The widespread use of personal data for training machine learning models raises significant privacy concerns, as individuals have limited control over how their public data is subsequently utilized. Availability attacks have emerged as a means for data owners to safeguard their data by designing imperceptible perturbations that degrade model performance when incorporated into training datasets. However, existing availability attacks exhibit limitations in practical applicability, particularly when only a portion of the data can be perturbed. To address this challenge, we propose a novel availability attack approach termed Parameter Matching Attack (PMA). PMA is the first availability attack that works when only a portion of the data can be perturbed. PMA optimizes perturbations so that when the model is trained on a mixture of clean and perturbed data, the resulting model approaches a model designed to perform poorly. Experimental results across four datasets demonstrate that PMA outperforms existing methods, achieving significant model performance degradation when only a part of the training data is perturbed. Our code is available in the supplementary material.