Shengyuan Pang,Yanjiao Chen,Jiangyi Deng,Jialin Wu,Yijie Bai,Wenyuan Xu

DOI: https://doi.org/10.1109/metacom62920.2024.00040

2024-01-01

Abstract:Machine learning models dazzle us with their incredible performance but may irritate us with data privacy issues. Various attacks have been proposed to peep into the sensitive training data of machine learning models, the mainstream ones being membership inference attacks and model inversion attacks. As a countermeasure, defense strategies have been devised. Nonetheless, a unified theoretical framework and evaluation testbed for training data privacy analysis is lacking. In this paper, we taxonomize representative attack methods regarding the attack objective, attack knowledge, and attack capability. As for the defense, we focus on the novel idea of turning adversarial attacks into privacy protection tools, hence the title adversarial for good. To provide an open-sourced integrated platform to evaluate different attacks and defenses. Our experiment results show that adopting adversarial example attacks and adversarial training for data privacy protection is compelling, which may motivate more efforts in transforming adversarial to good in the future.

Sicong Liu,Anshumali Shrivastava,Junzhao Du,Lin Zhong

2019-01-01

Abstract:The remarkable success of machine learning, especially deep learning, has produced a variety of cloud-based services for mobile users. Such services require an end user to send data to the service provider, which presents a serious challenge to end-user privacy. To address this concern, prior works either add noise to the data or send features extracted from the raw data. They struggle to balance between the utility and privacy because added noise reduces utility and raw data can be reconstructed from extracted features. This work represents a methodical departure from prior works: we balance between a measure of privacy and another of utility by leveraging adversarial learning to find a sweeter tradeoff. We design an encoder that optimizes against the reconstruction error (a measure of privacy), adversarially by a Decoder, and the inference accuracy (a measure of utility) by a Classifier. The result is RAN, a novel deep model with a new training algorithm that automatically extracts features for classification that are both private and useful. It turns out that adversarially forcing the extracted features to only conveys the intended information required by classification leads to an implicit regularization leading to better classification accuracy than the original model which completely ignores privacy. Thus, we achieve better privacy with better utility, a surprising possibility in machine learning! We conducted extensive experiments on five popular datasets over four training schemes, and demonstrate the superiority of RAN compared with existing alternatives.

Sicong Liu,Junzhao Du,Anshumali Shrivastava,Lin Zhong

DOI: https://doi.org/10.1145/3369816

2020-06-08

Abstract:The remarkable success of machine learning has fostered a growing number of cloud-based intelligent services for mobile users. Such a service requires a user to send data, e.g. image, voice and video, to the provider, which presents a serious challenge to user privacy. To address this, prior works either obfuscate the data, e.g. add noise and remove identity information, or send representations extracted from the data, e.g. anonymized features. They struggle to balance between the service utility and data privacy because obfuscated data reduces utility and extracted representation may still reveal sensitive information. This work departs from prior works in methodology: we leverage adversarial learning to a better balance between privacy and utility. We design a \textit{representation encoder} that generates the feature representations to optimize against the privacy disclosure risk of sensitive information (a measure of privacy) by the \textit{privacy adversaries}, and concurrently optimize with the task inference accuracy (a measure of utility) by the \textit{utility discriminator}. The result is the privacy adversarial network (\systemname), a novel deep model with the new training algorithm, that can automatically learn representations from the raw data. Intuitively, PAN adversarially forces the extracted representations to only convey the information required by the target task. Surprisingly, this constitutes an implicit regularization that actually improves task accuracy. As a result, PAN achieves better utility and better privacy at the same time! We report extensive experiments on six popular datasets and demonstrate the superiority of \systemname compared with alternative methods reported in prior work.

