Unlearnable Event Streams (UEvs)
- UEvs are perturbed event-stream datasets designed to force models to learn artificial shortcuts rather than genuine semantic features.
- The approach integrates Event-Error-Minimizing Noise, sparsifying projections, and bilevel min-min optimization to effectively poison the training signal.
- Empirical evaluations on event-camera and time-series datasets demonstrate drastic accuracy drops while preserving data imperceptibility for authorized use.
Searching arXiv for the cited UEv and related unlearnable-examples papers to ground the article in current literature. Unlearnable Event Streams (UEvs) are perturbed event-stream datasets constructed so that unauthorized models trained on the released data fail to learn the underlying semantics, while legitimate use is intended to remain viable. In the asynchronous event-camera setting, UEvs are defined by a workflow that combines Event-Error-Minimizing Noise (), a sparsifying projection compatible with event stacks, and a retrieval strategy that reconstructs perturbed raw streams from the modified representation (Wang et al., 8 Jul 2025). A related sequential formulation extends the same unlearnability principle to time series by adding small, selectively applied error-minimizing perturbations that nullify the training signal of deep sequence learners (Jiang et al., 2024).
1. Event-stream data model and protection objective
Event cameras output asynchronous event streams rather than dense frames. A single event is a tuple
where are pixel coordinates, is the timestamp, and is the binary polarity indicating brightness increase or decrease. Over a time window, these events form a sparse spatio-temporal point cloud
This representation differs fundamentally from frame-based imagery in both sparsity and asynchrony (Wang et al., 8 Jul 2025).
The protection problem arises once an event dataset is released online. Although event data offers high dynamic range and low latency, the release of such datasets raises privacy and security concerns because malicious parties can train powerful DNNs on them for unauthorized purposes. The UEv objective is therefore to publish a modified dataset that causes downstream learners to acquire an artificial, easy-to-fit feature rather than the genuine semantic structure of the data.
The event-camera formulation adapts the broader notion of Unlearnable Examples from the image domain to asynchronous streams. The central difficulty is that extending image-style perturbations is non-trivial: events are binary and sparse, simple additive noise may destroy the polarity pattern, and event-based networks consume binned event representations rather than raw event tuples. As a result, the perturbation must be compatible with the conversion pipeline and invertible back to an event stream (Wang et al., 8 Jul 2025).
A related sequential-data viewpoint defines labeled streams with and seeks a released dataset such that any RNN trained on it achieves near-random performance on clean test streams, subject to a small perturbation budget , with 0 (Jiang et al., 2024). This suggests that UEvs are best understood as a data-protection mechanism for stream-like modalities rather than as a sensor-specific artifact.
2. Min-min optimization and shortcut formation
The asynchronous event-stream method adopts a bilevel min-min optimization. Let 1 be the clean event dataset, and let 2 denote the 3-channel event-stack representation, with values in 4 for polarity 5. Using a surrogate model 6, the optimization is
7
where 8 is cross-entropy (Wang et al., 8 Jul 2025).
The inner minimization searches for an 9-bounded noise 0 that drives the surrogate to low loss on the perturbed stack. Once 1 succeeds in driving loss below a threshold, expressed operationally as accuracy 2, the noise enforces reliance on 3-features rather than semantics. In practice, optimization alternates between updating the surrogate parameters 4 and updating 5 by one-step PGD: 6 The surrogate update includes both the task loss and a similarity loss 7, weighted by 8 and 9, where 0 encourages the model to discriminate clean versus perturbed features and thereby boosts the shortcut effect (Wang et al., 8 Jul 2025).
Two perturbation granularities are defined. Sample-wise noise 1 assigns one perturbation per stream, whereas class-wise noise 2 shares a perturbation within a class. The paper’s interpretation is explicit: 3 becomes an “easy-learnable” feature that the surrogate model captures instead of true semantics, and downstream models trained on perturbed streams inherit this reliance on the noise shortcut.
