Xiuli Chai,Zhen Chen,Zhihua Gan,Yushu Zhang,Yong Tan

DOI: https://doi.org/10.1109/icspcc59353.2023.10400335

2023-01-01

Abstract:Nowadays, large numbers of private images are stored in the cloud, which may be recognized by unauthorized models, seriously threatening users' privacy security. Although adversarial example (AE) can mislead unauthorized models to protect image privacy, the irreversible perturbations added to images can also mislead the authorized models. Reversible adversarial example (RAE) provides an effective solution that misleads unauthorized models without affecting authorized ones. However, existing RAE generation methods have low attack ability and imperfect image recovery, which makes them unsatisfactory. This paper proposes an RAE generation method that is RAE based on Thumbnail Preserving Encryption (RAE-TPE), where the semantic information of the images is unchanged but the generated RAEs successfully fool traditional classification models. Through decryption, the images can be recovered losslessly. Additionally, we present a novel optimization algorithm called dual annealing evolution (DAE) to enhance the RAEs' visual quality and attack ability. The experimental results on the ImageNet dataset demonstrate that RAEs generated by RAE-TPE show excellent attack ability and robustness.

Li Chen,Shaowei Zhu,Zhaoxia Yin

DOI: https://doi.org/10.48550/arXiv.2110.02700

2023-01-02

Abstract:Adding perturbations to images can mislead classification models to produce incorrect results. Recently, researchers exploited adversarial perturbations to protect image privacy from retrieval by intelligent models. However, adding adversarial perturbations to images destroys the original data, making images useless in digital forensics and other fields. To prevent illegal or unauthorized access to sensitive image data such as human faces without impeding legitimate users, the use of reversible adversarial attack techniques is increasing. The original image can be recovered from its reversible adversarial examples. However, existing reversible adversarial attack methods are designed for traditional imperceptible adversarial perturbations and ignore the local visible adversarial perturbation. In this paper, we propose a new method for generating reversible adversarial examples based on local visible adversarial perturbation. The information needed for image recovery is embedded into the area beyond the adversarial patch by the reversible data hiding technique. To reduce image distortion, lossless compression and the B-R-G (bluered-green) embedding principle are adopted. Experiments on CIFAR-10 and ImageNet datasets show that the proposed method can restore the original images error-free while ensuring good attack performance.

Computer Vision and Pattern Recognition

Jiayang Liu,Weiming Zhang,Kazuto Fukuchi,Youhei Akimoto,Jun Sakuma

DOI: https://doi.org/10.1016/j.patcog.2022.109048

IF: 8

2023-01-01

Pattern Recognition

Abstract:In this study, we propose a new methodology to control how user's data is recognized and used by AI via exploiting the properties of adversarial examples. For this purpose, we propose reversible adversarial example (RAE), a new type of adversarial example. A remarkable feature of RAE is that the image can be correctly recognized and used by the AI model specified by the user because the authorized AI can recover the original image from the RAE exactly by eliminating adversarial perturbation. On the other hand, other unauthorized AI models cannot recognize it correctly because it functions as an adversarial example. Moreover, RAE can be considered as one type of encryption to computer vision since reversibil-ity guarantees the decryption. To realize RAE, we combine three technologies, adversarial example, re-versible data hiding for exact recovery of adversarial perturbation, and encryption for selective control of AIs who can remove adversarial perturbation. Experimental results show that the proposed method can achieve comparable attack ability with the corresponding adversarial attack method and similar visual quality with the original image, including white-box attacks and black-box attacks. (c) 2022 Elsevier Ltd. All rights reserved.

Haodong Zhang,Chi Man Pun,Xia Du

2023-06-20

Abstract:Reversible adversarial examples (RAE) combine adversarial attacks and reversible data-hiding technology on a single image to prevent illegal access. Most RAE studies focus on achieving white-box attacks. In this paper, we propose a novel framework to generate reversible adversarial examples, which combines a novel beam search based black-box attack and reversible data hiding with grayscale invariance (RDH-GI). This RAE uses beam search to evaluate the adversarial gain of historical perturbations and guide adversarial perturbations. After the adversarial examples are generated, the framework RDH-GI embeds the secret data that can be recovered losslessly. Experimental results show that our method can achieve an average Peak Signal-to-Noise Ratio (PSNR) of at least 40dB compared to source images with limited query budgets. Our method can also achieve a targeted black-box reversible adversarial attack for the first time.