Machine Learning,Artificial Intelligence,Cryptography and Security

Shayan Gharib,Minh Tran,Diep Luong,Konstantinos Drossos,Tuomas Virtanen

DOI: https://doi.org/10.1109/OJSP.2023.3349113

2024-01-03

Abstract:Sound event detection systems are widely used in various applications such as surveillance and environmental monitoring where data is automatically collected, processed, and sent to a cloud for sound recognition. However, this process may inadvertently reveal sensitive information about users or their surroundings, hence raising privacy concerns. In this study, we propose a novel adversarial training method for learning representations of audio recordings that effectively prevents the detection of speech activity from the latent features of the recordings. The proposed method trains a model to generate invariant latent representations of speech-containing audio recordings that cannot be distinguished from non-speech recordings by a speech classifier. The novelty of our work is in the optimization algorithm, where the speech classifier's weights are regularly replaced with the weights of classifiers trained in a supervised manner. This increases the discrimination power of the speech classifier constantly during the adversarial training, motivating the model to generate latent representations in which speech is not distinguishable, even using new speech classifiers trained outside the adversarial training loop. The proposed method is evaluated against a baseline approach with no privacy measures and a prior adversarial training method, demonstrating a significant reduction in privacy violations compared to the baseline approach. Additionally, we show that the prior adversarial method is practically ineffective for this purpose.

Sound,Cryptography and Security,Machine Learning,Audio and Speech Processing

Na Ruan,Jikun Chen,Tu Huang,Zekun Sun,Jie Li

DOI: https://doi.org/10.1109/TMC.2024.3405548

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:The performance of deep learning models highly depends on the amount of training data. It is common practice for today's data holders to merge their datasets and train models collaboratively, which yet poses a threat to data privacy. Different from existing methods such as secure multi-party computation (MPC) and federated learning (FL), we find representation learning has unique advantages in collaborative learning due to its low privacy budget, wide applicability to tasks and lower communication overhead. However, data representations face the threat of model inversion attacks. In this article, we formally define the collaborative learning scenario, and present ARS (for adversarial representation sharing), a collaborative learning framework wherein users share representations of data to train models, and add imperceptible adversarial noise to data representations against reconstruction or attribute extraction attacks. By theoretical analysis and evaluating ARS in different contexts, we demonstrate that our mechanism is effective against model inversion attacks, and can achieve great utility and low communication complexity while preserving data privacy. Moreover, the ARS framework has wide applicability, which can be easily extended to the vertical data partitioning scenario and utilized in different tasks.

Zhenyu Wu,Zhangyang Wang,Zhaowen Wang,Hailin Jin

DOI: https://doi.org/10.48550/arXiv.1807.08379

2020-10-23

Abstract:This paper aims to improve privacy-preserving visual recognition, an increasingly demanded feature in smart camera applications, by formulating a unique adversarial training framework. The proposed framework explicitly learns a degradation transform for the original video inputs, in order to optimize the trade-off between target task performance and the associated privacy budgets on the degraded video. A notable challenge is that the privacy budget, often defined and measured in task-driven contexts, cannot be reliably indicated using any single model performance, because a strong protection of privacy has to sustain against any possible model that tries to hack privacy information. Such an uncommon situation has motivated us to propose two strategies, i.e., budget model restarting and ensemble, to enhance the generalization of the learned degradation on protecting privacy against unseen hacker models. Novel training strategies, evaluation protocols, and result visualization methods have been designed accordingly. Two experiments on privacy-preserving action recognition, with privacy budgets defined in various ways, manifest the compelling effectiveness of the proposed framework in simultaneously maintaining high target task (action recognition) performance while suppressing the privacy breach risk.

