Dual-branch Robust Unlearnable Examples
Pith reviewed 2026-07-01 00:33 UTC · model grok-4.3
The pith
Dual-branch optimization in spatial and color domains plus model ensembles produces robust unlearnable examples.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
DUNE separately optimizes perturbations in the spatial and color domains to establish the mapping between perturbations and shift-induced labels. This design extends the perturbation domain to increase noise intensity for improving robustness and drives the models to learn perturbation-oriented features with degraded generalization, thereby achieving unlearnability. An unlearnability-enhancing ensemble strategy aggregates diverse pre-trained models during the dual-branch optimization, yielding greater robustness than twelve state-of-the-art schemes under seven mainstream defenses on CIFAR-10 and ImageNet.
What carries the argument
Dual-branch perturbation optimization that separately handles spatial and color domains while aggregating an ensemble of pre-trained models during training.
If this is right
- Models trained on DUNE-protected samples show lower test accuracy than those using prior unlearnable examples when the same defenses are applied.
- Separate spatial and color optimization increases the effective intensity of the added perturbations.
- The ensemble of pre-trained models during optimization improves the transfer of the unlearnable effect across different model architectures.
- The method is verified to work on both CIFAR-10 and ImageNet under multiple attack scenarios.
Where Pith is reading between the lines
- Robust unlearnable examples of this form could serve as a practical tool for individuals or organizations to shield image collections from large-scale unauthorized scraping and training.
- The dual-domain idea might extend naturally to other data types such as audio or video where separate perturbation channels could be defined.
- Defenders may need to develop countermeasures that jointly consider perturbations across multiple visual domains rather than single-domain attacks.
Load-bearing premise
Separately optimizing perturbations in spatial and color domains while using model ensembles during optimization will produce perturbations whose effectiveness holds against defenses beyond the seven tested ones.
What would settle it
A defense outside the seven tested ones that allows models trained on DUNE examples to reach test accuracy comparable to clean-data training would falsify the robustness claim.
Figures
read the original abstract
Unlearnable examples (UEs) aim to compromise model training by injecting imperceptible perturbations to clean samples. However, existing UE schemes exhibit limited robustness against advanced defenses due to their heuristic design or narrowly scoped domain perturbations. To address this, we propose \texttt{DUNE}, a \underline{\textbf{D}}ual-branch \underline{\textbf{UN}}learnable \underline{\textbf{E}}nsemble perturbation optimization approach. Specifically, \texttt{DUNE} separately optimizes perturbations in the spatial and color domains to establish the mapping between perturbations and shift-induced labels. This design extends the perturbation domain to increase noise intensity for improving robustness and drives the models to learn perturbation-oriented features with degraded generalization, thereby achieving unlearnability. To strengthen \texttt{DUNE}'s performance, we further propose an unlearnability-enhancing ensemble strategy that aggregates diverse pre-trained models during the dual-branch optimization. Extensive experiments on benchmark datasets CIFAR-10 and ImageNet verify that \texttt{DUNE}'s robustness outperforms 12 SOTA UE schemes under 7 mainstream defenses, yielding a lower average test accuracy of 14.95% to 50.82%.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes DUNE, a dual-branch unlearnable ensemble perturbation optimization method. It separately optimizes perturbations in the spatial and color domains while aggregating an ensemble of pre-trained models to map perturbations to shift-induced labels, aiming to increase noise intensity, force learning of perturbation-oriented features, and produce robust unlearnable examples. Extensive experiments on CIFAR-10 and ImageNet are claimed to show that DUNE outperforms 12 SOTA UE schemes under 7 mainstream defenses, with average test accuracies ranging from 14.95% to 50.82%.