Cryptography and Security

Jiayang Liu,Weiming Zhang,Kazuto Fukuchi,Youhei Akimoto,Jun Sakuma

DOI: https://doi.org/10.1016/j.patcog.2022.109048

IF: 8

2023-01-01

Pattern Recognition

Abstract:• Reversible adversarial example controls how user’s data is recognized by AI. • The original image can be exactly recovered from reversible adversarial example. • Reversible adversarial example still functions as adversarial example. In this study, we propose a new methodology to control how user’s data is recognized and used by AI via exploiting the properties of adversarial examples. For this purpose, we propose reversible adversarial example (RAE), a new type of adversarial example. A remarkable feature of RAE is that the image can be correctly recognized and used by the AI model specified by the user because the authorized AI can recover the original image from the RAE exactly by eliminating adversarial perturbation. On the other hand, other unauthorized AI models cannot recognize it correctly because it functions as an adversarial example. Moreover, RAE can be considered as one type of encryption to computer vision since reversibility guarantees the decryption. To realize RAE, we combine three technologies, adversarial example, reversible data hiding for exact recovery of adversarial perturbation, and encryption for selective control of AIs who can remove adversarial perturbation. Experimental results show that the proposed method can achieve comparable attack ability with the corresponding adversarial attack method and similar visual quality with the original image, including white-box attacks and black-box attacks.

Kejiang Chen,Xianhan Zeng,Qichao Ying,Sheng Li,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.2112.14420

2021-12-29

Abstract:Deep learning has achieved enormous success in various industrial applications. Companies do not want their valuable data to be stolen by malicious employees to train pirated models. Nor do they wish the data analyzed by the competitors after using them online. We propose a novel solution for dataset protection in this scenario by robustly and reversibly transform the images into adversarial images. We develop a reversible adversarial example generator (RAEG) that introduces slight changes to the images to fool traditional classification models. Even though malicious attacks train pirated models based on the defensed versions of the protected images, RAEG can significantly weaken the functionality of these models. Meanwhile, the reversibility of RAEG ensures the performance of authorized models. Extensive experiments demonstrate that RAEG can better protect the data with slight distortion against adversarial defense than previous methods.

Computer Vision and Pattern Recognition,Image and Video Processing

Jiacheng Zhao,Xiuming Zhao,Zhihua Gan,Xiuli Chai,Tianfeng Ma,Zhen Chen

DOI: https://doi.org/10.1007/s00530-024-01425-6

IF: 3.9

2024-01-01

Multimedia Systems

Abstract:The rise of online sharing platforms has provided people with diverse and convenient ways to share images. However, a substantial amount of sensitive user information is contained within these images, which can be easily captured by malicious neural networks. To ensure the secure utilization of authorized protected data, reversible adversarial attack techniques have emerged. Existing algorithms for generating adversarial examples do not strike a good balance between visibility and attack capability. Additionally, the network oscillations generated during the training process affect the quality of the final examples. To address these shortcomings, we propose a novel reversible adversarial network based on generative adversarial networks (RA-RevGAN). In this paper, the generator is used for noise generation to map features into perturbations of the image, while the region selection module confines these perturbations to specific areas that significantly affect classification. Furthermore, a robust attack mechanism is integrated into the discriminator to stabilize the network’s training by optimizing convergence speed and minimizing time cost. Extensive experiments have demonstrated that the proposed method ensures a high image generation rate, excellent attack capability, and superior visual quality while maintaining high classification accuracy in image restoration.

Zhen Chen,Xiuli Chai,Zhihua Gan,Binjie Wang,Yushu Zhang

DOI: https://doi.org/10.1109/jiot.2024.3373636

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Medical images on the Internet of Medical Things (IoMT) can be easily collected, recognized and analyzed by unauthorized individuals and companies using deep neural networks (DNNs). The illegal use of this data compromises patient privacy and the rights of authorized users. The reversible adversarial example (RAE) is proposed to prevent unauthorized DNNs from recognizing privacy images without affecting authorized users. Nevertheless, existing RAE methods lack research on copyright protection, and unrestricted distribution and sale of these images can seriously jeopardize the copyrights of the image owners. To address this issue, this paper proposes an RAE based on visible watermark perturbation (RAE-VWP). Specifically, we first obtain the watermark embedding region (WER) of the image by the proposed saliency map fusion algorithm and save the information of this region using the reversible data hiding technique. Then, the proposed adaptive memory harmony search algorithm is applied to optimize the position and transparency of the embedded watermark perturbation. Finally, the RAE is generated by embedding the watermark perturbation into the WER of the image using the alpha blending technique. Particularly, the ensemble watermark vaccine is proposed to defend against attacks from watermark removal networks, significantly improving the robustness of RAE-VWP. The original image can be recovered without distortion by extracting the information saved in the RAE. Numerous experiments have shown that RAE-VWP can simultaneously protect image privacy and copyright with excellent reversibility.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fan Xing,Xiaoyi Zhou,Hongli Peng,Xuefeng Fan,Wenbao Han,Yuqing Zhang

