Do SSL Models Have Déjà Vu? A Case of Unintended Memorization in Self-supervised Learning

April 26, 2023 · Entered Twilight · 🏛 Neural Information Processing Systems

Repo contents: CODE_OF_CONDUCT.md, CONTRIBUTING.md, LICENSE, RCDM, README.md, bash_examples, configs, dejavu_utils, environment_pytorch2.yml, gen_betons.sh, gen_val_beton.sh, imagenet_partition.py, images, label_inference_attack.py, lin_probe.py, plot_quant_results.py, train_RCDM.py, train_SSL.py, visualization_RCDM.ipynb, write_ffcv_dataset.py

Authors Casey Meehan, Florian Bordes, Pascal Vincent, Kamalika Chaudhuri, Chuan Guo arXiv ID 2304.13850 Category cs.CV: Computer Vision Cross-listed cs.CR, cs.LG Citations 21 Venue Neural Information Processing Systems Repository https://github.com/facebookresearch/DejaVu ⭐ 36 Last Checked 2 months ago

Abstract

Self-supervised learning (SSL) algorithms can produce useful image representations by learning to associate different parts of natural images with one another. However, when taken to the extreme, SSL models can unintendedly memorize specific parts in individual training samples rather than learning semantically meaningful associations. In this work, we perform a systematic study of the unintended memorization of image-specific information in SSL models -- which we refer to as déjà vu memorization. Concretely, we show that given the trained model and a crop of a training image containing only the background (e.g., water, sky, grass), it is possible to infer the foreground object with high accuracy or even visually reconstruct it. Furthermore, we show that déjà vu memorization is common to different SSL algorithms, is exacerbated by certain design choices, and cannot be detected by conventional techniques for evaluating representation quality. Our study of déjà vu memorization reveals previously unknown privacy risks in SSL models, as well as suggests potential practical mitigation strategies. Code is available at https://github.com/facebookresearch/DejaVu.