, J. Deep residual learn- ing for image recognition. InProceedings of the 2016 IEEE/CVF Conference on Computer Vision and Pattern Recog- nition (CVPR’16), pp. 770–778,

  5. [5]

    Huang, G., Liu, Z., Van Der Maaten, L., and Weinberger, K. Q. Densely connected convolutional networks. InProceedings of the 2017 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’17), pp. 4700–4708,

  6. [6]

    E-LPIPS: Robust Perceptual Image Similarity via Random Transformation Ensembles

    Kettunen, M., Härkönen, E., and Lehtinen, J. E-lpips: robust per- ceptual image similarity via random transformation ensembles. arXiv preprint arXiv:1906.03973,

  7. [7]

    Learning the Unlearnable: Adversarial Augmentations Suppress Unlearnable Example Attacks

    Qin, T., Gao, X., Zhao, J., Ye, K., and Xu, C.-Z. Learning the unlearnable: Adversarial augmentations suppress unlearnable example attacks.arXiv preprint arXiv:2303.15127,

  8. [8]

    S., Soltanolkotabi, M., and Feizi, S

    Sadasivan, V . S., Soltanolkotabi, M., and Feizi, S. Cuda: Convolution-based unlearnable datasets. InProceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’23), pp. 3862–3871,

  9. [9]

    Df-logit: Data- free logic-gated backdoor attacks in vision transformers.arXiv preprint arXiv:2602.03040,

    Shen, X., Cai, Y ., Ning, R., Xin, C., and Wu, H. Df-logit: Data- free logic-gated backdoor attacks in vision transformers.arXiv preprint arXiv:2602.03040,

  10. [10]

    Very Deep Convolutional Networks for Large-Scale Image Recognition

    Simonyan, K. and Zisserman, A. Very deep convolutional networks for large-scale image recognition.arXiv preprint arXiv:1409.1556,

  11. [11]

    Tro- janrobot: Physical-world backdoor attacks against vlm-based robotic manipulation,

    Wang, X., Hu, S., Zhang, Y ., Zhou, Z., Zhang, L. Y ., Xu, P., Wan, W., and Jin, H. Eclipse: Expunging clean-label indiscriminate poisons via sparse diffusion purification. InProceedings of the 29th European Symposium on Research in Computer Security (ESORICS’24), 2024a. Wang, X., Li, M., Liu, W., Zhang, H., Hu, S., Zhang, Y ., Zhou, Z., and Jin, H. Unlea...

  12. [12]

    Yu, Y ., Wang, Y ., Xia, S., Yang, W., Lu, S., Tan, Y .-P., and Kot, A. C. Purify unlearnable examples via rate-constrained varia- tional autoencoders.arXiv preprint arXiv:2405.01460, 2024a. Yu, Y ., Zheng, Q., Yang, S., Yang, W., Liu, J., Lu, S., Tan, Y .-P., Lam, K.-Y ., and Kot, A. Unlearnable examples detection via iterative filtering. InProceedings o...

  13. [13]

    Detector collapse: Physical-world backdooring object detection to catas- trophic overload or blindness in autonomous driving,

    Zhang, H., Hu, S., Wang, Y ., Zhang, L. Y ., Zhou, Z., Wang, X., Zhang, Y ., and Chen, C. Detector collapse: Backdooring object detection to catastrophic overload or blindness.arXiv preprint arXiv:2404.11357,