Beyond Full Poisoning: Effective Availability Attacks with Partial Perturbation

TL;DR

This paper introduces the Parameter Matching Attack (PMA), a novel availability attack that effectively degrades model performance by perturbing only part of the training data, surpassing previous methods in partial data scenarios.

Contribution

The paper presents PMA, the first availability attack capable of causing significant performance drops with only partial data perturbation, advancing data protection techniques.

Findings

PMA achieves over 30% performance degradation with partial data perturbation.

PMA outperforms existing availability attack methods across four datasets.

Experimental results confirm PMA's effectiveness in real-world scenarios.

Abstract

The widespread use of publicly available datasets for training machine learning models raises significant concerns about data misuse. Availability attacks have emerged as a means for data owners to safeguard their data by designing imperceptible perturbations that degrade model performance when incorporated into training datasets. However, existing availability attacks are ineffective when only a portion of the data can be perturbed. To address this challenge, we propose a novel availability attack approach termed Parameter Matching Attack (PMA). PMA is the first availability attack capable of causing more than a 30\% performance drop when only a portion of data can be perturbed. PMA optimizes perturbations so that when the model is trained on a mixture of clean and perturbed data, the resulting model will approach a model designed to perform poorly. Experimental results across four datasets demonstrate that PMA outperforms existing methods, achieving significant model performance degradation when a part of the training data is perturbed. Our code is available in the supplementary materials.