DOI: https://doi.org/10.1155/2024/6054172

IF: 8.993

2024-10-19

International Journal of Intelligent Systems

Abstract:Reversible adversarial example (RAE) is an effective cutting‐edge technology for protecting the intellectual property (IP) of datasets. However, existing RAE schemes primarily focus on the adversarial and restoration capabilities of adversarial examples (AE), with little attention paid to traceability, which is crucial for IP protection. This oversight leads to the inability to prevent authorized users from redistributing data, thereby posing significant IP security risks. To address this issue, we propose a novel approach named TAE‐RWP, wherein adversarial perturbations in AEs are treated as tools for IP verification. To enable the traceability of AEs, we introduce varying degrees of warping to the adversarial perturbations within the AEs of authorized users, utilizing the warping degree as a traceable feature. To further strengthen traceability, we adopt a technique named "random warping" to maintain the resilience of adversarial perturbations against distortions, and employ a strategy named "noise mode" to improve the verification model's capacity to recognize distortion features. Experimental results indicate that AEs generated by TAE‐RWP exhibit remarkable adversarial strength and restoration abilities, while the verification model demonstrates excellence in recognizing distortion features.

computer science, artificial intelligence

Dongdong Hou,Weiming Zhang,Zihao Zhan,Ruiqi Jiang,Yang,Nenghai Yu

DOI: https://doi.org/10.1109/icdsp.2016.7868593

2016-01-01

Abstract:Image processing is a very popular and widely used technique. In this paper, we propose a framework for realizing reversible image processing, which enables that the users can return the processed image to the original copy without loss. In the proposed method, the original image is firstly processed to get the desired target image by a classic image processing method. Then the original image is reversibly processed according to the transition probability matrix, getting the processed image similar to the target image. We take histogram equalization and gamma transform as examples to show that the proposed method can realize reversible image processing and achieve nearly the same processing effect as done by irreversible image processing tools.

Decheng Liu,Xijun Wang,Chunlei Peng,Nannan Wang,Ruiming Hu,Xinbo Gao

2023-12-28

Abstract:Adversarial attacks involve adding perturbations to the source image to cause misclassification by the target model, which demonstrates the potential of attacking face recognition models. Existing adversarial face image generation methods still can't achieve satisfactory performance because of low transferability and high detectability. In this paper, we propose a unified framework Adv-Diffusion that can generate imperceptible adversarial identity perturbations in the latent space but not the raw pixel space, which utilizes strong inpainting capabilities of the latent diffusion model to generate realistic adversarial images. Specifically, we propose the identity-sensitive conditioned diffusion generative model to generate semantic perturbations in the surroundings. The designed adaptive strength-based adversarial perturbation algorithm can ensure both attack transferability and stealthiness. Extensive qualitative and quantitative experiments on the public FFHQ and CelebA-HQ datasets prove the proposed method achieves superior performance compared with the state-of-the-art methods without an extra generative model training process. The source code is available at <a class="link-external link-https" href="https://github.com/kopper-xdu/Adv-Diffusion" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence

Pham, Van-At

DOI: https://doi.org/10.1007/s11042-024-18165-4

IF: 2.577

2024-01-16

Multimedia Tools and Applications

Abstract:In reversible image authentication (RIA) methods, it is common to use a reversible hiding method to embed the authentication code (AC) bits into each block of an original image to form a watermarking image. Since the reversible hiding methods have low embedding capacity, the authentication methods based on them have limited attack detection ability. In this paper, we use a dual-image reversible embedding method based on the central folding strategy with some slight improvements to construct an RIA method. Due to the large embedding capacity, low image distortion, no location map to be used, and AC bits generated by using hash function MD5 on block's features, the proposed image authentication method can detect any type of attack with higher accuracy compared to existing methods. Its attack detection ability reaches for block sizes of , , and for a block size of while maintaining high image quality.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Jonggyu Jang,Hyeonsu Lyu,Seongjin Hwang,Hyun Jong Yang