Significance. If the reported robustness generalizes beyond the tested defenses and datasets, the dual-branch domain extension combined with ensemble aggregation would constitute a meaningful empirical advance in unlearnable example generation, addressing the limited robustness of prior heuristic or single-domain methods.
major comments (2)
- [Abstract] Abstract: the central outperformance claim (lower average test accuracy of 14.95%–50.82% against 7 defenses) is load-bearing for the paper's contribution, yet the abstract provides no information on experimental protocol, statistical tests, error bars, or whether baselines were re-implemented with identical hyperparameters; without these details the data cannot be verified to support the robustness superiority assertion.
- [Abstract] The robustness evaluation is restricted to the 7 listed defenses on CIFAR-10/ImageNet. No results are reported for adaptive attacks that (a) know the dual-branch structure, (b) jointly optimize perturbations across both domains, or (c) train victim models outside the ensemble; this omission directly undermines the generalization of the headline claim that the method produces intrinsically robust UEs.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on our manuscript. We address the two major comments point-by-point below, proposing revisions where they strengthen the presentation without altering the core claims.
read point-by-point responses
-
Referee: [Abstract] Abstract: the central outperformance claim (lower average test accuracy of 14.95%–50.82% against 7 defenses) is load-bearing for the paper's contribution, yet the abstract provides no information on experimental protocol, statistical tests, error bars, or whether baselines were re-implemented with identical hyperparameters; without these details the data cannot be verified to support the robustness superiority assertion.
Authors: We agree that the abstract would benefit from additional context on the evaluation protocol. The main text (Section 4.1) details that all 12 baselines were re-implemented using the authors' original code and identical hyperparameters where available, with results averaged over three random seeds and standard deviations reported in Tables 1–4. We will revise the abstract to note that experiments follow the standard UE evaluation protocol with re-implemented baselines and refer readers to the experimental section for full statistical details. revision: yes
-
Referee: [Abstract] The robustness evaluation is restricted to the 7 listed defenses on CIFAR-10/ImageNet. No results are reported for adaptive attacks that (a) know the dual-branch structure, (b) jointly optimize perturbations across both domains, or (c) train victim models outside the ensemble; this omission directly undermines the generalization of the headline claim that the method produces intrinsically robust UEs.
Authors: This comment correctly identifies a scope limitation in the robustness evaluation. Our experiments follow the standard protocol used across prior UE works by testing the seven listed defenses; we did not include adaptive attacks that exploit knowledge of the dual-branch design or ensemble. We will add an explicit limitations paragraph in the revised manuscript acknowledging this and framing the reported gains as improvements under established non-adaptive defenses. revision: partial
- Evaluation against adaptive attacks that know the dual-branch structure, jointly optimize across domains, or train victim models outside the ensemble
Circularity Check
No circularity: empirical optimization method validated on external benchmarks
full rationale
The paper describes an empirical procedure (dual-branch spatial/color perturbation optimization plus ensemble aggregation) and reports test accuracies against 12 baselines and 7 defenses on CIFAR-10/ImageNet. No equations, derivations, or first-principles claims appear in the provided text; performance numbers are measured outcomes, not quantities forced by construction from fitted inputs or self-citations. The central claim therefore remains independent of the method's own definitions.
Axiom & Free-Parameter Ledger
free parameters (1)
- branch balancing hyperparameters
axioms (1)
- domain assumption Perturbations optimized separately in spatial and color domains can establish mappings to shift-induced labels that degrade model generalization
Forward citations
Cited by 1 Pith paper
-
Defending Jailbreak Attacks on Large Language Models via Manifold Trajectory Kinetics
MTK detects jailbreaks by monitoring the evolution of prompt neighborhood structures on the data manifold through LLM layers, reporting 95% TPR at 5% FPR on benign and 2% on pseudo-malicious prompts plus 85% TPR under...
