Autoregressive Perturbations for Data Poisoning
This work addresses the problem of unauthorized data scraping, for both users and platforms, by providing a more practical and robust defense; the contribution is incremental in that it builds on existing unlearnable-data methods.
The authors tackle the problem of poisoning data so that it cannot be learned from once scraped. They introduce autoregressive (AR) poisoning, a method that generates poisoned data without access to the full dataset or the target architecture, and show that it is more resistant than existing methods to defenses such as adversarial training and strong data augmentations.
The prevalence of data scraping from social media as a means to obtain datasets has led to growing concerns regarding unauthorized use of data. Data poisoning attacks have been proposed as a bulwark against scraping, as they make data "unlearnable" by adding small, imperceptible perturbations. Unfortunately, existing methods require knowledge of both the target architecture and the complete dataset so that a surrogate network can be trained, the parameters of which are used to generate the attack. In this work, we introduce autoregressive (AR) poisoning, a method that can generate poisoned data without access to the broader dataset. The proposed AR perturbations are generic, can be applied across different datasets, and can poison different architectures. Compared to existing unlearnable methods, our AR poisons are more resistant against common defenses such as adversarial training and strong data augmentations. Our analysis further provides insight into what makes an effective data poison.
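As an added illustration, and not code from the paper (the abstract does not say how the AR process, its coefficients, or the perturbation norm are chosen), the Python sketch below shows the core idea: a perturbation that depends only on a per-class autoregressive filter and a random seed, so it can be produced for one image without the rest of the dataset or a surrogate network. The 2-D causal filter, the L_inf budget of 8/255, the per-sample seeding, and the flat gray test image are all assumptions made for the example. The `lag_correlation` helper is the defender-side check: it measures the class-consistent spatial structure that makes such a perturbation an easy shortcut for a network to learn instead of the image content, which is the kind of statistic one would compute on a suspected dataset.

```python
import random
from typing import Dict, List, Sequence

Grid = List[List[float]]


def generate_ar_field(height: int, width: int,
                      coeffs: Sequence[Sequence[float]], seed: int) -> Grid:
    """Generate a 2-D autoregressive (AR) noise field of the given size.

    coeffs[a][b] weights the already-generated value at position (i - a, j - b);
    entry (0, 0) is skipped so the filter stays causal. Each value is that
    weighted sum plus fresh Gaussian innovation noise, so the field depends only
    on the coefficient matrix and the seed: no training data is consulted.
    Keep sum(|coeffs|) < 1 so the process stays stable (assumed rule of thumb).
    """
    rng = random.Random(seed)
    field = [[0.0] * width for _ in range(height)]
    for i in range(height):
        for j in range(width):
            value = rng.gauss(0.0, 1.0)
            for a, row in enumerate(coeffs):
                for b, c in enumerate(row):
                    if (a == 0 and b == 0) or i - a < 0 or j - b < 0:
                        continue
                    value += c * field[i - a][j - b]
            field[i][j] = value
    return field


def scale_to_budget(field: Grid, eps: float) -> Grid:
    """Rescale the field so its largest absolute entry equals eps (L_inf budget)."""
    peak = max(abs(v) for row in field for v in row)
    if peak == 0.0:
        return [row[:] for row in field]
    factor = eps / peak
    return [[v * factor for v in row] for row in field]


def poison_image(image: Grid, coeffs: Sequence[Sequence[float]],
                 eps: float, seed: int) -> Grid:
    """Add a budget-limited AR perturbation to one grayscale image in [0, 1]."""
    delta = scale_to_budget(
        generate_ar_field(len(image), len(image[0]), coeffs, seed), eps)
    return [[min(1.0, max(0.0, p + d)) for p, d in zip(prow, drow)]
            for prow, drow in zip(image, delta)]


def poison_dataset(images: List[Grid], labels: List[int],
                   class_coeffs: Dict[int, Sequence[Sequence[float]]],
                   eps: float, base_seed: int = 0) -> List[Grid]:
    """Class-wise poisoning (assumed scheme): every image of a class shares one
    AR filter, so the perturbations share a spatial correlation structure while
    the innovation noise differs per sample through the per-sample seed."""
    return [poison_image(img, class_coeffs[lbl], eps, base_seed + k)
            for k, (img, lbl) in enumerate(zip(images, labels))]


def linf_distance(a: Grid, b: Grid) -> float:
    """Largest per-pixel difference between two images."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def lag_correlation(field: Grid, da: int, db: int) -> float:
    """Sample correlation between each entry and its neighbour at offset (da, db).

    A strong correlation at a fixed lag that is consistent within a class is a
    shortcut a network can learn instead of the actual image content.
    """
    xs, ys = [], []
    for i in range(len(field) - da):
        for j in range(len(field[0]) - db):
            xs.append(field[i][j])
            ys.append(field[i + da][j + db])
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


if __name__ == "__main__":
    # Constructed demo: two classes with their own (assumed) AR filters, one
    # horizontal and one vertical, applied to a flat mid-gray 32x32 "image".
    filters = {0: [[0.0, 0.8]], 1: [[0.0, 0.0], [0.8, 0.0]]}
    gray = [[0.5] * 32 for _ in range(32)]
    poisoned = poison_dataset([gray, gray], [0, 1], filters, eps=8 / 255)
    for lbl, img in zip([0, 1], poisoned):
        delta = [[p - g for p, g in zip(pr, gr)] for pr, gr in zip(img, gray)]
        print(f"class {lbl}: L_inf={linf_distance(img, gray):.4f} "
              f"corr(0,1)={lag_correlation(delta, 0, 1):.2f} "
              f"corr(1,0)={lag_correlation(delta, 1, 0):.2f}")
```

Running the demo shows the horizontal filter producing a high lag-(0,1) correlation and near-zero lag-(1,0) correlation, and the vertical filter the reverse, while every pixel change stays within the 8/255 budget. That separability is what a classifier can exploit as a shortcut, and it is what a defense such as strong augmentation or adversarial training has to break.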