2023
DOI: 10.48550/arxiv.2303.08500
Preprint

The Devil's Advocate: Shattering the Illusion of Unexploitable Data using Diffusion Models

Abstract: Protecting personal data against the exploitation of machine learning models is of paramount importance. Recently, availability attacks have shown great promise to provide an extra layer of protection against the unauthorized use of data to train neural networks. These methods aim to add imperceptible noise to clean data so that the neural networks cannot extract meaningful patterns from the protected data, claiming that they can make personal data "unexploitable." In this paper, we provide a strong countermea…

Cited by 3 publications (13 citation statements)
References 34 publications
“…This defense mechanism operates in a black-box manner, without prior knowledge of the attack settings (e.g., the target label, poison rate and trigger functions), as well as any known benign or poisoned samples from the given data. We assume that the defender has access to pre-trained diffusion models representing identical or similar distributions (consistent with prior studies (Nie et al 2022; Xiao et al 2023; May et al 2023; Shi et al 2023; Dolatabadi, Erfani, and Leckie 2023; Jiang et al 2023)), which can be sourced as off-the-shelf models or trained using data provided from authoritative and trustworthy communities and institutions. Beyond this assumption, our experiments also validate the effectiveness of DATAELIXIR using diffusion models trained on disparate data and even poisoned data.…”
Section: Threat Model (mentioning)
confidence: 98%
“…Countermeasures against UEs have only been attempted very recently [7,24,33]. Adversarial Training (AT) [21] has been shown to partially resist UE protection, but robust UE soon broke through this countermeasure [11,44].…”
Section: Related Work 21 Unlearnable Examples (mentioning)
confidence: 99%
“…However, these methods are associated with specific training schemes, which limits the use of unauthorized data for other training schemes and tasks. The recent arXiv paper [7] applies diffusion models to counter UEs. The major differences to our approach are that we propose a new joint-conditional diffusion model instead of a naive application of the diffusion model, tackling the trade-off between perturbation purification and image semantic retaining.…”
Section: Related Work 21 Unlearnable Examples (mentioning)
confidence: 99%
“…Sandoval-Segura et al (2023) suggests that the orthogonal projection technique is effective against class-wise attacks. Diffusion models have been proposed to purify unlearnable perturbations (Jiang et al, 2023;Dolatabadi et al, 2023). Qin et al (2023a) introduced a benchmark for availability attacks.…”
Section: A Additional Related Work (mentioning)
confidence: 99%
“…12, the larger the poisoning budgets, the better the attack performance. On the defense side against availability attacks, AT (Madry et al, 2018) and AdvCL (Kim et al, 2020) applied adversarial training in supervised learning and contrastive learning respectively; ISS (Liu et al, 2023b) and UEraser (Qin et al, 2023b) leveraged designed data augmentations to eliminate supervised unlearnability; AVATAR (Dolatabadi et al, 2023) employed a diffusion model to purify poisoned data. In Table 13, we evaluate our attacks through these defense methods as well as SimCLR with Cutout (DeVries & Taylor, 2017), Random noise, and Gaussian Blur.…”
Section: C4 Strength and Gaps (mentioning)
confidence: 99%