Beyond Full Poisoning: Effective Availability Attacks with Partial Perturbation
Abstract
The widespread use of publicly available datasets for training machine learning models raises significant concerns about data misuse. Availability attacks have emerged as a means for data owners to safeguard their data by designing imperceptible perturbations that degrade model performance when incorporated into training datasets. However, existing availability attacks are ineffective when only a portion of the data can be perturbed. To address this challenge, we propose a novel availability attack approach termed Parameter Matching Attack (PMA). PMA is the first availability attack capable of causing more than a 30\% performance drop when only a portion of data can be perturbed. PMA optimizes perturbations so that when the model is trained on a mixture of clean and perturbed data, the resulting model will approach a model designed to perform poorly. Experimental results across four datasets demonstrate that PMA outperforms existing methods, achieving significant model performance degradation when a part of the training data is perturbed. Our code is available in the supplementary materials.
Cite
@article{arxiv.2407.02437,
title = {Beyond Full Poisoning: Effective Availability Attacks with Partial Perturbation},
author = {Yu Zhe and Jun Sakuma},
journal= {arXiv preprint arXiv:2407.02437},
year = {2025}
}
Comments
10 pages; updated, previous title <Parameter Matching Attack: Enhancing Practical Applicability of Availability Attacks>