LG, CR, CV | Jul 2, 2024

Beyond Full Poisoning: Effective Availability Attacks with Partial Perturbation

arXiv:2407.02437v2 | 1 citation | h-index: 3 | Has Code
AI Analysis

This work addresses the challenge data owners face in safeguarding their data against misuse when full poisoning is not feasible, representing a significant advancement over prior work.

The paper tackles the problem of data misuse by proposing a novel availability attack called Parameter Matching Attack (PMA), which effectively degrades model performance by over 30% even when only a portion of the training data is perturbed, outperforming existing methods across four datasets.

The widespread use of publicly available datasets for training machine learning models raises significant concerns about data misuse. Availability attacks have emerged as a means for data owners to safeguard their data by designing imperceptible perturbations that degrade model performance when incorporated into training datasets. However, existing availability attacks are ineffective when only a portion of the data can be perturbed. To address this challenge, we propose a novel availability attack approach termed Parameter Matching Attack (PMA). PMA is the first availability attack capable of causing more than a 30% performance drop when only a portion of data can be perturbed. PMA optimizes perturbations so that when the model is trained on a mixture of clean and perturbed data, the resulting model will approach a model designed to perform poorly. Experimental results across four datasets demonstrate that PMA outperforms existing methods, achieving significant model performance degradation when a part of the training data is perturbed. Our code is available in the supplementary materials.
