Tong Chen,Zhan Ma

DOI: https://doi.org/10.1109/TCSVT.2023.3276442

IF: 5.859

2023-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep neural network-based image compression has been extensively studied. However, the model robustness which is crucial to practical application is largely overlooked. We propose to examine the robustness of prevailing learned image compression models by injecting negligible adversarial perturbation into the original source image. Severe distortion in decoded reconstruction reveals the general vulnerability in existing methods regardless of their settings (e.g., network architecture, loss function, quality scale). A variety of defense strategies including geometric self-ensemble based pre-processing, and adversarial training, are investigated against the adversarial attack to improve the model's robustness. Later the defense efficiency is further exemplified in real-life image recompression case studies. Overall, our methodology is simple, effective, and generalizable, making it attractive for developing robust learned image compression solutions. All materials are made publicly accessible at https://njuvision.github.io/RobustNIC for reproducible research.

Tong Chen,Zhan Ma

DOI: https://doi.org/10.1109/TCSVT.2023.3276442

2023-06-08

Abstract:Deep neural network-based image compression has been extensively studied. However, the model robustness which is crucial to practical application is largely overlooked. We propose to examine the robustness of prevailing learned image compression models by injecting negligible adversarial perturbation into the original source image. Severe distortion in decoded reconstruction reveals the general vulnerability in existing methods regardless of their settings (e.g., network architecture, loss function, quality scale). A variety of defense strategies including geometric self-ensemble based pre-processing, and adversarial training, are investigated against the adversarial attack to improve the model's robustness. Later the defense efficiency is further exemplified in real-life image recompression case studies. Overall, our methodology is simple, effective, and generalizable, making it attractive for developing robust learned image compression solutions. All materials are made publicly accessible at <a class="link-external link-https" href="https://njuvision.github.io/RobustNIC" rel="external noopener nofollow">this https URL</a> for reproducible research.

Computer Vision and Pattern Recognition,Multimedia,Image and Video Processing

Yang Sui,Zhuohang Li,Ding Ding,Xiang Pan,Xiaozhong Xu,Shan Liu,Zhenzhong Chen

2024-01-06

Abstract:Adversarial attacks can readily disrupt the image classification system, revealing the vulnerability of DNN-based recognition tasks. While existing adversarial perturbations are primarily applied to uncompressed images or compressed images by the traditional image compression method, i.e., JPEG, limited studies have investigated the robustness of models for image classification in the context of DNN-based image compression. With the rapid evolution of advanced image compression, DNN-based learned image compression has emerged as the promising approach for transmitting images in many security-critical applications, such as cloud-based face recognition and autonomous driving, due to its superior performance over traditional compression. Therefore, there is a pressing need to fully investigate the robustness of a classification system post-processed by learned image compression. To bridge this research gap, we explore the adversarial attack on a new pipeline that targets image classification models that utilize learned image compressors as pre-processing modules. Furthermore, to enhance the transferability of perturbations across various quality levels and architectures of learned image compression models, we introduce a saliency score-based sampling method to enable the fast generation of transferable perturbation. Extensive experiments with popular attack methods demonstrate the enhanced transferability of our proposed method when attacking images that have been post-processed with different learned image compression models.

Computer Vision and Pattern Recognition,Multimedia,Image and Video Processing

Qi Liu,Tao Liu,Zihao Liu,Yanzhi Wang,Yier Jin,Wujie Wen

DOI: https://doi.org/10.48550/arXiv.1802.05193

2018-03-20

Abstract:DNN is presenting human-level performance for many complex intelligent tasks in real-world applications. However, it also introduces ever-increasing security concerns. For example, the emerging adversarial attacks indicate that even very small and often imperceptible adversarial input perturbations can easily mislead the cognitive function of deep learning systems (DLS). Existing DNN adversarial studies are narrowly performed on the ideal software-level DNN models with a focus on single uncertainty factor, i.e. input perturbations, however, the impact of DNN model reshaping on adversarial attacks, which is introduced by various hardware-favorable techniques such as hash-based weight compression during modern DNN hardware implementation, has never been discussed. In this work, we for the first time investigate the multi-factor adversarial attack problem in practical model optimized deep learning systems by jointly considering the DNN model-reshaping (e.g. HashNet based deep compression) and the input perturbations. We first augment adversarial example generating method dedicated to the compressed DNN models by incorporating the software-based approaches and mathematical modeled DNN reshaping. We then conduct a comprehensive robustness and vulnerability analysis of deep compressed DNN models under derived adversarial attacks. A defense technique named "gradient inhibition" is further developed to ease the generating of adversarial examples thus to effectively mitigate adversarial attacks towards both software and hardware-oriented DNNs. Simulation results show that "gradient inhibition" can decrease the average success rate of adversarial attacks from 87.99% to 4.77% (from 86.74% to 4.64%) on MNIST (CIFAR-10) benchmark with marginal accuracy degradation across various DNNs.