2024-08-08

Abstract:This paper investigates the security vulnerabilities of adversarial-example-based image encryption by executing data reconstruction (DR) attacks on encrypted images. A representative image encryption method is the adversarial visual information hiding (AVIH), which uses type-I adversarial example training to protect gallery datasets used in image recognition tasks. In the AVIH method, the type-I adversarial example approach creates images that appear completely different but are still recognized by machines as the original ones. Additionally, the AVIH method can restore encrypted images to their original forms using a predefined private key generative model. For the best security, assigning a unique key to each image is recommended; however, storage limitations may necessitate some images sharing the same key model. This raises a crucial security question for AVIH: How many images can safely share the same key model without being compromised by a DR attack? To address this question, we introduce a dual-strategy DR attack against the AVIH encryption method by incorporating (1) generative-adversarial loss and (2) augmented identity loss, which prevent DR from overfitting -- an issue akin to that in machine learning. Our numerical results validate this approach through image recognition and re-identification benchmarks, demonstrating that our strategy can significantly enhance the quality of reconstructed images, thereby requiring fewer key-sharing encrypted images. Our source code to reproduce our results will be available soon.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security

Heng Yao,Hongbin Wei,Chuan Qin,Zhenjun Tang

DOI: https://doi.org/10.1007/s11554-019-00904-8

2019-08-05

Abstract:Reversible image authentication (RIA) is an emerging research field for image tampering operation detection. Tampered regions can be localized precisely by embedding an authentication code (AC) into each divided image block in advance. Once the image is identified as an authentic image, the original image can be recovered without any loss. Under these two preconditions, an efficient RIA scheme is proposed to further improve the detection precision of the final authentication results. Compared with existing methods, a uniform embedding strategy is adopted in this paper, in which one AC bit is embedded into each divided image block to ensure they have the same authentication capability. To improve the forgery localization precision, the block size is adaptively sought according to the embedding capacity of the image. In addition, during the image authentication process, the embedding parameters and location map information are verified to increase the process's rigorousness. The experimental results demonstrate the superiority of the detection precision of the proposed method.

computer science, artificial intelligence,engineering, electrical & electronic,imaging science & photographic technology

Yiyi Xie,Yuqian Zhou,Tao Wang,Wenying Wen,Shuang Yi,Yushu Zhang

DOI: https://doi.org/10.1016/j.neunet.2024.106130

IF: 7.8

2024-04-01

Neural Networks

Abstract:The significant advancement in deep learning has made it feasible to extract gender from faces accurately. However, such unauthorized extraction would pose potential threats to individual privacy. Existing protection schemes for gender privacy have exhibited satisfactory performance. Nevertheless, they suffer from gender inference from gender-related attributes and fail to support the recovery of the original image. In this paper, we propose a novel gender privacy protection scheme that aims to enhance gender privacy while supporting reversibility. Firstly, our scheme utilizes continuously optimized adversarial perturbations to prevent gender recognition from unauthorized classifiers. Meanwhile, gender-related attributes are concealed for classifiers, which prevents the inference of gender from these attributes, thereby enhancing gender privacy. Moreover, an identity preservation constraint is added to maintain identity preservation. Secondly, reversibility is supported by a reversible image transformation, allowing the perturbations to be securely removed to losslessly recover the original face when required. Extensive experiments demonstrate the effectiveness of our scheme in gender privacy protection, identity preservation, and reversibility.

computer science, artificial intelligence,neurosciences

Yaoteng Tan,Zikui Cai,M. Salman Asif

2024-06-13

Abstract:We introduce transformation-dependent adversarial attacks, a new class of threats where a single additive perturbation can trigger diverse, controllable mis-predictions by systematically transforming the input (e.g., scaling, blurring, compression). Unlike traditional attacks with static effects, our perturbations embed metamorphic properties to enable different adversarial attacks as a function of the transformation parameters. We demonstrate the transformation-dependent vulnerability across models (e.g., convolutional networks and vision transformers) and vision tasks (e.g., image classification and object detection). Our proposed geometric and photometric transformations enable a range of targeted errors from one crafted input (e.g., higher than 90% attack success rate for classifiers). We analyze effects of model architecture and type/variety of transformations on attack effectiveness. This work forces a paradigm shift by redefining adversarial inputs as dynamic, controllable threats. We highlight the need for robust defenses against such multifaceted, chameleon-like perturbations that current techniques are ill-prepared for.

Computer Vision and Pattern Recognition,Machine Learning

Dongdong Hou,Chuan Qin,Nenghai Yu,Weiming Zhang

DOI: https://doi.org/10.1016/j.jvcir.2017.11.014

IF: 2.887

2018-01-01

Journal of Visual Communication and Image Representation

Abstract:Reversible visual transformation reversibly transforms a secret image to a freely-selected target image and gets a camouflage image similar to the target image, which has been proved to be very useful in such two applications: privacy protection of images and reversible data hiding in encrypted images. Now, a new reversible transformation technique for color images is proposed by exploring and utilizing the correlations among three color channels and inside each color channel. The amount of the accessorial information for recording transformation parameters is largely reduced. Therefore, the visual quality of the created camouflage image is much improved by dividing the secret image and the target image into even smaller blocks for transformation.

