Yanru Xiao,Cong Wang,Xing Gao

DOI: https://doi.org/10.1109/cvpr42600.2020.00967

2020-01-01

Computer Vision and Pattern Recognition

Abstract:With the rapid growth of visual content, deep learning to hash is gaining popularity in the image retrieval community recently. Although it greatly facilitates search efficiency, privacy is also at risks when images on the web are retrieved at a large scale and exploited as a rich mine of personal information. An adversary can extract private images by querying similar images from the targeted category for any usable model. Existing methods based on image processing preserve privacy at a sacrifice of perceptual quality. In this paper, we propose a new mechanism based on adversarial examples to "stash'' private images in the deep hash space while maintaining perceptual similarity. We first find that a simple approach of hamming distance maximization is not robust against brute-force adversaries. Then we develop a new loss function by maximizing the hamming distance to not only the original category, but also the centers from all the classes, partitioned into clusters of various sizes. The extensive experiment shows that the proposed defense can harden the attacker's efforts by 2-7 orders of magnitude, without significant increase of computational overhead and perceptual degradation. We also demonstrate 30-60% transferability in hash space with a black-box setting. The code is available at: https://github.com/sugarruy/hashstash

Yuheng Zhang,Ruoxi Jia,Hengzhi Pei,Wenxiao Wang,Bo Li,Dawn Song

DOI: https://doi.org/10.1109/CVPR42600.2020.00033

2020-01-01

Abstract:This paper studies model-inversion attacks, in which the access to a model is abused to infer information about the training data. Since its first introduction by [7], such attacks have raised serious concerns given that training data usually contain privacy-sensitive information. Thus far, successful model-inversion attacks have only been demonstrated on simple models, such as linear regression and logistic regression. Previous attempts to invert neural networks, even the ones with simple architectures, have failed to produce convincing results. We present a novel attack method, termed the generative model-inversion attack, which can invert deep neural networks with high success rates. Rather than reconstructing private training data from scratch, we leverage partial public information, which can be very generic, to learn a distributional prior via generative adversarial networks (GANs) and use it to guide the inversion process. Moreover, we theoretically prove that a model's predictive power and its vulnerability to inversion attacks are indeed two sides of the same coin-highly predictive models are able to establish a strong correlation between features and labels, which coincides exactly with what an adversary exploits to mount the attacks. Our extensive experiments demonstrate that the proposed attack improves identification accuracy over the existing work by about 75% for reconstructing face images from a state-of-the-art face recognition classifier. We also show that differential privacy, in its canonical form, is of little avail to defend against our attacks.

Sitan Chen,Xiaoxiao Li,Zhao Song,Danyang Zhuo

DOI: https://doi.org/10.48550/arXiv.2011.11181

2021-03-25

Abstract:In this work, we examine the security of InstaHide, a scheme recently proposed by [Huang, Song, Li and Arora, ICML'20] for preserving the security of private datasets in the context of distributed learning. To generate a synthetic training example to be shared among the distributed learners, InstaHide takes a convex combination of private feature vectors and randomly flips the sign of each entry of the resulting vector with probability 1/2. A salient question is whether this scheme is secure in any provable sense, perhaps under a plausible hardness assumption and assuming the distributions generating the public and private data satisfy certain properties. We show that the answer to this appears to be quite subtle and closely related to the average-case complexity of a new multi-task, missing-data version of the classic problem of phase retrieval. Motivated by this connection, we design a provable algorithm that can recover private vectors using only the public vectors and synthetic vectors generated by InstaHide, under the assumption that the private and public vectors are isotropic Gaussian.