Computer Vision and Pattern Recognition

Zhibo Wang,He Wang,Shuaifan Jin,Wenwen Zhang,Jiahui Hu,Yan Wang,Peng Sun,Wei Yuan,Kaixin Liu,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2305.05391

2023-05-08

Abstract:Face recognition service providers protect face privacy by extracting compact and discriminative facial features (representations) from images, and storing the facial features for real-time recognition. However, such features can still be exploited to recover the appearance of the original face by building a reconstruction network. Although several privacy-preserving methods have been proposed, the enhancement of face privacy protection is at the expense of accuracy degradation. In this paper, we propose an adversarial features-based face privacy protection (AdvFace) approach to generate privacy-preserving adversarial features, which can disrupt the mapping from adversarial features to facial images to defend against reconstruction attacks. To this end, we design a shadow model which simulates the attackers' behavior to capture the mapping function from facial features to images and generate adversarial latent noise to disrupt the mapping. The adversarial features rather than the original features are stored in the server's database to prevent leaked features from exposing facial information. Moreover, the AdvFace requires no changes to the face recognition network and can be implemented as a privacy-enhancing plugin in deployed face recognition systems. Extensive experimental results demonstrate that AdvFace outperforms the state-of-the-art face privacy-preserving methods in defending against reconstruction attacks while maintaining face recognition accuracy.

Computer Vision and Pattern Recognition

Jikun Chen,Feng Qiang,Na Ruan

DOI: https://doi.org/10.48550/arXiv.2203.14299

2022-03-27

Abstract:The performance of deep learning models highly depends on the amount of training data. It is common practice for today's data holders to merge their datasets and train models collaboratively, which yet poses a threat to data privacy. Different from existing methods such as secure multi-party computation (MPC) and federated learning (FL), we find representation learning has unique advantages in collaborative learning due to the lower communication overhead and task-independency. However, data representations face the threat of model inversion attacks. In this article, we formally define the collaborative learning scenario, and quantify data utility and privacy. Then we present ARS, a collaborative learning framework wherein users share representations of data to train models, and add imperceptible adversarial noise to data representations against reconstruction or attribute extraction attacks. By evaluating ARS in different contexts, we demonstrate that our mechanism is effective against model inversion attacks, and achieves a balance between privacy and utility. The ARS framework has wide applicability. First, ARS is valid for various data types, not limited to images. Second, data representations shared by users can be utilized in different tasks. Third, the framework can be easily extended to the vertical data partitioning scenario.

Cryptography and Security,Machine Learning

Zhibo Wang,Wei Yuan,Xiaoyi Pang,Jingxin Li,Huajie Shao

DOI: https://doi.org/10.23919/jcc.2022.07.023

2022-01-01

China Communications

Abstract:With the rapid developments of Internet of Things（IoT） and proliferation of embedded devices, large volume of personal data are collected,which however, might carry massive private information about attributes that users do not want to share.Many privacy-preserving methods have been proposed to prevent privacy leakage by perturbing raw data or extracting task-oriented features at local devices. Unfortunately, they would suffer from significant privacy leakage and accuracy drop when applied to other tasks as they are designed and optimized for predefined tasks. In this paper, we propose a novel task-free privacy-preserving data collection method via adversarial representation learning, called TF-ARL, to protect private attributes specified by users while maintaining data utility for unknown downstream tasks. To this end, we first propose a privacy adversarial learning mechanism（PAL） to protect private attributes by optimizing the feature extractor to maximize the adversary’s prediction uncertainty on private attributes, and then design a conditional decoding mechanism（ConDec） to maintain data utility for downstream tasks by minimizing the conditional reconstruction error from the sanitized features. With the joint learning of PAL and ConDec, we can learn a privacy-aware feature extractor where the sanitized features maintain the discriminative information except privacy. Extensive experimental results on real-world datasets demonstrate the effectiveness of TF-ARL.

Binghui Zhang,Sayedeh Leila Noorbakhsh,Yun Dong,Yuan Hong,Binghui Wang

2024-12-15

Abstract:Machine learning models are vulnerable to both security attacks (e.g., adversarial examples) and privacy attacks (e.g., private attribute inference). We take the first step to mitigate both the security and privacy attacks, and maintain task utility as well. Particularly, we propose an information-theoretic framework to achieve the goals through the lens of representation learning, i.e., learning representations that are robust to both adversarial examples and attribute inference adversaries. We also derive novel theoretical results under our framework, e.g., the inherent trade-off between adversarial robustness/utility and attribute privacy, and guaranteed attribute privacy leakage against attribute inference adversaries.