Mengda Xie,Yiling He,Meie Fang

DOI: https://doi.org/10.48550/arXiv.2311.16478

2023-11-27

Abstract:Deep Neural Networks (DNNs) are susceptible to adversarial examples. Conventional attacks generate controlled noise-like perturbations that fail to reflect real-world scenarios and hard to interpretable. In contrast, recent unconstrained attacks mimic natural image transformations occurring in the real world for perceptible but inconspicuous attacks, yet compromise realism due to neglect of image post-processing and uncontrolled attack direction. In this paper, we propose RetouchUAA, an unconstrained attack that exploits a real-life perturbation: image retouching styles, highlighting its potential threat to DNNs. Compared to existing attacks, RetouchUAA offers several notable advantages. Firstly, RetouchUAA excels in generating interpretable and realistic perturbations through two key designs: the image retouching attack framework and the retouching style guidance module. The former custom-designed human-interpretability retouching framework for adversarial attack by linearizing images while modelling the local processing and retouching decision-making in human retouching behaviour, provides an explicit and reasonable pipeline for understanding the robustness of DNNs against retouching. The latter guides the adversarial image towards standard retouching styles, thereby ensuring its realism. Secondly, attributed to the design of the retouching decision regularization and the persistent attack strategy, RetouchUAA also exhibits outstanding attack capability and defense robustness, posing a heavy threat to DNNs. Experiments on ImageNet and Place365 reveal that RetouchUAA achieves nearly 100\% white-box attack success against three DNNs, while achieving a better trade-off between image naturalness, transferability and defense robustness than baseline attacks.

Computer Vision and Pattern Recognition

Yuxin Cao,Yumeng Zhu,Derui Wang,Sheng Wen,Minhui Xue,Jin Lu,Hao Ge

2024-07-11

Abstract:Face recognition pipelines have been widely deployed in various mission-critical systems in trust, equitable and responsible AI applications. However, the emergence of adversarial attacks has threatened the security of the entire recognition pipeline. Despite the sheer number of attack methods proposed for crafting adversarial examples in both digital and physical forms, it is never an easy task to assess the real threat level of different attacks and obtain useful insight into the key risks confronted by face recognition systems. Traditional attacks view imperceptibility as the most important measurement to keep perturbations stealthy, while we suspect that industry professionals may possess a different opinion. In this paper, we delve into measuring the threat brought about by adversarial attacks from the perspectives of the industry and the applications of face recognition. In contrast to widely studied sophisticated attacks in the field, we propose an effective yet easy-to-launch physical adversarial attack, named AdvColor, against black-box face recognition pipelines in the physical world. AdvColor fools models in the recognition pipeline via directly supplying printed photos of human faces to the system under adversarial illuminations. Experimental results show that physical AdvColor examples can achieve a fooling rate of more than 96% against the anti-spoofing model and an overall attack success rate of 88% against the face recognition pipeline. We also conduct a survey on the threats of prevailing adversarial attacks, including AdvColor, to understand the gap between the machine-measured and human-assessed threat levels of different forms of adversarial attacks. The survey results surprisingly indicate that, compared to deliberately launched imperceptible attacks, perceptible but accessible attacks pose more lethal threats to real-world commercial systems of face recognition.

Computer Vision and Pattern Recognition

Shixin Tian,Guolei Yang,Ying Cai

DOI: https://doi.org/10.1609/aaai.v32i1.11828

2018-04-29

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep Neural Networks (DNNs) have demonstrated remarkable performance in a diverse range of applications. Along with the prevalence of deep learning, it has been revealed that DNNs are vulnerable to attacks. By deliberately crafting adversarial examples, an adversary can manipulate a DNN to generate incorrect outputs, which may lead catastrophic consequences in applications such as disease diagnosis and self-driving cars. In this paper, we propose an effective method to detect adversarial examples in image classification. Our key insight is that adversarial examples are usually sensitive to certain image transformation operations such as rotation and shifting. In contrast, a normal image is generally immune to such operations. We implement this idea of image transformation and evaluate its performance in oblivious attacks. Our experiments with two datasets show that our technique can detect nearly 99% of adversarial examples generated by the state-of-the-art algorithm. In addition to oblivious attacks, we consider the case of white-box attacks. We propose to introduce randomness in the process of image transformation, which can achieve a detection ratio of around 70%.