The Devil's Advocate: Shattering the Illusion of Unexploitable Data using Diffusion Models

by Hadi M. Dolatabadi, et al.

Protecting personal data against exploitation by machine learning models is of paramount importance. Recently, availability attacks have shown great promise as an extra layer of protection against the unauthorized use of data to train neural networks. These methods add imperceptible noise to clean data so that neural networks cannot extract meaningful patterns from the protected data, and claim that this makes personal data "unexploitable." In this paper, we provide a strong countermeasure against such approaches, showing that unexploitable data might be only an illusion. In particular, we leverage the power of diffusion models and show that a carefully designed denoising process can defuse the effect of the data-protecting perturbations. We rigorously analyze our algorithm and prove that the amount of required denoising is directly related to the magnitude of the data-protecting perturbations. Our approach, called AVATAR, delivers state-of-the-art performance against a suite of recent availability attacks in various scenarios, outperforming adversarial training. Our findings call for more research into making personal data unexploitable, showing that this goal is far from achieved.
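The following is an added illustration of the abstract's central quantitative claim, that the amount of diffusion noise needed to wash out a data-protecting perturbation grows with the perturbation's magnitude. It is not the paper's code and does not reproduce AVATAR or its theorem. It assumes the standard DDPM forward process x_t = sqrt(alpha_bar_t) x_0 + sqrt(1 - alpha_bar_t) eps with a linear beta schedule (an assumption), uses the closed-form KL divergence between two equal-covariance isotropic Gaussians as a proxy for how distinguishable a protected image is from its clean counterpart after t forward steps, and picks a CIFAR-like dimension, an L_inf budget and a KL threshold of 1.0 purely as constructed inputs. The names `kl_after_diffusion`, `min_timestep` and `linf_budget_sq_norm` are hypothetical helpers introduced here.

```python
"""Added example: how far a DDPM forward process must run before an L_inf-bounded
data-protecting perturbation becomes statistically hard to tell from clean data.
Assumes a linear beta schedule (not the paper's code or settings)."""
import math

T = 1000                       # number of diffusion steps (assumed)
BETA_START, BETA_END = 1e-4, 0.02  # linear schedule endpoints (assumed, DDPM defaults)


def alpha_bar_schedule(T=T, beta_start=BETA_START, beta_end=BETA_END):
    """Return alpha_bar_t = prod_{s<=t}(1 - beta_s) for t = 0..T (index 0 is 1.0)."""
    abar = [1.0]
    for i in range(T):
        beta = beta_start + (beta_end - beta_start) * i / (T - 1)
        abar.append(abar[-1] * (1.0 - beta))
    return abar


ALPHA_BAR = alpha_bar_schedule()


def kl_after_diffusion(delta_sq_norm, t):
    """KL( q(x_t | x0) || q(x_t | x0 + delta) ).

    Both are isotropic Gaussians with variance (1 - abar_t) and means differing by
    sqrt(abar_t) * delta, so the KL is abar_t * ||delta||^2 / (2 * (1 - abar_t)).
    Smaller values mean the protected and clean images are harder to distinguish.
    """
    abar = ALPHA_BAR[t]
    return abar * delta_sq_norm / (2.0 * (1.0 - abar))


def min_timestep(delta_sq_norm, kl_budget):
    """Smallest t whose KL is at or below kl_budget: a proxy for the required denoising.

    Returns None if even t = T does not bring the KL under the budget.
    """
    for t in range(1, T + 1):
        if kl_after_diffusion(delta_sq_norm, t) <= kl_budget:
            return t
    return None


def linf_budget_sq_norm(eps, dim):
    """Worst-case squared L2 norm of an L_inf-bounded perturbation (every pixel at +/- eps)."""
    return dim * eps * eps


def noise_std_at(t):
    """Standard deviation of the Gaussian noise present in x_t relative to a unit-scale image."""
    return math.sqrt(1.0 - ALPHA_BAR[t])


def demo(dim=3 * 32 * 32, kl_budget=1.0):
    """Constructed sweep over common L_inf budgets; returns (eps, t_star, noise_std) rows."""
    rows = []
    for eps in (2 / 255, 4 / 255, 8 / 255, 16 / 255):
        t_star = min_timestep(linf_budget_sq_norm(eps, dim), kl_budget)
        rows.append((eps, t_star, noise_std_at(t_star) if t_star is not None else None))
    return rows


if __name__ == "__main__":
    for eps, t_star, std in demo():
        print(f"eps={eps:.4f}  t*={t_star}  noise std at t*={std:.3f}")
```

The sweep shows t* rising monotonically with eps: a larger protective perturbation needs more forward noise before it is masked, and correspondingly more image detail (noise_std_at grows with t*) has to be reconstructed by the reverse process. That is the trade-off a defender evaluating this kind of purification would want to quantify before trusting the recovered training set.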

