Yanru Xiao,Cong Wang,Xing Gao

DOI: https://doi.org/10.1109/cvpr42600.2020.00967

2020-01-01

Computer Vision and Pattern Recognition

Abstract:With the rapid growth of visual content, deep learning to hash is gaining popularity in the image retrieval community recently. Although it greatly facilitates search efficiency, privacy is also at risks when images on the web are retrieved at a large scale and exploited as a rich mine of personal information. An adversary can extract private images by querying similar images from the targeted category for any usable model. Existing methods based on image processing preserve privacy at a sacrifice of perceptual quality. In this paper, we propose a new mechanism based on adversarial examples to "stash'' private images in the deep hash space while maintaining perceptual similarity. We first find that a simple approach of hamming distance maximization is not robust against brute-force adversaries. Then we develop a new loss function by maximizing the hamming distance to not only the original category, but also the centers from all the classes, partitioned into clusters of various sizes. The extensive experiment shows that the proposed defense can harden the attacker's efforts by 2-7 orders of magnitude, without significant increase of computational overhead and perceptual degradation. We also demonstrate 30-60% transferability in hash space with a black-box setting. The code is available at: https://github.com/sugarruy/hashstash

Qiang Liu,Yanlong Qiu,Tongqing Zhou,Ming Xu,Jiaohua Qin,Wentao Ma,Fan Zhang,Zhiping Cai

DOI: https://doi.org/10.1109/tcsvt.2024.3489886

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep cross-modal retrieval, with its effective and efficient search capabilities, has gained widespread adoption in today’s media-sharing practices yet raises concerns regarding potential threats to user data privacy. The cutting-edge data-centric countermeasures usually adopt adversarial learning, i.e., laboriously crafting the proper perturbation for each image, resulting in the noticeable noise in adversarial examples that greatly undermines the aesthetic appeal of image sharing. To address this issue, we propose a novel Model-centric Cross-modal Privacy-preserving framework (MCP), wherein the pre-defined invisible backdoor is seamlessly integrated into the global retrieval model via backdoor learning, thereby effectively preventing shared images containing such triggers from being retrieved. Specifically, we introduce a simple yet effective cross-modal backdoor learning algorithm that alternately optimizes two losses: 1) a privacy-preserving loss for perturbing retrieval with a user-injected trigger and 2) the standard utility loss for maintaining normal retrieval performance. Compared to state-of-the-art methods, MCP excels in providing excellent stealthiness, manifesting in a notable improvement of approximately 100% in SSIM metrics. Furthermore, it achieves an outstanding privacy-preserving (backdoor) success rate, as evidenced by a substantial mAP reduction of 22.3% (for FashionVC), 11.5% (for NUS-WIDE), and 21.8% (for MIRFlickr-25K) in poisoned retrieval, while maintaining similar normal retrieval performance. Additionally, MCP exhibits robust resistance against potential black-box defenses (e.g., trigger filtering) and white-box defenses (e.g., fine-tuning and model pruning). The code and data are available at https://github.com/lqsunshine/MCP.

Yanru Xiao,Cong Wang

DOI: https://doi.org/10.1109/CVPR46437.2021.00197

2021-01-01

Abstract:With the large multimedia content online, deep hashing has become a popular method for efficient image retrieval and storage. However, by inheriting the algorithmic back-end from softmax classification, these techniques are vulnerable to the well-known adversarial examples as well. The massive collection of online images into the database also opens up new attack vectors. Attackers can embed adversarial images into the database and target specific categories to be retrieved by user queries. In this paper, we start from an adversarial standpoint to explore and enhance the capacity of targeted black-box transferability attack for deep hashing. We motivate this work by a series of empirical studies to see the unique challenges in image retrieval. We study the relations between adversarial subspace and black-box transferability via utilizing random noise as a proxy. Then we develop a new attack that is simultaneously adversarial and robust to noise to enhance transferability. Our experimental results demonstrate about 1.2-3x improvements of black-box transferability compared with the state-of-the-art mechanisms.