Machine Learning,Cryptography and Security,Data Structures and Algorithms

Hanyu Xue,Bo Liu,Ming Ding,Li Song,Tianqing Zhu

DOI: https://doi.org/10.1109/icc40277.2020.9148656

2020-01-01

Abstract:Privacy protection attracts increasing concerns these days. People tend to believe that large social platforms will comply with the agreement to protect their privacy. However, photos uploaded by people are usually not treated to achieve privacy protection. For example, Facebook, the world's largest social platform, was found leaking photos of millions of users to commercial organizations for big data analytics. A common analytical tool used by these commercial organizations is the Deep Neural Network (DNN). Today's DNN can accurately identify people's appearance, body shape, hobbies and even more sensitive personal information, such as addresses, phone numbers, emails, bank cards and so on. To enable people to enjoy sharing photos without worrying about their privacy, we propose an algorithm that allows users to selectively protect their privacy while preserving the contextual information contained in images. The results show that the proposed algorithm can select and perturb private objects to be protected among multiple optional objects so that the DNN can only identify non-private objects in images.

Zhiying Zhu,Hang Zhou,Haoqi Hu,Qingchao Jiang,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.1109/tnse.2024.3456103

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Recent studies have demonstrated that deep neural networks show excellent performance in information hiding. Considering the tremendous progress that deep learning has made in image recognition, we explore whether neural networks can recognize invisible private images hidden in cover images. In this article, we propose a method for image recognition in the covert domain using neural networks. Our target is to hide an image inside another image with minimal visual quality loss, while at the same time, the hidden image can be recognized correctly without being recovered. In the proposed system, the hiding and recognition of secret images are all performed by neural networks. The hiding network and the recognition network are designed to specifically work as a pair. We design and jointly train preparation, hiding, and recognition networks, where given a cover and a secret image, the preparation network reduces redundant information of the secret image, the hiding network produces a stego image that is visually indistinguishable from the cover image, and the PSNR and SSIM reach 38.5 dB and 0.991 on the MNIST & CIFAR-10 dataset and 41.8 dB and 0.995 on the CelebA & Scene dataset, respectively. The recognition network can correctly identify the secret image inside the stego image which reaches 98.3% recognition accuracy on MNIST dataset and 91.6% recognition accuracy on CelebA dataset in the covert domain, less than 1% recognition decrease compared with direct recognition. In summary, our approach can successfully identify the secret image without revealing its content. Across various datasets, both the classification accuracy and the invisibility of private images are consistently satisfactory

Yujia Liu,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1155/2017/1897438

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Online image sharing in social platforms can lead to undesired privacy disclosure. For example, some enterprises may detect these large volumes of uploaded images to do users’ in-depth preference analysis for commercial purposes. And their technology might be today’s most powerful learning model, deep neural network (DNN). To just elude these automatic DNN detectors without affecting visual quality of human eyes, we design and implement a novel Stealth algorithm, which makes the automatic detector blind to the existence of objects in an image, by crafting a kind of adversarial examples. It is just like all objects disappear after wearing an “invisible cloak” from the view of the detector. Then we evaluate the effectiveness of Stealth algorithm through our newly defined measurement, named privacy insurance. The results indicate that our scheme has considerable success rate to guarantee privacy compared with other methods, such as mosaic, blur, and noise. Better still, Stealth algorithm has the smallest impact on image visual quality. Meanwhile, we set a user adjustable parameter called cloak thickness for regulating the perturbation intensity. Furthermore, we find that the processed images have transferability property; that is, the adversarial images generated for one particular DNN will influence the others as well.

Zhenfei Zhao,KaYin Chau,Zheming Lu

2011-01-01

Abstract:Recently, a reversible secret sharing scheme has been developed for encrypting a secret image in a set of camouflage images. The key advantage lies in that both the secret and cover images can be accurately reconstructed during decryption. This paper proposes a high capacity data hiding scheme integrated in reversible secret sharing. In secret sharing, some extra confidential data are also hidden in camouflage images by means of a double module mechanism. As a multilevel histogram shifting strategy is employed, a high capacity can be achieved. In the decoder, not only the cover and secret images but also the confidential data can be perfectly recovered. The confidential data can be some affiliated information of the secret image or for validity authentication. Experimental results demonstrate the effectiveness of the proposed method.