Machine Learning,Cryptography and Security

Kang Liu,Di Wu,Yiru Wang,Dan Feng,Benjamin Tan,Siddharth Garg

DOI: https://doi.org/10.48550/arXiv.2205.13253

2022-08-23

Abstract:Deep learning techniques have shown promising results in image compression, with competitive bitrate and image reconstruction quality from compressed latent. However, while image compression has progressed towards a higher peak signal-to-noise ratio (PSNR) and fewer bits per pixel (bpp), their robustness to adversarial images has never received deliberation. In this work, we, for the first time, investigate the robustness of image compression systems where imperceptible perturbation of input images can precipitate a significant increase in the bitrate of their compressed latent. To characterize the robustness of state-of-the-art learned image compression, we mount white-box and black-box attacks. Our white-box attack employs fast gradient sign method on the entropy estimation of the bitstream as its bitrate approximation. We propose DCT-Net simulating JPEG compression with architectural simplicity and lightweight training as the substitute in the black-box attack and enable fast adversarial transferability. Our results on six image compression models, each with six different bitrate qualities (thirty-six models in total), show that they are surprisingly fragile, where the white-box attack achieves up to 56.326x and black-box 1.947x bpp change. To improve robustness, we propose a novel compression architecture factorAtn which incorporates attention modules and a basic factorized entropy model, resulting in a promising trade-off between the rate-distortion performance and robustness to adversarial attacks that surpasses existing learned image compressors.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Jiajie Zhang,Bingsheng Zhang,Jiancheng Lin

DOI: https://doi.org/10.1109/EuroSPW.2019.00030

2019-01-01

Abstract:This work investigates the image privacy problem in the context of social networking under the threat of reverse image search. We introduce a new concept called recessive social networking. Unlike conventional privacy-preserving social networking, in our setting, the aim is to deceive machine learning algorithms that used in reverse image search, while still enabling unaffected ubiquitous social networking among humans. We, for the first time, ultilize adversarial example technique as a defensive mechanism to protect image privacy against content-based image search algorithms in the context of social networking. Finally, rigorous evaluations are conducted to demonstrate the effectiveness, transferability, and robustness of the proposed countermeasure.

Yu Aust Zhang,Huan Xu,Chengfei Pei,Gaoming Yang

DOI: https://doi.org/10.7717/peerj-cs.811

2021-12-24

Abstract:The rapid development of deep neural networks (DNN) has promoted the widespread application of image recognition, natural language processing, and autonomous driving. However, DNN is vulnerable to adversarial examples, such as an input sample with imperceptible perturbation which can easily invalidate the DNN and even deliberately modify the classification results. Therefore, this article proposes a preprocessing defense framework based on image compression reconstruction to achieve adversarial example defense. Firstly, the defense framework performs pixel depth compression on the input image based on the sensitivity of the adversarial example to eliminate adversarial perturbations. Secondly, we use the super-resolution image reconstruction network to restore the image quality and then map the adversarial example to the clean image. Therefore, there is no need to modify the network structure of the classifier model, and it can be easily combined with other defense methods. Finally, we evaluate the algorithm with MNIST, Fashion-MNIST, and CIFAR-10 datasets; the experimental results show that our approach outperforms current techniques in the task of defending against adversarial example attacks.

Mingfu Xue,Xin Wang,Shichang Sun,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1007/s10489-023-04575-8

2022-01-03

Abstract:In recent years, many backdoor attacks based on training data poisoning have been proposed. However, in practice, those backdoor attacks are vulnerable to image compressions. When backdoor instances are compressed, the feature of specific backdoor trigger will be destroyed, which could result in the backdoor attack performance deteriorating. In this paper, we propose a compression-resistant backdoor attack based on feature consistency training. To the best of our knowledge, this is the first backdoor attack that is robust to image compressions. First, both backdoor images and their compressed versions are input into the deep neural network (DNN) for training. Then, the feature of each image is extracted by internal layers of the DNN. Next, the feature difference between backdoor images and their compressed versions are minimized. As a result, the DNN treats the feature of compressed images as the feature of backdoor images in feature space. After training, the backdoor attack against DNN is robust to image compression. Furthermore, we consider three different image compressions (i.e., JPEG, JPEG2000, WEBP) in feature consistency training, so that the backdoor attack is robust to multiple image compression algorithms. Experimental results demonstrate the effectiveness and robustness of the proposed backdoor attack. When the backdoor instances are compressed, the attack success rate of common backdoor attack is lower than 10%, while the attack success rate of our compression-resistant backdoor is greater than 97%. The compression-resistant attack is still robust even when the backdoor images are compressed with low compression quality. In addition, extensive experiments have demonstrated that, our compression-resistant backdoor attack has the generalization ability to resist image compression which is not used in the training process.