The sequential formulation in the time-series setting makes the same conceptual distinction from adversarial attacks. Rather than a min-max objective, UE generation is described as a bi-level min-min problem: 4 with the final poisoned stream given by
5
This framing matters because UEvs are not intended to induce immediate test-time misclassification; they are designed to poison the training signal itself (Jiang et al., 2024).
3. Event-Error-Minimizing Noise, projection, and retrieval
Directly adding continuous noise to an event stack breaks the binary-polarity pattern. The asynchronous event-stream method therefore introduces a projection
6
where 7 and 8 are the mean and half-range of raw 9, and 0 balances stealth versus effectiveness (Wang et al., 8 Jul 2025).
The projected values 1 are chosen to combine with original stack values 2. Their operational role is to delete, leave, or generate events. This is the central compatibility mechanism: the perturbation is sparse, polarity-compatible, and remains expressible in the event-stack representation used by downstream event-based networks.
The full procedure initializes 3 randomly, alternates surrogate training and PGD noise updates until the surrogate accuracy on perturbed stacks reaches the target 4, then projects the noise, clips the resulting stack to 5, and reconstructs the unlearnable raw stream 6 via timestamp retrieval. The output is an unlearnable dataset 7 (Wang et al., 8 Jul 2025).
The key hyperparameters reported for this pipeline are stack channels 8, surrogate training epochs 9, batch size 0, PGD steps 1, 2, 3, projection balance 4, and target accuracy 5. The method’s significance lies in preserving compatibility with the raw-stream and stack-based processing chain. A plausible implication is that this compatibility requirement is the main distinction between UEvs for event cameras and unlearnable perturbations in dense domains.
4. Empirical results on asynchronous event-camera datasets
The event-stream study evaluates UEvs on N-Caltech101, CIFAR10-DVS, DVS128 Gesture, and N-ImageNet, using ResNet-18/50, VGG16, DenseNet121, EfficientNet-B1, ViT-B, and Swin-B. Protection strength is measured by test accuracy on perturbed versus clean data, where lower perturbed accuracy indicates stronger defense. Imperceptibility is measured by PSNR, SSIM, and MSE computed on event stacks (Wang et al., 8 Jul 2025).
On N-Caltech101 with ResNet-18, the clean test accuracy is 6. Event pollution baselines—coordinate shift, timestamp shift, polarity inversion, pattern injection, and block shuffle—yield perturbed accuracies of approximately 7 to 8. By contrast, class-wise noise 9 produces 0 accuracy, corresponding to a 1 drop, and sample-wise noise 2 produces 3, corresponding to a 4 drop (Wang et al., 8 Jul 2025).
The paper further reports that all seven architectures suffer more than a 5 accuracy drop under 6 or 7. Imperceptibility remains comparatively strong: PSNR is approximately 8 for 9 and 0 for 1; SSIM is 2 and 3; MSE is 4 and 5. The pollution baselines yield 6 or visible distortions (Wang et al., 8 Jul 2025).
Ablation results refine the picture. Removing the similarity loss 7 raises perturbed accuracy from 8 to 9. Mixed noise configurations, written as 0 or 1, remain effective while increasing stealthiness or flexibility. The defense is reported as robust under standard augmentations, including random shift, flip, crop, and EventDrop. Alternative attacks such as FGSM, CW, and MIFGSM also yield low test accuracy, below 2. Varying the time-bin size by 3 or 4, or changing representation to event frame or time surface, has minor effect (Wang et al., 8 Jul 2025).
These findings support the paper’s conclusion that UEvs provide strong protection while remaining visually restrained in the event-stack domain. The concrete numerical pattern also clarifies a frequent misunderstanding: lower perceptibility metrics do not, in this setting, automatically imply weaker protection, because the defense mechanism depends on the learnability of the injected shortcut rather than on conspicuous corruption.