Hao Zhang,Quanshi Zhang,Liyao Xiang,Haotian Ma,Yifan Zhang

2019-01-28

Abstract:This paper proposes a generic method to revise traditional neural networks for privacy protection. Our method is designed to prevent inversion attacks, i.e., avoiding recovering private information from intermediate-layer features of a neural network. Our method transforms real-valued features of an intermediate layer into complex-valued features, in which private information is hidden in a random phase of the transformed features. To prevent the adversary from recovering the phase, we adopt an adversarial-learning algorithm to generate the complex-valued feature. More crucially, the transformed feature can be directly processed by the deep neural network, but without knowing the true phase, people cannot recover either the input information or the prediction result. Preliminary experiments with various neural networks (including the LeNet, the VGG, and residual networks) on different datasets have shown that our method can successfully defend feature inversion attacks while preserving learning accuracy.

Mathematics,Computer Science

Zhenyu Guan,Junpeng Jing,Xin Deng,Mai Xu,Lai Jiang,Zhou Zhang,Yipeng Li

DOI: https://doi.org/10.1109/tpami.2022.3141725

IF: 23.6

2023-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Multiple image hiding aims to hide multiple secret images into a single cover image, and then recover all secret images perfectly. Such high-capacity hiding may easily lead to contour shadows or color distortion, which makes multiple image hiding a very challenging task. In this paper, we propose a novel multiple image hiding framework based on invertible neural network, namely DeepMIH. Specifically, we develop an invertible hiding neural network (IHNN) to innovatively model the image concealing and revealing as its forward and backward processes, making them fully coupled and reversible. The IHNN is highly flexible, which can be cascaded as many times as required to achieve the hiding of multiple images. To enhance the invisibility, we design an importance map (IM) module to guide the current image hiding based on the previous image hiding results. In addition, we find that the image hidden in the high-frequency sub-bands tends to achieve better hiding performance, and thus propose a low-frequency wavelet loss to constrain that no secret information is hidden in the low-frequency sub-bands. Experimental results show that our DeepMIH significantly outperforms other state-of-the-art methods, in terms of hiding invisibility, security and recovery accuracy on a variety of datasets.

Weiheng Chai,Brian Testa,Huantao Ren,Asif Salekin,Senem Velipasalar

2024-02-15

Abstract:Deep neural networks are extensively applied to real-world tasks, such as face recognition and medical image classification, where privacy and data protection are critical. Image data, if not protected, can be exploited to infer personal or contextual information. Existing privacy preservation methods, like encryption, generate perturbed images that are unrecognizable to even humans. Adversarial attack approaches prohibit automated inference even for authorized stakeholders, limiting practical incentives for commercial and widespread adaptation. This pioneering study tackles an unexplored practical privacy preservation use case by generating human-perceivable images that maintain accurate inference by an authorized model while evading other unauthorized black-box models of similar or dissimilar objectives, and addresses the previous research gaps. The datasets employed are ImageNet, for image classification, Celeba-HQ dataset, for identity classification, and AffectNet, for emotion classification. Our results show that the generated images can successfully maintain the accuracy of a protected model and degrade the average accuracy of the unauthorized black-box models to 11.97%, 6.63%, and 55.51% on ImageNet, Celeba-HQ, and AffectNet datasets, respectively.

Computer Vision and Pattern Recognition,Machine Learning

Qiushi Li,Yan Zhang,Ju Ren,Qi Li,Yaoxue Zhang

2024-04-05

Abstract:Image data have been extensively used in Deep Neural Network (DNN) tasks in various scenarios, e.g., autonomous driving and medical image analysis, which incurs significant privacy concerns. Existing privacy protection techniques are unable to efficiently protect such data. For example, Differential Privacy (DP) that is an emerging technique protects data with strong privacy guarantee cannot effectively protect visual features of exposed image dataset. In this paper, we propose a novel privacy-preserving framework VisualMixer that protects the training data of visual DNN tasks by pixel shuffling, while not injecting any noises. VisualMixer utilizes a new privacy metric called Visual Feature Entropy (VFE) to effectively quantify the visual features of an image from both biological and machine vision aspects. In VisualMixer, we devise a task-agnostic image obfuscation method to protect the visual privacy of data for DNN training and inference. For each image, it determines regions for pixel shuffling in the image and the sizes of these regions according to the desired VFE. It shuffles pixels both in the spatial domain and in the chromatic channel space in the regions without injecting noises so that it can prevent visual features from being discerned and recognized, while incurring negligible accuracy loss. Extensive experiments on real-world datasets demonstrate that VisualMixer can effectively preserve the visual privacy with negligible accuracy loss, i.e., at average 2.35 percentage points of model accuracy loss, and almost no performance degradation on model training.