Jiajie Zhang,Bingsheng Zhang,Jiancheng Lin

DOI: https://doi.org/10.1109/EuroSPW.2019.00030

2019-01-01

Abstract:This work investigates the image privacy problem in the context of social networking under the threat of reverse image search. We introduce a new concept called recessive social networking. Unlike conventional privacy-preserving social networking, in our setting, the aim is to deceive machine learning algorithms that used in reverse image search, while still enabling unaffected ubiquitous social networking among humans. We, for the first time, ultilize adversarial example technique as a defensive mechanism to protect image privacy against content-based image search algorithms in the context of social networking. Finally, rigorous evaluations are conducted to demonstrate the effectiveness, transferability, and robustness of the proposed countermeasure.

Yujia Liu,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1155/2017/1897438

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Online image sharing in social platforms can lead to undesired privacy disclosure. For example, some enterprises may detect these large volumes of uploaded images to do users’ in-depth preference analysis for commercial purposes. And their technology might be today’s most powerful learning model, deep neural network (DNN). To just elude these automatic DNN detectors without affecting visual quality of human eyes, we design and implement a novel Stealth algorithm, which makes the automatic detector blind to the existence of objects in an image, by crafting a kind of adversarial examples. It is just like all objects disappear after wearing an “invisible cloak” from the view of the detector. Then we evaluate the effectiveness of Stealth algorithm through our newly defined measurement, named privacy insurance. The results indicate that our scheme has considerable success rate to guarantee privacy compared with other methods, such as mosaic, blur, and noise. Better still, Stealth algorithm has the smallest impact on image visual quality. Meanwhile, we set a user adjustable parameter called cloak thickness for regulating the perturbation intensity. Furthermore, we find that the processed images have transferability property; that is, the adversarial images generated for one particular DNN will influence the others as well.

Haichuan Zhang,Meiyu Lin,Zhaoyi Liu,Renyuan Li,Zhiyuan Cheng,Carl Yang,Mingjie Tang

2024-10-19

Abstract:As generative models achieve great success, tampering and modifying the sensitive image contents (i.e., human faces, artist signatures, commercial logos, etc.) have induced a significant threat with social impact. The backdoor attack is a method that implants vulnerabilities in a target model, which can be activated through a trigger. In this work, we innovatively prevent the abuse of image content modification by implanting the backdoor into image-editing models. Once the protected sensitive content on an image is modified by an editing model, the backdoor will be triggered, making the editing fail. Unlike traditional backdoor attacks that use data poisoning, to enable protection on individual images and eliminate the need for model training, we developed the first framework for run-time backdoor implantation, which is both time- and resource- efficient. We generate imperceptible perturbations on the images to inject the backdoor and define the protected area as the only backdoor trigger. Editing other unprotected insensitive areas will not trigger the backdoor, which minimizes the negative impact on legal image modifications. Evaluations with state-of-the-art image editing models show that our protective method can increase the CLIP-FID of generated images from 12.72 to 39.91, or reduce the SSIM from 0.503 to 0.167 when subjected to malicious editing. At the same time, our method exhibits minimal impact on benign editing, which demonstrates the efficacy of our proposed framework. The proposed run-time backdoor can also achieve effective protection on the latest diffusion models. Code are available.

Cryptography and Security

Dominik Hintersdorf,Lukas Struppek,Daniel Neider,Kristian Kersting

DOI: https://doi.org/10.48550/arXiv.2310.08320

2024-07-23

Abstract:The proliferation of large AI models trained on uncurated, often sensitive web-scraped data has raised significant privacy concerns. One of the concerns is that adversaries can extract information about the training data using privacy attacks. Unfortunately, the task of removing specific information from the models without sacrificing performance is not straightforward and has proven to be challenging. We propose a rather easy yet effective defense based on backdoor attacks to remove private information, such as names and faces of individuals, from vision-language models by fine-tuning them for only a few minutes instead of re-training them from scratch. Specifically, by strategically inserting backdoors into text encoders, we align the embeddings of sensitive phrases with those of neutral terms-"a person" instead of the person's actual name. For image encoders, we map individuals' embeddings to be removed from the model to a universal, anonymous embedding. The results of our extensive experimental evaluation demonstrate the effectiveness of our backdoor-based defense on CLIP by assessing its performance using a specialized privacy attack for zero-shot classifiers. Our approach provides a new "dual-use" perspective on backdoor attacks and presents a promising avenue to enhance the privacy of individuals within models trained on uncurated web-scraped data.

