Unintended Memorization in SSL Models

Updated 30 June 2025

Unintended memorization is the phenomenon where SSL models retain specific image details, enabling reconstruction from non-distinctive inputs.
Empirical analysis shows that up to 15% of training samples can be memorized, with label inference accuracy reaching 95% on high-confidence cases.
Mitigation strategies like hyperparameter tuning, guillotine regularization, and model scaling can significantly reduce these privacy risks.

Unintended memorization refers to the phenomenon where machine learning models, especially self-supervised and generative models, encode information about individual training samples so specifically that this information can be recovered or inferred from limited or seemingly innocuous inputs—even when such recall is neither necessary for the learning objective nor the result of statistical correlation alone. In the context of self-supervised learning (SSL), unintended memorization can pose severe privacy risks: for instance, the ability to reconstruct or identify training content from partial or non-distinctive inputs reveals vulnerabilities not detected by traditional evaluation metrics.

1. Definition and Phenomenon of Déjà Vu Memorization

Unintended memorization in SSL is defined as the model's capacity to retain such specific information about individual training images that aspects particular to those images can be reconstructed or inferred from portions that, by themselves, contain none of those aspects. Formally, déjà vu memorization is said to occur when a model enables the recovery of image-specific information from a crop or view that excludes that information, surpassing what can be predicted from data correlations alone. For example, given just a background crop (e.g., water or grass) from a training image, a sufficiently memorizing SSL model may permit inference or even visual reconstruction of the specific foreground object (such as a particular swan)—a feat unattainable through correlation-based inference.

This stands in contrast to standard statistical correlation, where the model could only suggest a likely foreground class (such as "aquatic bird" for water), rather than retrieve the actual instance observed during training.

2. Methodology for Empirical Analysis

To systematically analyze déjà vu memorization, a controlled experimental framework is employed:

Dataset Splitting: The core dataset (ImageNet) is divided into three parts: a target set (A), used to train model SSL_A; a reference set (B), for training SSL_B with the same configuration but different data; and a public set (X), withheld from all training, used for k-nearest neighbor (KNN) searches and as a source of conditional image decoding.
Test for Memorization vs. Correlation: For each image in A, a background "periphery" crop—excluding the main object based on bounding box annotation—is used to obtain a representation from SSL_A and from SSL_B. Two evaluations are conducted:
1. Label Inference: A KNN classifier is used: the SSL embedding of the crop is compared to embeddings from the public set X; the most common label among the nearest neighbors becomes the predicted foreground.
2. Conditional Visualization: The embedding is input to a generative model (RCDM), using the average of the KNN representations, to reconstruct the likely original image.
3. Quantification: The "déjà vu score" is the difference in label inference accuracy between SSL_A and SSL_B at a given confidence percentile. Additional disaggregation categorizes samples as memorized, correlated, misrepresented, or unassociated.
Ablations: Multiple architectures (VICReg, Barlow Twins, SimCLR, BYOL, DINO), varying training epochs, set sizes, and regularization configurations, are examined to assess the prevalence and sensitivity of memorization.

This methodology enables clear separation between information attainable due to dataset-wide statistical correlation and that arising from specific memorization.

3. Empirical Findings and Analysis

The paper finds that déjà vu memorization is common across diverse SSL algorithms, with several salient patterns:

Prevalence: For state-of-the-art algorithms such as VICReg and Barlow Twins, up to 15% or more of the training set can be memorized—meaning their foreground label can be accurately inferred from a background-only crop by a model trained on the image, but not by a similarly trained model without access to it. Among the top 1% most confidently memorized samples, label inference accuracy approaches 95%, far exceeding random chance for 1000-way classification.
Amplifying Factors: Increased training epochs, larger model architectures, and certain objective hyperparameters (e.g., low invariance strength in VICReg; default temperature in SimCLR) noticeably exacerbate memorization. Projector heads in joint-embedding architectures concentrate memorization; removing them ("guillotine regularization") reduces the phenomenon.
Variation Across Criteria: VICReg and Barlow Twins show the highest levels of memorization; SimCLR and BYOL are more robust but still susceptible, depending on training choices.
Insensitivity to Dataset Scale: Memorization does not decrease with dataset size; even with half of ImageNet for training, a substantial rate persists.
Standard Metrics Fail to Reveal Risk: Frequently-used overfitting measures (e.g., linear probe train-test gap) do not correspond to memorization rates: déjà vu memorization can increase even as the train-test gap shrinks.
Granularity of Memorized Content: Models can memorize and recall not just labels, but also fine-grained image details—species subtypes, spatial configurations, color attributes—not included in the training targets.