Cryptography and Security

Liyao Xiang,Haotian Ma,Hao Zhang,Yifan Zhang,Jie Ren,Quanshi Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09546

IF: 5.414

2019-01-28

Machine Learning

Abstract:Previous studies have found that an adversary attacker can often infer unintended input information from intermediate-layer features. We study the possibility of preventing such adversarial inference, yet without too much accuracy degradation. We propose a generic method to revise the neural network to boost the challenge of inferring input attributes from features, while maintaining highly accurate outputs. In particular, the method transforms real-valued features into complex-valued ones, in which the input is hidden in a randomized phase of the transformed features. The knowledge of the phase acts like a key, with which any party can easily recover the output from the processing result, but without which the party can neither recover the output nor distinguish the original input. Preliminary experiments on various datasets and network structures have shown that our method significantly diminishes the adversary's ability in inferring about the input while largely preserves the resulting accuracy.

Yuexin Xiang,Tiantian Li,Wei Ren,Tianqing Zhu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.engappai.2023.107180

2021-05-19

Abstract:To ensure the privacy of sensitive data used in the training of deep learning models, a number of privacy-preserving methods have been designed by the research community. However, existing schemes are generally designed to work with textual data, or are not efficient when a large number of images is used for training. Hence, in this paper we propose a lightweight and efficient approach to preserve image privacy while maintaining the availability of the training set. Specifically, we design the pixel block mixing algorithm for image classification privacy preservation in deep learning. To evaluate its utility, we use the mixed training set to train the ResNet50, VGG16, InceptionV3 and DenseNet121 models on the WIKI dataset and the CNBC face dataset. Experimental findings on the testing set show that our scheme preserves image privacy while maintaining the availability of the training set in the deep learning models. Additionally, the experimental results demonstrate that we achieve good performance for the VGG16 model on the WIKI dataset and both ResNet50 and DenseNet121 on the CNBC dataset. The pixel block algorithm achieves fairly high efficiency in the mixing of the images, and it is computationally challenging for the attackers to restore the mixed training set to the original training set. Moreover, data augmentation can be applied to the mixed training set to improve the training's effectiveness.

Computer Vision and Pattern Recognition,Image and Video Processing

Ruohan Meng,Chenyu Yi,Yi Yu,Siyuan Yang,Bingquan Shen,Alex C. Kot

2024-06-25

Abstract:Ensuring data privacy and protection has become paramount in the era of deep learning. Unlearnable examples are proposed to mislead the deep learning models and prevent data from unauthorized exploration by adding small perturbations to data. However, such perturbations (e.g., noise, texture, color change) predominantly impact low-level features, making them vulnerable to common countermeasures. In contrast, semantic images with intricate shapes have a wealth of high-level features, making them more resilient to countermeasures and potential for producing robust unlearnable examples. In this paper, we propose a Deep Hiding (DH) scheme that adaptively hides semantic images enriched with high-level features. We employ an Invertible Neural Network (INN) to invisibly integrate predefined images, inherently hiding them with deceptive perturbations. To enhance data unlearnability, we introduce a Latent Feature Concentration module, designed to work with the INN, regularizing the intra-class variance of these perturbations. To further boost the robustness of unlearnable examples, we design a Semantic Images Generation module that produces hidden semantic images. By utilizing similar semantic information, this module generates similar semantic images for samples within the same classes, thereby enlarging the inter-class distance and narrowing the intra-class distance. Extensive experiments on CIFAR-10, CIFAR-100, and an ImageNet subset, against 18 countermeasures, reveal that our proposed method exhibits outstanding robustness for unlearnable examples, demonstrating its efficacy in preventing unauthorized data exploitation.