Machine Learning,Computation and Language,Cryptography and Security,Computer Vision and Pattern Recognition

Kealan Dunnett,Reza Arablouei,Dimity Miller,Volkan Dedeoglu,Raja Jurdak

2024-11-18

Abstract:The widespread adoption of deep learning across various industries has introduced substantial challenges, particularly in terms of model explainability and security. The inherent complexity of deep learning models, while contributing to their effectiveness, also renders them susceptible to adversarial attacks. Among these, backdoor attacks are especially concerning, as they involve surreptitiously embedding specific triggers within training data, causing the model to exhibit aberrant behavior when presented with input containing the triggers. Such attacks often exploit vulnerabilities in outsourced processes, compromising model integrity without affecting performance on clean (trigger-free) input data. In this paper, we present a comprehensive review of existing mitigation strategies designed to counter backdoor attacks in image recognition. We provide an in-depth analysis of the theoretical foundations, practical efficacy, and limitations of these approaches. In addition, we conduct an extensive benchmarking of sixteen state-of-the-art approaches against eight distinct backdoor attacks, utilizing three datasets, four model architectures, and three poisoning ratios. Our results, derived from 122,236 individual experiments, indicate that while many approaches provide some level of protection, their performance can vary considerably. Furthermore, when compared to two seminal approaches, most newer approaches do not demonstrate substantial improvements in overall performance or consistency across diverse settings. Drawing from these findings, we propose potential directions for developing more effective and generalizable defensive mechanisms in the future.

Cryptography and Security,Machine Learning

Mingjie Sun,J. Zico Kolter

2023-12-18

Abstract:Backdoor inversion, a central step in many backdoor defenses, is a reverse-engineering process to recover the hidden backdoor trigger inserted into a machine learning model. Existing approaches tackle this problem by searching for a backdoor pattern that is able to flip a set of clean images into the target class, while the exact size needed of this support set is rarely investigated. In this work, we present a new approach for backdoor inversion, which is able to recover the hidden backdoor with as few as a single image. Insipired by recent advances in adversarial robustness, our method SmoothInv starts from a single clean image, and then performs projected gradient descent towards the target class on a robust smoothed version of the original backdoored classifier. We find that backdoor patterns emerge naturally from such optimization process. Compared to existing backdoor inversion methods, SmoothInv introduces minimum optimization variables and does not require complex regularization schemes. We perform a comprehensive quantitative and qualitative study on backdoored classifiers obtained from existing backdoor attacks. We demonstrate that SmoothInv consistently recovers successful backdoors from single images: for backdoored ImageNet classifiers, our reconstructed backdoors have close to 100% attack success rates. We also show that they maintain high fidelity to the underlying true backdoors. Last, we propose and analyze two countermeasures to our approach and show that SmoothInv remains robust in the face of an adaptive attacker. Our code is available at <a class="link-external link-https" href="https://github.com/locuslab/smoothinv" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Kuanrong Liu,Siyuan Liang,Jiawei Liang,Pengwen Dai,Xiaochun Cao