Computer Vision and Pattern Recognition

Mingfu Xue,Shichang Sun,Zhiyu Wu,Can He,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1016/j.jisa.2021.102993

IF: 4.96

2021-12-01

Journal of Information Security and Applications

Abstract:People are always interested in sharing photos on social platforms. However, undesirable privacy leakage may occur due to such online photo sharing. Advanced deep neural network (DNN) based object detectors can easily steal users’ personal information exposed in shared photos. In this paper, we propose a novel adversarial example based privacy-preserving technique for social images against object detectors-based privacy stealing. Specifically, we propose an Object Disappearance Algorithm to craft two kinds of adversarial social images to fool the object detector. One can hide all the objects in the social images from being detected by an object detector, and the other can make the customized sensitive objects be misclassified by the object detector. Experimental results show that, the proposed method can effectively protect the privacy of social images, while the quality of these images is not affected. The privacy-preserving success rates of the proposed method on MS-COCO and PASCAL VOC 2007 datasets are high up to 96.1% and 99.3%, respectively, and the privacy leakage rates on these two datasets are as low as 0.57% and 0.07%, respectively. Compared with common image processing methods (low brightness, noise, blur, mosaic and JPEG compression) and the existing work, the proposed method can achieve much more powerful performance in protecting the privacy of social images, while not affecting the quality of social images.

computer science, information systems

Zhenqiang Chen,Yifeng Liu,Gang Ke,Jingkai Wang,Weibin Zhao,Sio-long Lo

DOI: https://doi.org/10.1007/s44196-024-00506-8

IF: 2.259

2024-05-15

International Journal of Computational Intelligence Systems

Abstract:In recent years, related research has focused on how to safely transfer and protect the privacy of images in social network services while providing easy access by authorized users. To safeguard privacy, we suggest an image encryption scheme that combines data hiding and image encryption. The proposed scheme successfully decrypts images after JPEG compression attacks and preserves the privacy of secret regions through the use of block scrambling encryption based on region selection. Simultaneously, the scheme can handle nonuniform secret regions and obtain more sensitive secret keys because of the incorporation of a chaotic system. The enhanced deep learning-based data-hiding technology reduces algorithm complexity by enabling the encryption position to be determined in the decryption phase without the need for any information or equipment. However, this approach also increases algorithm security, because only when the right secret data are extracted can they be decrypted successfully. According to the experimental findings, the proposed scheme can correctly decrypt images via JPEG compression while maintaining visually acceptable quality. The proposed scheme can achieve greater robustness against image processing algorithms and a wider secret key space than traditional schemes.

computer science, artificial intelligence, interdisciplinary applications

Jamimamul Bakas,Praneta Rawat,Kalyan Kokkalla,Ruchira Naskar

DOI: https://doi.org/10.1007/978-3-030-05171-6_17

2024-07-03

Abstract:In this work, we deal with the problem of re compression based image forgery detection, where some regions of an image are modified illegitimately, hence giving rise to presence of dual compression characteristics within a single image. There have been some significant researches in this direction, in the last decade. However, almost all existing techniques fail to detect this form of forgery, when the first compression factor is greater than the second. We address this problem in re compression based forgery detection, here Recently, Machine Learning techniques have started gaining a lot of importance in the domain of digital image forensics. In this work, we propose a Convolution Neural Network based deep learning architecture, which is capable of detecting the presence of re compression based forgery in JPEG images. The proposed architecture works equally efficiently, even in cases where the first compression ratio is greater than the second. In this work, we also aim to localize the regions of image manipulation based on re compression features, using the trained neural network. Our experimental results prove that the proposed method outperforms the state of the art, with respect to forgery detection and localization accuracy.

Image and Video Processing,Computer Vision and Pattern Recognition

Yiren Zhao,Ilia Shumailov,Robert Mullins,Ross Anderson

DOI: https://doi.org/10.48550/arXiv.1810.00208

2020-04-17

Abstract:As deep neural networks (DNNs) become widely used, pruned and quantised models are becoming ubiquitous on edge devices; such compressed DNNs are popular for lowering computational requirements. Meanwhile, recent studies show that adversarial samples can be effective at making DNNs misclassify. We, therefore, investigate the extent to which adversarial samples are transferable between uncompressed and compressed DNNs. We find that adversarial samples remain transferable for both pruned and quantised models. For pruning, the adversarial samples generated from heavily pruned models remain effective on uncompressed models. For quantisation, we find the transferability of adversarial samples is highly sensitive to integer precision.