Machine Learning,Cryptography and Security

Zhongzheng Ren,Yong Jae Lee,Michael S. Ryoo

DOI: https://doi.org/10.48550/arXiv.1803.11556

2018-03-30

Computer Vision and Pattern Recognition

Abstract:There is an increasing concern in computer vision devices invading users' privacy by recording unwanted videos. On the one hand, we want the camera systems to recognize important events and assist human daily lives by understanding its videos, but on the other hand we want to ensure that they do not intrude people's privacy. In this paper, we propose a new principled approach for learning a video \emph{face anonymizer}. We use an adversarial training setting in which two competing systems fight: (1) a video anonymizer that modifies the original video to remove privacy-sensitive information while still trying to maximize spatial action detection performance, and (2) a discriminator that tries to extract privacy-sensitive information from the anonymized videos. The end result is a video anonymizer that performs pixel-level modifications to anonymize each person's face, with minimal effect on action detection performance. We experimentally confirm the benefits of our approach compared to conventional hand-crafted anonymization methods including masking, blurring, and noise adding. Code, demo, and more results can be found on our project page https://jason718.github.io/project/privacy/main.html.

Xiaofeng Ding,Hongbiao Fang,Zhilin Zhang,Kim-Kwang Raymond Choo,Hai Jin

DOI: https://doi.org/10.1109/tkde.2020.2997604

IF: 9.235

2020-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Deep learning is increasingly popular, partly due to its widespread application potential, such as in civilian, government and military domains. Given the exacting computational requirements, cloud computing has been utilized to host user data and model. However, such an approach has potential privacy implications. Therefore, in this paper, we propose a method to protect user’s privacy in the inference phase of deep learning workflow. Specifically, we use an intermediate layer to separate the entire neural network into two parts, which are respectively deployed on the user device and the cloud server. The encoder, deployed on the user device, is used for raw data transformation, which removes the need for users to upload raw data to the cloud directly. However, we also demonstrate there exists potential for privacy leakage in the intermediate features of the neural network through two concrete experiments. In other words, the encoder on its own does not provide adequate privacy protection. Therefore, we also propose an approach to achieve Privacy-preserving Feature Extraction based on Adversarial Training (P-FEAT), where the goal of privacy attacking tasks and the goal of target tasks are adversarial in terms of sensitive attributes. By imposing privacy constraints during the feature extraction, we can reduce the contribution of the extracted features to the privacy leakage. In this way, privacy protection capability of the encoder can be further strengthened. We then demonstrate the effectiveness of P-FEAT using a large number of experiments, whose findings show that P-FEAT can significantly reduce the threats of privacy attacking tasks while maintaining high accuracy of the target tasks.

Aneesh Sreevallabh Chivukula,Xinghao Yang,Bo Liu,Wei Liu,Wanlei Zhou

DOI: https://doi.org/10.1007/978-3-030-99772-4_7

2023-01-01

Abstract:While adversarial examples (AEs) or adversarial perturbations (APs) are usually treated as a security risk up to date, they can also serve as privacy protection tools when facing deep learning-based privacy attacks. This chapter will first introduce a privacy model for visual data, one of the most important types of data in deep learning applications. Then we will discuss AP-based privacy protection mechanisms that incorporate different levels of privacy. While the research on this topic is still in its infancy stage, this chapter will overview the state-of-the-art works and shed light on future research.

