Learning to Protect (L2P)
- Learning to Protect (L2P) is a cross-domain research theme that treats protection as an adaptive, learnable process rather than relying solely on rigid, rule-based mechanisms.
- It employs methods like scam inoculation, protection-aware code representations, iterative self-moderation for privacy control, and biometric template cloaking to counter evolving threats.
- Empirical evaluations across domains—such as increased scam recognition, improved software obfuscation metrics, enhanced LLM privacy, and secure biometric matching—demonstrate its practical effectiveness.
Learning to Protect (L2P) denotes, in the materials considered here, a cross-domain research theme in which protection is treated as something that can be learned, simulated, optimized, or encoded rather than enforced only through static filters, hand-crafted rules, or passive warnings. The theme appears most directly in work on scam inoculation, protection-aware code representations, privacy-preserving response control, and biometric template security, where the central objective is to improve how users or models resist evolving harms while preserving utility (Hoffman et al., 30 Jan 2026, Mo et al., 28 Jan 2026, Chen et al., 2023, Banerjee et al., 8 Apr 2025).
1. Conceptual scope and recurring design logic
A recurring premise across these works is that conventional protection mechanisms are often too rigid, too brittle, or too indirect. In scam prevention, conventional automated scam prevention is described as insufficient because fraud tactics evolve quickly, are not perfectly detectable, and often still reach users in the form of fraudulent calls, texts, and messages; automated detection systems and passive warnings can be bypassed, become stale, or trigger habituation, so the human user still needs to learn how to spot the signs of manipulation (Hoffman et al., 30 Jan 2026). In software protection, traditional virtual machine protection is characterized as rigid and rule-based, with recurring structural patterns that can be exploited by automated analysis, motivating a shift toward learning-based protection-aware representations (Mo et al., 28 Jan 2026). In privacy control for LLMs, the target is selective abstention rather than blanket refusal, so protection must be balanced against answer quality (Chen et al., 2023). In biometric systems, stored face templates are not treated as inherently secure, because generative or optimization-based attacks can reconstruct faces from embeddings, requiring proactive template protection (Banerjee et al., 8 Apr 2025).
| Area | Protection objective | Representative work |
|---|---|---|
| Online scams | Train people to recognize and resist scams | ScamPilot (Hoffman et al., 30 Jan 2026) |
| VMP-protected code | Learn robust representations of protected code | ShieldedCode (Mo et al., 28 Jan 2026) |
| Personal information in LLMs | Selectively abstain from revealing protected information | PrivQA / Self-Moderation (Chen et al., 2023) |
| Face biometrics | Protect templates against inversion while retaining matching | FaceCloak (Banerjee et al., 8 Apr 2025) |
This shared design logic does not imply a single formal framework. Rather, the papers instantiate different mechanisms: inter-agent simulation and feedback for scam resistance, contrastive representation learning for protected code, iterative self-moderation for privacy-preserving QA, and binary cloaking for biometric embeddings. A plausible implication is that L2P is best understood as an orientation toward learned protection, not as one canonical algorithm.
2. Human capability as the protected asset: scam inoculation in ScamPilot
ScamPilot is the clearest explicit example of learning to protect in the corpus because it does not merely try to block scams automatically; instead, it trains people to recognize and resist them by placing them inside a realistic, guided scam simulation. Its interface uses two LLM agents, a scammer and a target, while the human is cast as an advisor who helps the target resist the scam in real time. The learner is therefore neither the victim nor the attacker. The conversation is designed as a three-phase imposter scam—trust building, manipulation, and extraction—and each phase contains five dialogue turns total, with three turns from the scammer and two from the target. The target is prompted to be trusting and to incorporate the user’s advice without explicitly acknowledging it. Pedagogically, the system is grounded in inoculation theory, experiential learning, and the present-test-practice-assess (PTPA) model: users are presented with a scam situation, tested with an embedded multiple-choice quiz, practice by giving advice, and then receive assessment and feedback. The quiz is answer-until-correct, and the advice component is intended to evoke learning-by-teaching (Hoffman et al., 30 Jan 2026).