2024-09-29

Abstract:Multimodal contrastive learning uses various data modalities to create high-quality features, but its reliance on extensive data sources on the Internet makes it vulnerable to backdoor attacks. These attacks insert malicious behaviors during training, which are activated by specific triggers during inference, posing significant security risks. Despite existing countermeasures through fine-tuning that reduce the malicious impacts of such attacks, these defenses frequently necessitate extensive training time and degrade clean accuracy. In this study, we propose an efficient defense mechanism against backdoor threats using a concept known as machine unlearning. This entails strategically creating a small set of poisoned samples to aid the model's rapid unlearning of backdoor vulnerabilities, known as Unlearn Backdoor Threats (UBT). We specifically use overfit training to improve backdoor shortcuts and accurately detect suspicious samples in the potential poisoning data set. Then, we select fewer unlearned samples from suspicious samples for rapid forgetting in order to eliminate the backdoor effect and thus improve backdoor defense efficiency. In the backdoor unlearning process, we present a novel token-based portion unlearning training regime. This technique focuses on the model's compromised elements, dissociating backdoor correlations while maintaining the model's overall integrity. Extensive experimental results show that our method effectively defends against various backdoor attack methods in the CLIP model. Compared to SoTA backdoor defense methods, UBT achieves the lowest attack success rate while maintaining a high clean accuracy of the model (attack success rate decreases by 19% compared to SOTA, while clean accuracy increases by 2.57%).

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Shuang Li,Hongwei Li,Hanxiao Chen

DOI: https://doi.org/10.1109/globecom46510.2021.9685762

2021-01-01

Abstract:Lack of transparency in deep learning models makes them vulnerable to backdoor attack, which can cause severe security consequences. For a backdoored model, the specific inputs can trigger misclassification rules while it performs normal behaviors on clean data. Existing backdoor attacks usually generate poisoned data by adding an obvious trigger to the original data and mislabeling them, which suffers from poor invisibility and hence can be easily detected. In this paper, we propose Stand-in Backdoor, a more stealthy and powerful backdoor attack, which can completely hide the trigger while maintaining correct labels of poisoned data. Specifically, we design a novel optimization strategy to transform triggers into imperceptible perturbation in the feature space. Furthermore, utilizing the transferability of feature perturbation, we fine-tune the victim model with well-constructed poisoned data that are correctly labeled. Extensive experiments conducted on various image classification tasks demonstrate that our attack outperforms the state-of-the-art work in terms of backdoor stealth and attack performance, without sacrificing the model's utility.

Ricardo Sanchez-Matilla,Chau Yi Li,Ali Shahin Shamsabadi,Riccardo Mazzon,Andrea Cavallaro

DOI: https://doi.org/10.48550/arXiv.2007.09766

2020-07-19

Computer Vision and Pattern Recognition

Abstract:Adversarial perturbations can be added to images to protect their content from unwanted inferences. These perturbations may, however, be ineffective against classifiers that were not {seen} during the generation of the perturbation, or against defenses {based on re-quantization, median filtering or JPEG compression. To address these limitations, we present an adversarial attack {that is} specifically designed to protect visual content against { unseen} classifiers and known defenses. We craft perturbations using an iterative process that is based on the Fast Gradient Signed Method and {that} randomly selects a classifier and a defense, at each iteration}. This randomization prevents an undesirable overfitting to a specific classifier or defense. We validate the proposed attack in both targeted and untargeted settings on the private classes of the Places365-Standard dataset. Using ResNet18, ResNet50, AlexNet and DenseNet161 {as classifiers}, the performance of the proposed attack exceeds that of eleven state-of-the-art attacks. The implementation is available at https://github.com/smartcameras/RP-FGSM/.

Wenbo Jiang,Hongwei Li,Jiaming He,Rui Zhang,Guowen Xu,Tianwei Zhang,Rongxing Lu

2024-07-15

Abstract:Recently, deep learning-based Image-to-Image (I2I) networks have become the predominant choice for I2I tasks such as image super-resolution and denoising. Despite their remarkable performance, the backdoor vulnerability of I2I networks has not been explored. To fill this research gap, we conduct a comprehensive investigation on the susceptibility of I2I networks to backdoor attacks. Specifically, we propose a novel backdoor attack technique, where the compromised I2I network behaves normally on clean input images, yet outputs a predefined image of the adversary for malicious input images containing the trigger. To achieve this I2I backdoor attack, we propose a targeted universal adversarial perturbation (UAP) generation algorithm for I2I networks, where the generated UAP is used as the backdoor trigger. Additionally, in the backdoor training process that contains the main task and the backdoor task, multi-task learning (MTL) with dynamic weighting methods is employed to accelerate convergence rates. In addition to attacking I2I tasks, we extend our I2I backdoor to attack downstream tasks, including image classification and object detection. Extensive experiments demonstrate the effectiveness of the I2I backdoor on state-of-the-art I2I network architectures, as well as the robustness against different mainstream backdoor defenses.