Milad Nasr,Reza Shokri,Amir Houmansadr

DOI: https://doi.org/10.48550/arXiv.1807.05852

IF: 5.414

2018-07-16

Machine Learning

Abstract:Machine learning models leak information about the datasets on which they are trained. An adversary can build an algorithm to trace the individual members of a model's training dataset. As a fundamental inference attack, he aims to distinguish between data points that were part of the model's training set and any other data points from the same distribution. This is known as the tracing (and also membership inference) attack. In this paper, we focus on such attacks against black-box models, where the adversary can only observe the output of the model, but not its parameters. This is the current setting of machine learning as a service in the Internet. We introduce a privacy mechanism to train machine learning models that provably achieve membership privacy: the model's predictions on its training data are indistinguishable from its predictions on other data points from the same distribution. We design a strategic mechanism where the privacy mechanism anticipates the membership inference attacks. The objective is to train a model such that not only does it have the minimum prediction error (high utility), but also it is the most robust model against its corresponding strongest inference attack (high privacy). We formalize this as a min-max game optimization problem, and design an adversarial training algorithm that minimizes the classification loss of the model as well as the maximum gain of the membership inference attack against it. This strategy, which guarantees membership privacy (as prediction indistinguishability), acts also as a strong regularizer and significantly generalizes the model. We evaluate our privacy mechanism on deep neural networks using different benchmark datasets. We show that our min-max strategy can mitigate the risk of membership inference attacks (close to the random guess) with a negligible cost in terms of the classification error.

Zhigang Su,Dawei Zhou,Decheng Liu,Nannan Wang,Zhen Wang,Xinbo Gao

DOI: https://doi.org/10.48550/arXiv.2209.15304

2022-01-01

Abstract:With the development of online artificial intelligence systems, many deep neural networks (DNNs) have been deployed in cloud environments. In practical applications, developers or users need to provide their private data to DNNs, such as faces. However, data transmitted and stored in the cloud is insecure and at risk of privacy leakage. In this work, inspired by Type-I adversarial attack, we propose an adversarial attack-based method to protect visual privacy of data. Specifically, the method encrypts the visual information of private data while maintaining them correctly predicted by DNNs, without modifying the model parameters. The empirical results on face recognition tasks show that the proposed method can deeply hide the visual information in face images and hardly affect the accuracy of the recognition models. In addition, we further extend the method to classification tasks and also achieve state-of-the-art performance.

Computer Science

Minghui Li,Jiangxiong Wang,Hao Zhang,Ziqi Zhou,Shengshan Hu,Xiaobing Pei

2024-07-18

Abstract:The success of deep face recognition (FR) systems has raised serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Previous studies proposed introducing imperceptible adversarial noises into face images to deceive those face recognition models, thus achieving the goal of enhancing facial privacy protection. Nevertheless, they heavily rely on user-chosen references to guide the generation of adversarial noises, and cannot simultaneously construct natural and highly transferable adversarial face images in black-box scenarios. In light of this, we present a novel face privacy protection scheme with improved transferability while maintain high visual quality. We propose shaping the entire face space directly instead of exploiting one kind of facial characteristic like makeup information to integrate adversarial noises. To achieve this goal, we first exploit global adversarial latent search to traverse the latent space of the generative model, thereby creating natural adversarial face images with high transferability. We then introduce a key landmark regularization module to preserve the visual identity information. Finally, we investigate the impacts of various kinds of latent spaces and find that $\mathcal{F}$ latent space benefits the trade-off between visual naturalness and adversarial transferability. Extensive experiments over two datasets demonstrate that our approach significantly enhances attack transferability while maintaining high visual quality, outperforming state-of-the-art methods by an average 25% improvement in deep FR models and 10% improvement on commercial FR APIs, including Face++, Aliyun, and Tencent.