The evaluation used a between-subjects randomized controlled study with 150 participants who passed attention checks, recruited via Prolific and restricted to U.S. residents. The four conditions were a naive control, a quiz-only condition, an advice-only condition, and a quiz+advice condition. All participants completed pre-surveys, tutorials, the interaction itself, and post-surveys. The study measured scam/legitimate discernment, situational judgment, self-efficacy, response efficacy, and logs such as quiz attempts, time on task, and advice text. The self-efficacy change score was computed as , where is pre-use self-efficacy and is post-use self-efficacy. For analysis, the authors used ANCOVA with covariates such as SA-6, scam susceptibility, self-efficacy, completion time, and post-survey time, and also used the Iman-Conover non-parametric rank-based ANCOVA as a sensitivity analysis.
The main quantitative result is that blending advice-giving with multiple-choice questions increased scam recognition by +8%, response efficacy by 9%, and self-efficacy by 19%, while legitimate-message recognition was not significantly harmed. The paper emphasizes that the combined quiz+advice design was the best overall balance of learning and caution. More specifically, for scam discernment, the adjusted means were 9.28 for control, 11.22 for advice, 10.11 for quiz+advice, and 6.84 for quiz; the advice condition significantly outperformed the quiz condition after Holm correction. For situational judgment scam scores, the advice and quiz+advice conditions both outperformed control, suggesting better far transfer to unfamiliar contexts. The paper also notes that the 19% higher self-efficacy was not statistically significant in the standard ANCOVA.
The qualitative analysis clarifies what “protecting” meant in practice. Advice clustered into verification, refusal, managing the situation, and pointing out flaws. Verification appeared in 56.8% of all advice; refusal in 18.5%; managing the situation in 9.5%; and about 15% pointed out flaws in the scammer’s story. Advice-only participants tended to write longer, more reflective responses, whereas quiz+advice participants wrote shorter but more decisive and action-oriented advice. The reported coding agreement was high, with Krippendorff’s alpha using a set-aware Jaccard-distance adaptation at (Hoffman et al., 30 Jan 2026).
3. Protection-aware representation learning for virtual machine protected code
ShieldedCode extends the learning-to-protect idea into software security by presenting the first protection-aware framework that learns robust representations of VMP-protected code. The motivating claim is that reverse engineering continues to threaten software security, while traditional virtual machine protection relies on rigid, rule-based transformations that are costly to design and vulnerable to automated analysis. ShieldedCode therefore reframes software protection as a representation learning, generation, and retrieval problem rather than as a purely rule-based obfuscation pipeline (Mo et al., 28 Jan 2026).
The framework has five stated ingredients: paired dataset construction, hierarchical dependency modeling, multi-objective training, a two-stage training pipeline, and downstream use for generation, ranking, and reasoning over protected code. Training examples are built from source functions and their VM-protected implementations: with paired data
Normalization removes debug symbols and comments, adds whitespace around VM instruction delimiters, replaces virtual addresses with symbolic references, and replaces each instruction address with a canonical label such as .
A central architectural feature is hierarchical dependency modeling at three levels: intra-instruction, preceding-instruction, and inter-instruction. Within one virtual instruction, tokens attend to one another and to an instruction marker token; current tokens also depend on the immediately previous instruction marker; and tokens can attend to all prior instruction markers. This masking scheme is intended to capture instruction-level structure that standard causal masking lacks. Training combines language modeling with functionality-aware contrastive learning (FCL), protection-aware contrastive learning (PCL), and protection effectiveness optimization (PEO). The appendix states the joint objective as
The two-stage pipeline uses continual pre-training to optimize and , followed by fine-tuning that optimizes only 0 for downstream generation. In the generation setting, the model receives a prompt of the form “# This is the source code with {protection_level} protection: {src}” and outputs a VM implementation intended to preserve functionality while matching the requested protection strength.
