English

Autoregressive Perturbations for Data Poisoning

Machine Learning 2022-10-17 v3 Cryptography and Security

Abstract

The prevalence of data scraping from social media as a means to obtain datasets has led to growing concerns regarding unauthorized use of data. Data poisoning attacks have been proposed as a bulwark against scraping, as they make data "unlearnable" by adding small, imperceptible perturbations. Unfortunately, existing methods require knowledge of both the target architecture and the complete dataset so that a surrogate network can be trained, the parameters of which are used to generate the attack. In this work, we introduce autoregressive (AR) poisoning, a method that can generate poisoned data without access to the broader dataset. The proposed AR perturbations are generic, can be applied across different datasets, and can poison different architectures. Compared to existing unlearnable methods, our AR poisons are more resistant against common defenses such as adversarial training and strong data augmentations. Our analysis further provides insight into what makes an effective data poison.

Keywords

Cite

@article{arxiv.2206.03693,
  title  = {Autoregressive Perturbations for Data Poisoning},
  author = {Pedro Sandoval-Segura and Vasu Singla and Jonas Geiping and Micah Goldblum and Tom Goldstein and David W. Jacobs},
  journal= {arXiv preprint arXiv:2206.03693},
  year   = {2022}
}

Comments

Accepted to NeurIPS 2022. Code available at https://github.com/psandovalsegura/autoregressive-poisoning

R2 v1 2026-06-24T11:43:01.818Z