Unlearnable example attacks are data poisoning techniques that can be used to safeguard public data against unauthorized use for training deep learning models. These methods add stealthy perturbations to the original image, thereby making it difficult for deep learning models to learn from these training data effectively. Current research suggests that adversarial training can, to a certain degree, mitigate the impact of unlearnable example attacks, while common data augmentation methods are not effective against such poisons. Adversarial training, however, demands considerable computational resources and can result in non-trivial accuracy loss. In this paper, we introduce the UEraser method, which outperforms current defenses against different types of state-of-the-art unlearnable example attacks through a combination of effective data augmentation policies and loss-maximizing adversarial augmentations. In stark contrast to the current SOTA adversarial training methods, UEraser uses adversarial augmentations, which extends beyond the confines of $ \ell_p $ perturbation budget assumed by current unlearning attacks and defenses. It also helps to improve the model's generalization ability, thus protecting against accuracy loss. UEraser wipes out the unlearning effect with error-maximizing data augmentations, thus restoring trained model accuracies. Interestingly, UEraser-Lite, a fast variant without adversarial augmentations, is also highly effective in preserving clean accuracies. On challenging unlearnable CIFAR-10, CIFAR-100, SVHN, and ImageNet-subset datasets produced with various attacks, it achieves results that are comparable to those obtained during clean training. We also demonstrate its efficacy against possible adaptive attacks. Our code is open source and available to the deep learning community: https://github.com/lafeat/ueraser.

翻译：无法学习的样本攻击是一种数据投毒技术，可用于保护公共数据免遭未经授权用于训练深度学习模型。这些方法向原始图像添加隐蔽扰动，从而使深度学习模型难以有效从这些训练数据中学习。现有研究表明，对抗训练在一定程度上可以缓解无法学习样本攻击的影响，而常见的数据增强方法对此类投毒无效。然而，对抗训练需要大量计算资源，并可能导致显著的精度损失。本文引入了UEraser方法，通过结合有效的数据增强策略和最大化损失的对抗性增强，该方法在防御不同类型的最先进无法学习样本攻击方面超越了现有防御方法。与当前最先进的对抗训练方法形成鲜明对比的是，UEraser使用对抗性增强，突破了当前无法学习攻击和防御所假设的$\ell_p$扰动预算限制。它还有助于提升模型的泛化能力，从而防止精度损失。UEraser通过最大化误差的数据增强消除无法学习效果，从而恢复训练模型的精度。有趣的是，UEraser-Lite（一种不含对抗性增强的快速变体）在保持干净精度方面也高度有效。在使用多种攻击生成的有挑战性的无法学习CIFAR-10、CIFAR-100、SVHN和ImageNet子集数据集上，它取得了与干净训练相当的结果。我们还证明了其对可能的自适应攻击的有效性。我们的代码是开源的，可供深度学习社区使用：https://github.com/lafeat/ueraser。