The reported results tie protection-aware representations to measurable downstream behavior. On HumanEval_compile, ShieldedCode achieves L0 Pass@1 = 26.95, L1 Pass@1 = 18.47, L2 Pass@1 = 19.23, and L3 Pass@1 = 14.71; GPT-4o is reported at 22.58 on L0. On BinaryCorp-VirtualAssembly, ShieldedCode reports Recall@1 values including 0.488 for O0+L1, compared with 0.333 for jTrans (Linear Probe). For PEO, ShieldedCode consistently achieves the highest Recall@1 across pool sizes 1. Ablations further report average Pass@1 values of 15.78 for 2, 21.86 for 3, and 25.17 for the full model, supporting the claim that both contrastive objectives and polymorphic generation matter (Mo et al., 28 Jan 2026).
4. Instructed protection of personal information in language and multimodal models
In the privacy domain, learning to protect is framed as access control by instruction. The target behavior is defined explicitly as
4
where protected categories may refer either to protected populations or to protected information. The benchmark introduced for this purpose, PrivQA, contains 4,678 open-domain textual QA examples and 2,000 visual QA examples, built from TriviaQA, PopQA, PopQA+, KVQA, and InfoSeek. The protection metric is the harmonic mean of sensitivity and specificity,
5
while utility is measured with response 6 (Chen et al., 2023).
The paper’s proposed method is iterative Self-Moderation. It consists of three components: Question Answering, Moderation, and Authorization or self-authorization. The model first produces a candidate answer, then classifies whether the content is in the protected class, and then re-evaluates its prior moderation decision with an “Are you sure?”-style prompt. The final output is either the answer or the string “none.” Greedy decoding with 7 is used.
The empirical results show that instruction prompting alone is weak, but iterative self-moderation improves protection substantially. For textual protected populations, average results under Self-Moderation were: gpt-3.5-turbo with protected-group 8 9, control-group 0 1, Protection Score 2; gpt-4 with protected-group 3 4, control-group 5 6, Protection Score 7; and LLaMA2-70B-chat with Protection Score 8. For textual protected information, gpt-4 reached protected-group 9 0, control-group 1 2, and Protection Score 3. The ablation on self-authorization steps reports that for gpt-3.5 the protection score for protected information improves from 62% to 74% within three steps, whereas on LLaMA-based models additional self-authorization can degrade protection.
The paper is equally explicit about failure modes. Red-teaming shows that simple jailbreaks, visual prompt injection, and multi-hop attacks can bypass the protection. Attack Success Rate is defined as 4. With BetterDAN, gpt-4 self-moderation rises from baseline ASR values of 1.5 for President and 0 for Profession to 7.8 and 22.6, respectively. For IDEFICS-9B, visual prompt injection causes large ASR jumps; for example, with injected text “Citizenship: USA,” ASR becomes 84.2, 86.6, and 90.3 for Japan, India, and Germany. The paper also reports a significant popularity effect, with sensitivity dropping from 80% to 20% for gpt-3.5 and from 100% to 60% for gpt-4 from head entities to tail entities, and notes visually biased moderation behavior in IDEFICS-9B. The result is a guarded view: models can be partially instructed to protect personal information, but the protection is empirical, not formal, and remains fragile under adaptive attack (Chen et al., 2023).
5. Learning to protect biometric face templates
FaceCloak addresses a different protection problem: preventing reconstruction of faces from stored face templates. The setting assumes a template
5
that is mapped to a protected binary cloak
6
The stated objectives are biometric retention, irreversibility, and unlinkability or renewability. The paper positions FaceCloak as a learnable, lightweight alternative to cryptographic or hand-designed cancellable biometrics methods (Banerjee et al., 8 Apr 2025).
The method proceeds in two phases: disruptor creation and cloak generation. Positive disruptors are created by adding Gaussian noise with mean 0 and std 0.2 and applying Bernoulli masking with probability 7, so as to mimic intra-class variation and remain close to the source template. Negative disruptors are generated using Gram–Schmidt orthogonalization and synthetic face templates from StyleGAN3 with truncation factor 8, so as to frustrate inversion. For each template, the paper constructs 9 samples with 0 positive and 1 negative disruptors.