Computer Vision and Pattern Recognition,Artificial Intelligence

Hossein Abedi Khorasgani,Noman Mohammed,Yang Wang

DOI: https://doi.org/10.1007/s10207-024-00839-7

2024-04-03

International Journal of Information Security

Abstract:With the increasing popularity of machine learning (ML) in image processing, privacy concerns have emerged as a significant issue in deploying and using ML services. However, current privacy protection approaches often require computationally expensive training from scratch or extensive fine-tuning of models, posing significant barriers to the development of privacy-conscious models, particularly for smaller organizations seeking to comply with data privacy laws. In this paper, we address the privacy challenges in computer vision by investigating the effectiveness of two recent fine-tuning methods, Model Reprogramming and Low-Rank Adaptation. We adapt these techniques to provide attribute protection for pre-trained models, minimizing computational overhead and training time. Specifically, we modify the models to produce privacy-preserving latent representations of images that cannot be used to identify unintended attributes. We integrate these methods into an adversarial min–max framework, allowing us to conceal sensitive information from feature outputs without extensive modifications to the pre-trained model, but rather focusing on a small set of new parameters. We demonstrate the effectiveness of our methods by conducting experiments on the CelebA dataset, achieving state-of-the-art performance while significantly reducing computational complexity and cost. Our research provides a valuable contribution to the field of computer vision and privacy, offering practical solutions to enhance the privacy of machine learning services without compromising efficiency.

computer science, information systems, theory & methods, software engineering

Bo Liu,Ming Ding,Tianqing Zhu,Yong Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/glocom.2018.8647189

2018-01-01

Abstract:The unprecedented accuracy of deep learning methods has earned themselves as the foundation of new AI-based services on the Internet. At the same time, it presents obvious privacy issues. The deep learning aided privacy attack can dig out sensitive personal information not only from the text but also from unstructured data such as images and videos. In this paper, we proposed a framework to protect image privacy against the deep learning tools. We also propose two new metrics to measure the image privacy. Moreover, we propose two different image privacy protection schemes based on the two metrics, utilizing the adversarial example idea. The performance of our schemes is validated by simulation on a large-scale dataset. Our study shows that we can protect the image privacy by adding a small amount of noise, while the added noise has a humanly imperceptible impact on the image quality.

Eugenio Lomurno,Alberto Archetti,Francesca Ausonio,Matteo Matteucci

2023-06-06

Abstract:The remarkable proliferation of deep learning across various industries has underscored the importance of data privacy and security in AI pipelines. As the evolution of sophisticated Membership Inference Attacks (MIAs) threatens the secrecy of individual-specific information used for training deep learning models, Differential Privacy (DP) raises as one of the most utilized techniques to protect models against malicious attacks. However, despite its proven theoretical properties, DP can significantly hamper model performance and increase training time, turning its use impractical in real-world scenarios. Tackling this issue, we present Discriminative Adversarial Privacy (DAP), a novel learning technique designed to address the limitations of DP by achieving a balance between model performance, speed, and privacy. DAP relies on adversarial training based on a novel loss function able to minimise the prediction error while maximising the MIA's error. In addition, we introduce a novel metric named Accuracy Over Privacy (AOP) to capture the performance-privacy trade-off. Finally, to validate our claims, we compare DAP with diverse DP scenarios, providing an analysis of the results from performance, time, and privacy preservation perspectives.

Cryptography and Security,Machine Learning

Yuting Zhan,Alex Kyllo,Afra Mashhadi,Hamed Haddadi

DOI: https://doi.org/10.48550/arXiv.2201.07519

IF: 5.414

2022-01-19

Machine Learning

Abstract:As various mobile devices and location-based services are increasingly developed in different smart city scenarios and applications, many unexpected privacy leakages have arisen due to geolocated data collection and sharing. While these geolocated data could provide a rich understanding of human mobility patterns and address various societal research questions, privacy concerns for users' sensitive information have limited their utilization. In this paper, we design and implement a novel LSTM-based adversarial mechanism with representation learning to attain a privacy-preserving feature representation of the original geolocated data (mobility data) for a sharing purpose. We quantify the utility-privacy trade-off of mobility datasets in terms of trajectory reconstruction risk, user re-identification risk, and mobility predictability. Our proposed architecture reports a Pareto Frontier analysis that enables the user to assess this trade-off as a function of Lagrangian loss weight parameters. The extensive comparison results on four representative mobility datasets demonstrate the superiority of our proposed architecture and the efficiency of the proposed privacy-preserving features extractor. Our results show that by exploring Pareto optimal setting, we can simultaneously increase both privacy (45%) and utility (32%).