DATABench: Evaluating Dataset Auditing in Deep Learning from an Adversarial Perspective

TL;DR

This paper evaluates the robustness of dataset auditing methods in deep learning against adversarial attacks, introduces a comprehensive benchmark, and highlights the need for more secure auditing techniques.

Contribution

It introduces DATABench, a new benchmark with attack strategies and evaluation of existing auditing methods under adversarial conditions.

Findings

Existing auditing methods lack robustness against adversarial attacks.

DATABench includes 17 evasion and 5 forgery attacks for comprehensive evaluation.

Current methods are insufficiently reliable in adversarial scenarios.

Abstract

The widespread application of Deep Learning across diverse domains hinges critically on the quality and composition of training datasets. However, the common lack of disclosure regarding their usage raises significant privacy and copyright concerns. Dataset auditing techniques, which aim to determine if a specific dataset was used to train a given suspicious model, provide promising solutions to addressing these transparency gaps. While prior work has developed various auditing methods, their resilience against dedicated adversarial attacks remains largely unexplored. To bridge the gap, this paper initiates a comprehensive study evaluating dataset auditing from an adversarial perspective. We start with introducing a novel taxonomy, classifying existing methods based on their reliance on internal features (IF) (inherent to the data) versus external features (EF) (artificially introduced for auditing). Subsequently, we formulate two primary attack types: evasion attacks, designed to conceal the use of a dataset, and forgery attacks, intending to falsely implicate an unused dataset. Building on the understanding of existing methods and attack objectives, we further propose systematic attack strategies: decoupling, removal, and detection for evasion; adversarial example-based methods for forgery. These formulations and strategies lead to our new benchmark, DATABench, comprising 17 evasion attacks, 5 forgery attacks, and 9 representative auditing methods. Extensive evaluations using DATABench reveal that none of the evaluated auditing methods are sufficiently robust or distinctive under adversarial settings. These findings underscore the urgent need for developing a more secure and reliable dataset auditing method capable of withstanding sophisticated adversarial manipulation. Code is available in https://github.com/shaoshuo-ss/DATABench.