Protecting personal data against exploitation by machine learning models is of paramount importance. Recently, availability attacks have shown great promise as an extra layer of protection against the unauthorized use of data to train neural networks. These methods add imperceptible noise to clean data so that neural networks cannot extract meaningful patterns from the protected data, and their authors claim that they make personal data "unexploitable." In this paper, we provide a strong countermeasure against such approaches, showing that unexploitable data might be only an illusion. In particular, we leverage the power of diffusion models and show that a carefully designed denoising process can neutralize the effect of the data-protecting perturbations. We rigorously analyze our algorithm and theoretically prove that the amount of denoising required is directly related to the magnitude of the data-protecting perturbations. Our approach, called AVATAR, delivers state-of-the-art performance against a suite of recent availability attacks in various scenarios, outperforming adversarial training. Our findings call for more research into making personal data unexploitable, showing that this goal is far from achieved.