Cryptography and Security,Machine Learning

Zhi Cao,Youneng Bao,Fanyang Meng,Chao Li,Wen Tan,Genhong Wang,Yongsheng Liang

2024-03-16

Abstract:Deep neural network-based image compression (NIC) has achieved excellent performance, but NIC method models have been shown to be susceptible to backdoor attacks. Adversarial training has been validated in image compression models as a common method to enhance model robustness. However, the improvement effect of adversarial training on model robustness is limited. In this paper, we propose a prior knowledge-guided adversarial training framework for image compression models. Specifically, first, we propose a gradient regularization constraint for training robust teacher models. Subsequently, we design a knowledge distillation based strategy to generate a priori knowledge from the teacher model to the student model for guiding adversarial training. Experimental results show that our method improves the reconstruction quality by about 9dB when the Kodak dataset is elected as the backdoor attack object for psnr attack. Compared with Ma2023, our method has a 5dB higher PSNR output at high bitrate points.

Image and Video Processing

Yujia Liu,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1155/2017/1897438

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Online image sharing in social platforms can lead to undesired privacy disclosure. For example, some enterprises may detect these large volumes of uploaded images to do users’ in-depth preference analysis for commercial purposes. And their technology might be today’s most powerful learning model, deep neural network (DNN). To just elude these automatic DNN detectors without affecting visual quality of human eyes, we design and implement a novel Stealth algorithm, which makes the automatic detector blind to the existence of objects in an image, by crafting a kind of adversarial examples. It is just like all objects disappear after wearing an “invisible cloak” from the view of the detector. Then we evaluate the effectiveness of Stealth algorithm through our newly defined measurement, named privacy insurance. The results indicate that our scheme has considerable success rate to guarantee privacy compared with other methods, such as mosaic, blur, and noise. Better still, Stealth algorithm has the smallest impact on image visual quality. Meanwhile, we set a user adjustable parameter called cloak thickness for regulating the perturbation intensity. Furthermore, we find that the processed images have transferability property; that is, the adversarial images generated for one particular DNN will influence the others as well.

Jingui Ma,Ronggang Wang

DOI: https://doi.org/10.1109/dcc58796.2024.00090

2024-01-01

Abstract:Learned image compression has achieved better performance than traditional coding methods in terms of rate-distortion performance. However, the robustness of compression models themselves is rarely paid attention to by coding community. In this work, we explore the potential threats of image compression model, and design an imperceptible adversarial perturbation generation method based on gradient optimization. The image with our generated adversarial perturbation will lead to serious distortion on decoder side when the image is reconstructed. Specifically, we use a similar method based on Fast Gradient Sign Method (FGSM) to optimize a noise and generate an adversarial perturbation against image reconstruction. Furthermore, in order to improve the imperceptibility of our attack, we restrict the optimized noise to the high frequency region of the chrominance components of a YUV image, inspired by the characteristics of human vision system (HVS). See Figure 1 for more details. Experiments on four types of popular image compression models show that our adversarial attack can cause serious distortion on decoder side of the model while keeping the perturbation undetectable to human eyes. We hope that our work could arouse the concern of coding community to the robustness and security of AI intelligent coding technology.

Zihao Liu,Tao Liu,Wujie Wen,Lei Jiang,Jie Xu,Yanzhi Wang,Gang Quan

DOI: https://doi.org/10.48550/arXiv.1803.05788

2018-03-14

Abstract:As one of most fascinating machine learning techniques, deep neural network (DNN) has demonstrated excellent performance in various intelligent tasks such as image classification. DNN achieves such performance, to a large extent, by performing expensive training over huge volumes of training data. To reduce the data storage and transfer overhead in smart resource-limited Internet-of-Thing (IoT) systems, effective data compression is a "must-have" feature before transferring real-time produced dataset for training or classification. While there have been many well-known image compression approaches (such as JPEG), we for the first time find that a human-visual based image compression approach such as JPEG compression is not an optimized solution for DNN systems, especially with high compression ratios. To this end, we develop an image compression framework tailored for DNN applications, named "DeepN-JPEG", to embrace the nature of deep cascaded information process mechanism of DNN architecture. Extensive experiments, based on "ImageNet" dataset with various state-of-the-art DNNs, show that "DeepN-JPEG" can achieve ~3.5x higher compression rate over the popular JPEG solution while maintaining the same accuracy level for image recognition, demonstrating its great potential of storage and power efficiency in DNN-based smart IoT system design.

