English

Beyond Full Poisoning: Effective Availability Attacks with Partial Perturbation

Machine Learning 2025-03-11 v2 Cryptography and Security Computer Vision and Pattern Recognition

Abstract

The widespread use of publicly available datasets for training machine learning models raises significant concerns about data misuse. Availability attacks have emerged as a means for data owners to safeguard their data by designing imperceptible perturbations that degrade model performance when incorporated into training datasets. However, existing availability attacks are ineffective when only a portion of the data can be perturbed. To address this challenge, we propose a novel availability attack approach termed Parameter Matching Attack (PMA). PMA is the first availability attack capable of causing more than a 30\% performance drop when only a portion of data can be perturbed. PMA optimizes perturbations so that when the model is trained on a mixture of clean and perturbed data, the resulting model will approach a model designed to perform poorly. Experimental results across four datasets demonstrate that PMA outperforms existing methods, achieving significant model performance degradation when a part of the training data is perturbed. Our code is available in the supplementary materials.

Keywords

Cite

@article{arxiv.2407.02437,
  title  = {Beyond Full Poisoning: Effective Availability Attacks with Partial Perturbation},
  author = {Yu Zhe and Jun Sakuma},
  journal= {arXiv preprint arXiv:2407.02437},
  year   = {2025}
}

Comments

10 pages; updated, previous title <Parameter Matching Attack: Enhancing Practical Applicability of Availability Attacks>

R2 v1 2026-06-28T17:26:51.368Z