5. Sequential and time-series formulations
A neighboring line of work extends unlearnability from images to time series and summarizes it in terms of “Unlearnable Event Streams” for labeled streams 5 processed by RNNs (Jiang et al., 2024). The downstream learner is trained by empirical risk minimization,
6
and the released dataset is constructed so that models trained on 7 perform near-randomly on clean data.
The distinctive mechanism in this formulation is selective segment-wise perturbation. A binary control vector 8 specifies where the noise is applied, yielding the objective
9
with 0. In practice, the imperceptibility constraint is 1, and Eq. 5 acts as a regularizer that forces the RNN to see “no signal” in the protected segments (Jiang et al., 2024).
The theoretical justification given is gradient-based: by driving 2 for each poisoned sample, the gradient contribution 3 from that sample vanishes. Over training, the RNN never learns to discriminate patterns in the protected segments; when evaluated on clean data, performance therefore collapses toward chance. This account closely parallels the shortcut interpretation used in the event-camera literature, although the perturbation locus differs.
Empirically, classification experiments use a vanilla RNN with three 64-unit hidden layers, batch size 4, Adam with learning rate 5, noise learning rate 6, 7 per sample, warm-start 8 epochs, and total 9 epochs. Across 00 univariate UCR and 01 multivariate MTS datasets, masking alone drops accuracy by approximately 02, UAP by approximately 03, whereas the UEv method with only 04 noise causes an approximately 05 drop; with 06 noise, accuracy falls below 07, and with 08 noise below 09. Multivariate streams often fall below 10 accuracy (Jiang et al., 2024).
For generation tasks, the setup trains RGAN or QGAN on class-0 samples only, with 11 of those samples perturbed, and evaluates with Train on Synthetic, Test on Real using LSTM or FCN classifiers. Generators trained on clean data yield TSTR accuracies of approximately 12 to 13, whereas generators trained on UEvs produce synthetic streams that give below 14 accuracy, an average drop greater than 15 (Jiang et al., 2024). This suggests that unlearnability can affect both discriminative and generative downstream usage.
6. Utility preservation, limitations, and future directions
The event-camera study states that perturbations are sparse and imperceptible in the event-stack domain and that, for authorized users who know the original streams or have proprietary reconstruction keys, the noise can be filtered or ignored, preserving legitimate performance (Wang et al., 8 Jul 2025). In the time-series setting, a closely related utility claim is that by protecting only key segments through 16, the rest of the stream remains fully learnable for legitimate tasks (Jiang et al., 2024). In both cases, the intended operating point is not universal data destruction but selective denial of unauthorized learning.
Best-practice guidance is also explicit. For new event datasets, one should choose a representative surrogate 17, such as ResNet-18, and limit its training to 18 steps to avoid overfitting; tune 19 and 20 to trade off stealth versus strength; choose class-wise noise for scalability and sample-wise noise for slightly stronger defense; and validate under target adversarial training or augmentations (Wang et al., 8 Jul 2025). The time-series work similarly emphasizes model mismatch tolerance, stating that UEvs require only rough knowledge of the target RNN and that noise generated on one architecture transfers to others (Jiang et al., 2024).
Limitations and countermeasures are not absent from the literature. The time-series paper notes that UEvs can be partially undone by strong countermeasures such as “UEraser” aggressive data augmentation, and that they rely on a small perturbation budget, since extremely noisy settings may degrade both privacy and downstream utility (Jiang et al., 2024). This qualifies any interpretation of UEvs as an absolute protection mechanism.
Future directions identified in the event-camera work include improving noise generation efficiency via a generative noise network, exploring defense-aware noise, and extending to other event tasks such as detection and segmentation via foundation-model surrogates (Wang et al., 8 Jul 2025). The time-series work points to theoretical analysis of convergence and generalization under UEv poisoning, certified guarantees in the style of randomized smoothing for segment-wise unlearnability, and federated or collaborative settings in which users protect their own data in a pooled stream (Jiang et al., 2024). Taken together, these directions indicate that UEvs are evolving from a narrowly defined poisoning construction into a broader framework for consent-based data protection in streaming machine learning.