Cryptography and Security,Computer Vision and Pattern Recognition

Xin Zhou,Yi Lu,Ruotian Ma,Tao Gui,Qi Zhang,Xuanjing Huang

DOI: https://doi.org/10.18653/v1/2023.findings-emnlp.244

2023-01-01

Abstract:Pre-trained language models (PLMs) are often deployed as cloud services, enabling users to upload textual data and perform inference remotely. However, users’ personal text often contains sensitive information, and sharing such data directly with the service providers can lead to serious privacy leakage. To address this problem, we introduce a novel privacy-preserving inference framework called MixPi , which prevents plaintext leakage during the inference phase. Inspired by k -anonymity, MixPi aims to obfuscate a user’s private input by mixing it with multiple other inputs, thereby confounding potential privacy attackers. To achieve this, our approach involves: (1) proposing a novel encryption module, Privacy Mixer, which encrypts input from three distinct dimensions: mixing, representation, and position. (2) adopting a pre-trained Multi-input Multi-output network to handle mixed representations and obtain multiple predictions. (3) employing a Privacy Demixer to ensure only the user can decrypt the real output among the multiple predictions. Furthermore, we explore different ways to automatically generate synthetic inputs required for mixing. Experimental results on token and sentence classification tasks demonstrate that MixPi greatly surpasses existing privacy-preserving methods in both performance and privacy.

Ming Li,Zhaoli Yang,Tao Wang,Yushu Zhang,Wenying Wen

DOI: https://doi.org/10.1109/tcsvt.2024.3448351

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:In recent years, the uploading of massive personal images has increased the security risks, mainly including privacy breaches and copyright infringement. Adversarial examples provide a novel solution for protecting image privacy, as they can evade the detection by deep neural network (DNN)-based recognizers. However, the perturbations in the adversarial examples typically meaningless and therefore cannot be extracted as traceable information to support copyright protection. In this paper, we designed a dual protection scheme for image privacy and copyright via traceable adversarial examples. Specifically, a traceable adversarial model is proposed, which can be used to embed the invisible copyright information into images for copyright protection while fooling DNN-based recognizers for privacy protection. Inspired by the training method of generative adversarial networks (GANs), a new dynamic adversarial training strategy is designed, which allows our model for achieving stable multi-objective learning. Experimental results show that our scheme is exceptionally robust in the face of a variety of noise conditions and image processing methods, while exhibiting good model migration and defense robustness.

Weina Dong,Jia Liu,Lifeng Chen,Wenquan Sun,Xiaozhong Pan,Yan Ke

2024-10-14

Abstract:Multi-image hiding, which embeds multiple secret images into a cover image and is able to recover these images with high quality, has gradually become a research hotspot in the field of image steganography. However, due to the need to embed a large amount of data in a limited cover image space, issues such as contour shadowing or color distortion often arise, posing significant challenges for multi-image hiding. In this paper, we propose StegaINR4MIH, a novel implicit neural representation steganography framework that enables the hiding of multiple images within a single implicit representation function. In contrast to traditional methods that use multiple encoders to achieve multi-image embedding, our approach leverages the redundancy of implicit representation function parameters and employs magnitude-based weight selection and secret weight substitution on pre-trained cover image functions to effectively hide and independently extract multiple secret images. We conduct experiments on images with a resolution of from three different datasets: CelebA-HQ, COCO, and DIV2K. When hiding two secret images, the PSNR values of both the secret images and the stego images exceed 42. When hiding five secret images, the PSNR values of both the secret images and the stego images exceed 39. Extensive experiments demonstrate the superior performance of the proposed method in terms of visual quality and undetectability.

