Unlearnable examples (ULEs) aim to protect data from unauthorized use in training DNNs. Existing work adds $\ell_\infty$-bounded perturbations to the original samples so that the trained model generalizes poorly. Such perturbations, however, are easy to eliminate with adversarial training and data augmentation. In this paper, we resolve this problem from a novel perspective by perturbing only one pixel in each image. Interestingly, such a small modification can degrade model accuracy to almost that of an untrained counterpart. Moreover, the resulting \emph{One-Pixel Shortcut (OPS)} cannot be erased by adversarial training or strong augmentations. To generate OPS, we perturb all images of a class at the same position to the same target value, chosen so that it deviates most, and most stably, from all the original images. Since this generation is based only on the images, OPS requires significantly less computation than previous methods that use DNN generators. Based on OPS, we introduce an unlearnable dataset called CIFAR-10-S, which humans cannot distinguish from CIFAR-10 but which drives the trained model to extremely low accuracy. Even under adversarial training, a ResNet-18 trained on CIFAR-10-S reaches only 10.61% accuracy, compared to 83.02% with the existing error-minimizing method.
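The per-class search described in the abstract, sketched as an added example that is not the paper's code. It assumes grayscale images with values in [0, 1], candidate targets of 0.0 and 1.0, and a score of mean deviation divided by its variance as one reading of "mostly and stably"; all function names and the sample data are constructed for illustration. The `constant_pixels` helper shows how the same property surfaces in a dataset audit.

```python
import random
from statistics import mean, pvariance

def find_ops(images, targets=(0.0, 1.0), eps=1e-6):
    """Pick (row, col, target) for one class of grayscale images in [0, 1].

    Assumed score: mean |pixel - target| divided by its variance, so the
    winner deviates a lot ("mostly") and consistently ("stably").
    """
    h, w = len(images[0]), len(images[0][0])
    best, best_score = None, float("-inf")
    for i in range(h):
        for j in range(w):
            column = [img[i][j] for img in images]
            for t in targets:
                dev = [abs(p - t) for p in column]
                score = mean(dev) / (pvariance(dev) + eps)
                if score > best_score:
                    best, best_score = (i, j, t), score
    return best

def apply_ops(images, shortcut):
    """Return copies with the chosen pixel set to the target in every image."""
    i, j, t = shortcut
    out = [[row[:] for row in img] for img in images]
    for img in out:
        img[i][j] = t
    return out

def constant_pixels(images):
    """Audit helper: positions whose value is identical across all images."""
    h, w = len(images[0]), len(images[0][0])
    return [(i, j) for i in range(h) for j in range(w)
            if len({img[i][j] for img in images}) == 1]

def make_class_images(n=50, size=4, seed=0):
    """Constructed sample data: random 4x4 images, pixel (1, 2) always dark."""
    rng = random.Random(seed)
    imgs = [[[rng.uniform(0.2, 0.8) for _ in range(size)] for _ in range(size)]
            for _ in range(n)]
    for img in imgs:
        img[1][2] = 0.05 + rng.uniform(-0.01, 0.01)
    return imgs

if __name__ == "__main__":
    clean = make_class_images()
    shortcut = find_ops(clean)
    protected = apply_ops(clean, shortcut)
    print(shortcut, constant_pixels(clean), constant_pixels(protected))
```

In the constructed data the search selects the consistently dark pixel and pushes it to the opposite extreme, and the audit reports that position as the only one with zero within-class variance after the change.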