Perturbative availability poisons (PAPs) add small changes to images to prevent their use for model training. Current research adopts the belief that practical and effective approaches to countering PAPs do not exist. In this paper, we argue that it is time to abandon this belief. We present extensive experiments showing that 12 state-of-the-art PAP methods are vulnerable to Image Shortcut Squeezing (ISS), which is based on simple compression. For example, on average, ISS restores the CIFAR-10 model accuracy to $81.73\%$, surpassing the previous best preprocessing-based countermeasures by $37.97\%$ absolute. ISS also (slightly) outperforms adversarial training and has higher generalizability to unseen perturbation norms and also higher efficiency. Our investigation reveals that the property of PAP perturbations depends on the type of surrogate model used for poison generation, and it explains why a specific ISS compression yields the best performance for a specific type of PAP perturbation. We further test stronger, adaptive poisoning, and show it falls short of being an ideal defense against ISS. Overall, our results demonstrate the importance of considering various (simple) countermeasures to ensure the meaningfulness of analysis carried out during the development of PAP methods.
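As an added illustration (not code from the paper), the sketch below applies bit-depth reduction to a constructed image pair and measures what share of channel values still differ between the squeezed clean image and the squeezed perturbed image. Bit-depth reduction is an assumption chosen here as one simple compression, since the abstract does not name the specific operations; the random image, the ±8 perturbation and all function names are constructed for the example.

```python
import random

def squeeze_bits(img, bits):
    """Reduce each 8-bit channel value to `bits` bits, then rescale to 0..255."""
    levels = (1 << bits) - 1
    def q(c):
        level = (2 * c * levels + 255) // 510         # nearest quantisation level
        return (level * 255 + levels // 2) // levels  # map the level back to 0..255
    return [[[q(c) for c in px] for px in row] for row in img]

def make_pair(size=32, eps=8, seed=0):
    """Constructed data: a random 'clean' RGB image and a copy with +/-eps added."""
    rng = random.Random(seed)
    clean = [[[rng.randrange(eps, 256 - eps) for _ in range(3)]
              for _ in range(size)] for _ in range(size)]
    # Stand-in for a small bounded perturbation; real PAP perturbations are optimised.
    perturbed = [[[c + rng.choice((-eps, eps)) for c in px] for px in row]
                 for row in clean]
    return clean, perturbed

def fraction_identical(a, b):
    """Share of channel values that are equal in two same-sized images."""
    pairs = [(x, y) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb)
             for x, y in zip(pa, pb)]
    return sum(x == y for x, y in pairs) / len(pairs)

def surviving_fraction(bits, eps=8):
    """Share of channel values in which the perturbation is still visible after squeezing."""
    clean, perturbed = make_pair(eps=eps)
    return 1 - fraction_identical(squeeze_bits(clean, bits),
                                  squeeze_bits(perturbed, bits))

if __name__ == "__main__":
    for bits in (8, 4, 2):
        print(f"{bits}-bit squeeze: perturbation survives in "
              f"{surviving_fraction(bits):.1%} of channel values")
```

Values that still differ after squeezing differ by a whole quantisation step, so this measures how many values carry the perturbation, not its magnitude; it does not reproduce the accuracy figures reported in the abstract.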