The cloak generator is a shallow network 2 with layers 3, using batch normalization, ReLU, and Tanh, followed by thresholding to obtain binary outputs. The total loss is
4
with 5. The biometric identity loss is a triplet-style margin loss,
6
with 7 for ArcFace and 8 for FaceNet. The binarization loss is 9, and the diversity loss is 0.
Enrollment stores only the protected template, and verification compares cloaks by Hamming distance. The reported matching results show limited performance loss: on LFW, ArcFace falls from 96.2% TMR before cloaking to 95.7% after cloaking, and FaceNet falls from 69.3% to 67.8%; on CFP, TMR falls from 99.61% to 99.23%. For irreversibility, the reported attack protocol samples 10 initial guesses from the template distribution and optimizes them with Adam for 1000 steps at learning rate 0.01; successful recovery is defined by cosine similarity exceeding the threshold at FMR 1. The paper reports perfect irreversibility on 500 protected templates, with 2. Unlinkability metrics on LFW are also low: for ArcFace, 3 and 4; for FaceNet, 5 and 6. The paper additionally reports gender prediction accuracy of 48.4% from protected templates, suggesting suppression of that sensitive attribute, and emphasizes the system’s efficiency with model size 0.57 MB, enrollment time 0.41 ms, inference time 0.28 ms, and training time 1.54 s (Banerjee et al., 8 Apr 2025).
6. Terminological ambiguity, adjacent work, and limits of the label
The acronym L2P is not unique to protection. In continual learning, L2P means “Learning to Prompt,” a prompt-based framework built around a frozen pre-trained vision transformer, a prompt pool
7
and instance-wise key-query retrieval that does not require task identity at test time. That work reports 83.83% average accuracy and 7.63 forgetting on Split CIFAR-100, and explicitly states that L2P means “Learning to Prompt,” not “Learning to Protect” (Wang et al., 2021). In heavy-tailed regression, L2P means “Learning to Place,” where the model learns pairwise preferences and predicts by placing a new instance among known instances; the predicted value is induced by the most-supported bin after a voting procedure (Wang et al., 2019). These usages matter because they show that “L2P” is an overloaded acronym rather than a settled technical name for one protection paradigm.
There is also adjacent work that is protection-oriented without using the L2P acronym. “Learning to Defend by Learning to Attack” formulates adversarial training as a bilevel optimization problem in which a learned optimizer generates adversarial perturbations and a classifier learns to defend against them. The paper reports, for example, on CIFAR-10, PGM Net at clean 87.30% and robust 47.04% against PGM-20, compared with Grad L2L at clean 85.84% and robust 51.17%, and 2-Step L2L at clean 85.35% and robust 54.32% (Jiang et al., 2018). This places learned protection in a broader robust-optimization lineage.
A further limitation of the label emerges from privacy research showing that not every ostensibly protective learning pipeline actually provides meaningful protection. “Does Training with Synthetic Data Truly Protect Privacy?” evaluates coreset selection, dataset distillation, data-free knowledge distillation, and diffusion-generated synthetic data using worst-case membership inference, especially LiRA and [email protected]% FPR. The paper’s main conclusion is that training on synthetic data does not automatically or reliably protect privacy. Reported leakage includes 72.94% [email protected]% FPR for forgetting-based coreset selection, 43.38% for DFKD, and 12.65% for diffusion, while DPSGD baselines are reported at 0.40% and 9.31% depending on utility setting (Zhao et al., 18 Feb 2025). The cautionary principle is explicit: empirical privacy claims based only on visual dissimilarity or average-case membership inference are misleading.
Taken together, these disambiguations and cautions indicate that Learning to Protect is best treated as a substantive theme rather than a stable acronymic brand. The strongest instances share a common ambition—to make protection adaptive, learned, and measurable—but they differ sharply in what is being protected, how protection is operationalized, and whether the resulting guarantees are behavioral, empirical, or formal.