Reference graph
Works this paper leans on
-
[1]
A., Paleka, D., Pearce, W., Anderson, H., Terzis, A., Thomas, K., and Tramèr, F
Carlini, N., Jagielski, M., Choquette-Choo, C. A., Paleka, D., Pearce, W., Anderson, H., Terzis, A., Thomas, K., and Tramèr, F. Poisoning web-scale training datasets is practical. InPro- ceedings of the 2024 IEEE Symposium on Security and Privacy (S&P’24), pp. 407–425. IEEE,
2024
-
[2]
Imagenet: A large-scale hierarchical image database
Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., and Fei-Fei, L. Imagenet: A large-scale hierarchical image database. In Proceedings of the 2009 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’09), pp. 248–255,
2009
-
[3]
Dolatabadi, H. M., Erfani, S., and Leckie, C. The devil’s advocate: Shattering the illusion of unexploitable data using diffusion models.arXiv preprint arXiv:2303.08500,
-
[4]
Deep residual learn- ing for image recognition
He, K., Zhang, X., Ren, S., and Sun, J. Deep residual learn- ing for image recognition. InProceedings of the 2016 IEEE/CVF Conference on Computer Vision and Pattern Recog- nition (CVPR’16), pp. 770–778,
2016
-
[5]
Huang, G., Liu, Z., Van Der Maaten, L., and Weinberger, K. Q. Densely connected convolutional networks. InProceedings of the 2017 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’17), pp. 4700–4708,
2017
-
[6]
E-LPIPS: Robust Perceptual Image Similarity via Random Transformation Ensembles
Kettunen, M., Härkönen, E., and Lehtinen, J. E-lpips: robust per- ceptual image similarity via random transformation ensembles. arXiv preprint arXiv:1906.03973,
work page internal anchor Pith review Pith/arXiv arXiv 1906
-
[7]
Qin, T., Gao, X., Zhao, J., Ye, K., and Xu, C.-Z. Learning the unlearnable: Adversarial augmentations suppress unlearnable example attacks.arXiv preprint arXiv:2303.15127,
-
[8]
S., Soltanolkotabi, M., and Feizi, S
Sadasivan, V . S., Soltanolkotabi, M., and Feizi, S. Cuda: Convolution-based unlearnable datasets. InProceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’23), pp. 3862–3871,
2023
-
[9]
Shen, X., Cai, Y ., Ning, R., Xin, C., and Wu, H. Df-logit: Data- free logic-gated backdoor attacks in vision transformers.arXiv preprint arXiv:2602.03040,
-
[10]
Very Deep Convolutional Networks for Large-Scale Image Recognition
Simonyan, K. and Zisserman, A. Very deep convolutional networks for large-scale image recognition.arXiv preprint arXiv:1409.1556,
work page internal anchor Pith review Pith/arXiv arXiv
-
[11]
Tro- janrobot: Physical-world backdoor attacks against vlm-based robotic manipulation,
Wang, X., Hu, S., Zhang, Y ., Zhou, Z., Zhang, L. Y ., Xu, P., Wan, W., and Jin, H. Eclipse: Expunging clean-label indiscriminate poisons via sparse diffusion purification. InProceedings of the 29th European Symposium on Research in Computer Security (ESORICS’24), 2024a. Wang, X., Li, M., Liu, W., Zhang, H., Hu, S., Zhang, Y ., Zhou, Z., and Jin, H. Unlea...
-
[12]
Yu, Y ., Wang, Y ., Xia, S., Yang, W., Lu, S., Tan, Y .-P., and Kot, A. C. Purify unlearnable examples via rate-constrained varia- tional autoencoders.arXiv preprint arXiv:2405.01460, 2024a. Yu, Y ., Zheng, Q., Yang, S., Yang, W., Liu, J., Lu, S., Tan, Y .-P., Lam, K.-Y ., and Kot, A. Unlearnable examples detection via iterative filtering. InProceedings o...
-
[13]
Zhang, H., Hu, S., Wang, Y ., Zhang, L. Y ., Zhou, Z., Wang, X., Zhang, Y ., and Chen, C. Detector collapse: Backdooring object detection to catastrophic overload or blindness.arXiv preprint arXiv:2404.11357,
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.