Saved in:
Bibliographic Details
Main Authors: Wang, Yihan, Lu, Yiwei, Gao, Xiao-Shan, Kamath, Gautam, Yu, Yaoliang
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.21061
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913835930091520
author Wang, Yihan
Lu, Yiwei
Gao, Xiao-Shan
Kamath, Gautam
Yu, Yaoliang
author_facet Wang, Yihan
Lu, Yiwei
Gao, Xiao-Shan
Kamath, Gautam
Yu, Yaoliang
contents Availability attacks, or unlearnable examples, are defensive techniques that allow data owners to modify their datasets in ways that prevent unauthorized machine learning models from learning effectively while maintaining the data's intended functionality. It has led to the release of popular black-box tools (e.g., APIs) for users to upload personal data and receive protected counterparts. In this work, we show that such black-box protections can be substantially compromised if a small set of unprotected in-distribution data is available. Specifically, we propose a novel threat model of protection leakage, where an adversary can (1) easily acquire (unprotected, protected) pairs by querying the black-box protections with a small unprotected dataset; and (2) train a diffusion bridge model to build a mapping between unprotected and protected data. This mapping, termed BridgePure, can effectively remove the protection from any previously unseen data within the same distribution. BridgePure demonstrates superior purification performance on classification and style mimicry tasks, exposing critical vulnerabilities in black-box data protection. We suggest that practitioners implement multi-level countermeasures to mitigate such risks.
format Preprint
id arxiv_https___arxiv_org_abs_2412_21061
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle BridgePure: Limited Protection Leakage Can Break Black-Box Data Protection
Wang, Yihan
Lu, Yiwei
Gao, Xiao-Shan
Kamath, Gautam
Yu, Yaoliang
Machine Learning
Availability attacks, or unlearnable examples, are defensive techniques that allow data owners to modify their datasets in ways that prevent unauthorized machine learning models from learning effectively while maintaining the data's intended functionality. It has led to the release of popular black-box tools (e.g., APIs) for users to upload personal data and receive protected counterparts. In this work, we show that such black-box protections can be substantially compromised if a small set of unprotected in-distribution data is available. Specifically, we propose a novel threat model of protection leakage, where an adversary can (1) easily acquire (unprotected, protected) pairs by querying the black-box protections with a small unprotected dataset; and (2) train a diffusion bridge model to build a mapping between unprotected and protected data. This mapping, termed BridgePure, can effectively remove the protection from any previously unseen data within the same distribution. BridgePure demonstrates superior purification performance on classification and style mimicry tasks, exposing critical vulnerabilities in black-box data protection. We suggest that practitioners implement multi-level countermeasures to mitigate such risks.
title BridgePure: Limited Protection Leakage Can Break Black-Box Data Protection
topic Machine Learning
url https://arxiv.org/abs/2412.21061