Computer Vision and Pattern Recognition,Graphics,Performance

Jiaming Zhang,Qi Yi,Dongyuan Lu,Jitao Sang

2023-09-03

Abstract:In light of the growing concerns regarding the unauthorized use of facial recognition systems and its implications on individual privacy, the exploration of adversarial perturbations as a potential countermeasure has gained traction. However, challenges arise in effectively deploying this approach against unauthorized facial recognition systems due to the effects of JPEG compression on image distribution across the internet, which ultimately diminishes the efficacy of adversarial perturbations. Existing JPEG compression-resistant techniques struggle to strike a balance between resistance, transferability, and attack potency. To address these limitations, we propose a novel solution referred to as \emph{low frequency adversarial perturbation} (LFAP). This method conditions the source model to leverage low-frequency characteristics through adversarial training. To further enhance the performance, we introduce an improved \emph{low-mid frequency adversarial perturbation} (LMFAP) that incorporates mid-frequency components for an additive benefit. Our study encompasses a range of settings to replicate genuine application scenarios, including cross backbones, supervisory heads, training datasets, and testing datasets. Moreover, we evaluated our approaches on a commercial black-box API, \texttt{Face++}. The empirical results validate the cutting-edge performance achieved by our proposed solutions.

Computer Vision and Pattern Recognition,Image and Video Processing

Gintare Karolina Dziugaite,Zoubin Ghahramani,Daniel M. Roy

DOI: https://doi.org/10.48550/arXiv.1608.00853

2016-08-02

Abstract:Neural network image classifiers are known to be vulnerable to adversarial images, i.e., natural images which have been modified by an adversarial perturbation specifically designed to be imperceptible to humans yet fool the classifier. Not only can adversarial images be generated easily, but these images will often be adversarial for networks trained on disjoint subsets of data or with different architectures. Adversarial images represent a potential security risk as well as a serious machine learning challenge---it is clear that vulnerable neural networks perceive images very differently from humans. Noting that virtually every image classification data set is composed of JPG images, we evaluate the effect of JPG compression on the classification of adversarial images. For Fast-Gradient-Sign perturbations of small magnitude, we found that JPG compression often reverses the drop in classification accuracy to a large extent, but not always. As the magnitude of the perturbations increases, JPG recompression alone is insufficient to reverse the effect.

Computer Vision and Pattern Recognition,Machine Learning

Mengtian Wu,Zaixing He,Xinyue Zhao,Shuyou Zhang

DOI: https://doi.org/10.1109/gcce46687.2019.9015273

2019-01-01

Abstract:We propose a new lossy image compression algorithm for images from consumer photo storage on the generative adversarial networks (GANs). It uses a pre-trained generator model as decoder and an algorithm called back-propagation-to-the-input as encoder. In compression process, this method could compress images with extremely small compression storage. Experiments demonstrate that this method surpasses the traditional ways in compression ratio and reconstruct representation.

Jiajun Huang,Xinqi Zhu,Chengbin Du,Siqi Ma,Surya Nepal,Chang Xu

DOI: https://doi.org/10.48550/arXiv.2302.06183

2023-02-13

Abstract:Forgery facial images and videos have increased the concern of digital security. It leads to the significant development of detecting forgery data recently. However, the data, especially the videos published on the Internet, are usually compressed with lossy compression algorithms such as H.264. The compressed data could significantly degrade the performance of recent detection algorithms. The existing anti-compression algorithms focus on enhancing the performance in detecting heavily compressed data but less consider the compression adaption to the data from various compression levels. We believe creating a forgery detection model that can handle the data compressed with unknown levels is important. To enhance the performance for such models, we consider the weak compressed and strong compressed data as two views of the original data and they should have similar representation and relationships with other samples. We propose a novel anti-compression forgery detection framework by maintaining closer relations within data under different compression levels. Specifically, the algorithm measures the pair-wise similarity within data as the relations, and forcing the relations of weak and strong compressed data close to each other, thus improving the discriminate power for detecting strong compressed data. To achieve a better strong compressed data relation guided by the less compressed one, we apply video level contrastive learning for weak compressed data, which forces the model to produce similar representations within the same video and far from the negative samples. The experiment results show that the proposed algorithm could boost performance for strong compressed data while improving the accuracy rate when detecting the clean data.

Computer Vision and Pattern Recognition