4. Privacy Implications and Risk Assessment

The existence of déjà vu memorization introduces previously uncharted privacy risks for SSL models:

Leakage from Unremarkable Inputs: Adversaries with embedding access can retrieve or reconstruct foreground content of private/user images from innocuous background patches.
Applicability to Sensitive Domains: In applications (e.g., medical imaging, sensitive organizational datasets), background or context-only information can unintentionally leak identifying or proprietary content.
Limitations of Traditional Defenses: Standard audits and overfitting diagnostics may grossly underestimate privacy exposure, since they are not sensitive to this subtle class of memorization.

Situating déjà vu memorization among other privacy attacks, this effect is related but not identical to membership inference, attribute inference, or training data reconstruction attacks; it highlights a unique, content-specific facet of information leakage in SSL.

5. Mitigation Strategies and Practical Recommendations

The paper identifies several concrete approaches to attenuate unintended memorization in SSL models, often without meaningful loss of utility:

Hyperparameter Optimization: Increasing the invariance regularization parameter $\lambda$ in VICReg and tuning the contrastive temperature $\tau$ in SimCLR can sharply suppress memorization while maintaining downstream task performance.
Guillotine Regularization: Discarding the projector head and using only backbone representations for downstream evaluation reduces memorization substantially; in some SSL algorithms, memorization may persist but is diminished.
Model Scaling and Training Choices: Using smaller backbones (e.g., ResNet18/34 vs. ResNet101) and reducing the number of epochs both independently reduce memorization.
Fine-Tuning: Brief downstream fine-tuning can transiently reduce déjà vu memorization, though the effect may reverse with longer adaptation.
Crucial Note: These mitigation strategies, carefully selected and validated, can produce a significant drop in memorization risk without sacrificing the typical accuracy gains of SSL.

6. Evaluation Techniques and Key Formulas

To assess memorization rigorously, the following constructs are central:

Correlation Probability:

$p_\text{corr} := \mathbb{P}_{A \sim \mathcal{P}}(\mathrm{object}(A) = \text{`black swan'} \mid \mathrm{crop}(A) = \text{`water'})$

Quantifies inference achievable via dataset-level correlations.

Label Inference Accuracy: The fraction of test samples where the label implied by the KNN over the SSL embedding matches the ground truth.
Déjà Vu Score: For the $p\%$ confidence percentile,

$\text{Déjà Vu Score}(p) = \text{Acc}_{\text{SSL}_A,\text{top-}p\%} - \text{Acc}_{\text{SSL}_B,\text{top-}p\%}$

where "Acc" denotes accuracy on label inference from background crops.

Sample Partitioning: Each crop is categorized as:
- Memorized (label inferred only by SSL_A),
- Correlated (label inferred by both),
- Misrepresented (inferred only by SSL_B),
- Unassociated (by neither).
Visualization: Conditional synthesis is implemented via RCDM conditioned on the mean KNN SSL embedding.

7. Broader Context and Impact

This analysis is the first to systematically quantify unintended memorization (“déjà vu memorization”) in joint-embedding SSL models. Key implications include:

Challenge to Established Assumptions: It refutes the common belief that SSL frameworks, especially joint-embedding methods, are inherently more privacy-preserving than supervised baselines.
Deployment Guidance: SSL models intended for deployment as general-purpose feature extractors or foundation models require explicit auditing for unintended memorization, beyond standard overfitting checks.
Research Directions: Further paper is needed to understand the mechanisms that predispose some algorithms or examples to greater memorization, automate auditing, and refine mitigations. Investigation into which data points are most at risk, and why SSL criteria differ in robustness, remains an open question.

SSL models can memorize and leak image-specific details—recoverable from background regions not containing those details—posing previously unappreciated privacy risks. These vulnerabilities can be sharply reduced through parameter selection, regularization strategies, and awareness of model scale, providing a practical toolkit for both researchers and practitioners aiming to balance utility and privacy in image representation learning.

PDF Markdown Chat (Pro)