Computer Vision and Pattern Recognition,Cryptography and Security

Suyuan Liu,Lan Zhang,Haikuo Yu,Jiahui Hou,Kaiwen Guo,Xiang-Yang Li

DOI: https://doi.org/10.1145/3560905.3568514

2022-01-01

Abstract:Obfuscation technologies have been well established for on-device image privacy protection, including pixelization, blurring, scribbling, sticker-covering, and inpainting. Despite their remarkable resistance to human observation, recent studies find that some of them are vulnerable to attacks by neural network-based recognition methods. In this work, we reveal the risk of privacy re-disclosure post image protection. Given an obfuscation-protected image, the privacy information includes 1) where the obfuscated region is and 2) what the hidden privacy-related objects are. Thus we focus on uncovering categories of privacy-related objects to evaluate the effectiveness of obfuscation technologies. Under severe obfuscation, unfortunately, even powerful object recognition models can hardly infer hidden privacy information. Inspired by the human observation process, we carefully craft a scheme HideSeeker, composed of feature-extraction, relation-graph-learning, and object-inference, to explore the contextual information of obfuscated regions and their relationships. HideSeeker can efficiently and effectively uncover the categories of hidden private objects in obfuscated images. We conduct comprehensive evaluations over two datasets containing 14206 images in total: laboratory-generated and publicly available obfuscated images. Our results demonstrate that HideSeeker successfully uncovers privacy-related objects with inference accuracy of up to 82.17%, and 77.72% on average no matter which obfuscation was applied, while the SOTA method can achieve an average accuracy of 42.3%. For images protected by inpainting, accuracy is improved from 24.67% to 78.16%.

Mingfu Xue,Shichang Sun,Zhiyu Wu,Can He,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1016/j.jisa.2021.102993

IF: 4.96

2021-12-01

Journal of Information Security and Applications

Abstract:People are always interested in sharing photos on social platforms. However, undesirable privacy leakage may occur due to such online photo sharing. Advanced deep neural network (DNN) based object detectors can easily steal users’ personal information exposed in shared photos. In this paper, we propose a novel adversarial example based privacy-preserving technique for social images against object detectors-based privacy stealing. Specifically, we propose an Object Disappearance Algorithm to craft two kinds of adversarial social images to fool the object detector. One can hide all the objects in the social images from being detected by an object detector, and the other can make the customized sensitive objects be misclassified by the object detector. Experimental results show that, the proposed method can effectively protect the privacy of social images, while the quality of these images is not affected. The privacy-preserving success rates of the proposed method on MS-COCO and PASCAL VOC 2007 datasets are high up to 96.1% and 99.3%, respectively, and the privacy leakage rates on these two datasets are as low as 0.57% and 0.07%, respectively. Compared with common image processing methods (low brightness, noise, blur, mosaic and JPEG compression) and the existing work, the proposed method can achieve much more powerful performance in protecting the privacy of social images, while not affecting the quality of social images.

computer science, information systems

Fusheng Hao,Fengxiang He,Yikai Wang,Fuxiang Wu,Jing Zhang,Jun Cheng,Dacheng Tao

2023-06-06

Abstract:Massive human-related data is collected to train neural networks for computer vision tasks. A major conflict is exposed relating to software engineers between better developing AI systems and distancing from the sensitive training data. To reconcile this conflict, this paper proposes an efficient privacy-preserving learning paradigm, where images are first encrypted to become ``human-imperceptible, machine-recognizable'' via one of the two encryption strategies: (1) random shuffling to a set of equally-sized patches and (2) mixing-up sub-patches of the images. Then, minimal adaptations are made to vision transformer to enable it to learn on the encrypted images for vision tasks, including image classification and object detection. Extensive experiments on ImageNet and COCO show that the proposed paradigm achieves comparable accuracy with the competitive methods. Decrypting the encrypted images requires solving an NP-hard jigsaw puzzle or an ill-posed inverse problem, which is empirically shown intractable to be recovered by various attackers, including the powerful vision transformer-based attacker. We thus show that the proposed paradigm can ensure the encrypted images have become human-imperceptible while preserving machine-recognizable information. The code is available at \url{<a class="link-external link-https" href="https://github.com/FushengHao/PrivacyPreservingML" rel="external noopener nofollow">this https URL</a>.}

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning