Perturbative availability poisoning (PAP) adds small changes to images to prevent their use for model training. Current research adopts the belief that practical and effective approaches to countering such poisons do not exist. In this paper, we argue that it is time to abandon this belief. We present extensive experiments showing that 12 state-of-the-art PAP methods are vulnerable to Image Shortcut Squeezing (ISS), which is based on simple compression. For example, on average, ISS restores the CIFAR-10 model accuracy to $81.73\%$, surpassing the previous best preprocessing-based countermeasures by $37.97\%$ absolute. ISS also (slightly) outperforms adversarial training, generalizes better to unseen perturbation norms, and is more efficient. Our investigation reveals that the property of PAP perturbations depends on the type of surrogate model used for poison generation, and it explains why a specific ISS compression yields the best performance for a specific type of PAP perturbation. We further test stronger, adaptive poisoning, and show it falls short of being an ideal defense against ISS. Overall, our results demonstrate the importance of considering various (simple) countermeasures to ensure the meaningfulness of analysis carried out during the development of availability poisons.