Computer Vision and Pattern Recognition,Artificial Intelligence

Mingfu Xue,Shichang Sun,Zhiyu Wu,Can He,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.1016/j.jisa.2021.102993

IF: 4.96

2021-12-01

Journal of Information Security and Applications

Abstract:People are always interested in sharing photos on social platforms. However, undesirable privacy leakage may occur due to such online photo sharing. Advanced deep neural network (DNN) based object detectors can easily steal users’ personal information exposed in shared photos. In this paper, we propose a novel adversarial example based privacy-preserving technique for social images against object detectors-based privacy stealing. Specifically, we propose an Object Disappearance Algorithm to craft two kinds of adversarial social images to fool the object detector. One can hide all the objects in the social images from being detected by an object detector, and the other can make the customized sensitive objects be misclassified by the object detector. Experimental results show that, the proposed method can effectively protect the privacy of social images, while the quality of these images is not affected. The privacy-preserving success rates of the proposed method on MS-COCO and PASCAL VOC 2007 datasets are high up to 96.1% and 99.3%, respectively, and the privacy leakage rates on these two datasets are as low as 0.57% and 0.07%, respectively. Compared with common image processing methods (low brightness, noise, blur, mosaic and JPEG compression) and the existing work, the proposed method can achieve much more powerful performance in protecting the privacy of social images, while not affecting the quality of social images.

computer science, information systems

Zhen Xiang,David J. Miller,George Kesidis

DOI: https://doi.org/10.48550/arXiv.2010.07489

2020-10-15

Abstract:Backdoor data poisoning is an emerging form of adversarial attack usually against deep neural network image classifiers. The attacker poisons the training set with a relatively small set of images from one (or several) source class(es), embedded with a backdoor pattern and labeled to a target class. For a successful attack, during operation, the trained classifier will: 1) misclassify a test image from the source class(es) to the target class whenever the same backdoor pattern is present; 2) maintain a high classification accuracy for backdoor-free test images. In this paper, we make a break-through in defending backdoor attacks with imperceptible backdoor patterns (e.g. watermarks) before/during the training phase. This is a challenging problem because it is a priori unknown which subset (if any) of the training set has been poisoned. We propose an optimization-based reverse-engineering defense, that jointly: 1) detects whether the training set is poisoned; 2) if so, identifies the target class and the training images with the backdoor pattern embedded; and 3) additionally, reversely engineers an estimate of the backdoor pattern used by the attacker. In benchmark experiments on CIFAR-10, for a large variety of attacks, our defense achieves a new state-of-the-art by reducing the attack success rate to no more than 4.9% after removing detected suspicious training images.

Machine Learning

Depeng Chen,Hao Chen,Hulin Jin,Jie Cui,Hong Zhong

2024-11-25

Abstract:Membership inference attacks (MIAs) are critical tools for assessing privacy risks and ensuring compliance with regulations like the General Data Protection Regulation (GDPR). However, their potential for auditing unauthorized use of data remains under explored. To bridge this gap, we propose a novel clean-label backdoor-based approach for MIAs, designed specifically for robust and stealthy data auditing. Unlike conventional methods that rely on detectable poisoned samples with altered labels, our approach retains natural labels, enhancing stealthiness even at low poisoning rates. Our approach employs an optimal trigger generated by a shadow model that mimics the target model's behavior. This design minimizes the feature-space distance between triggered samples and the source class while preserving the original data labels. The result is a powerful and undetectable auditing mechanism that overcomes limitations of existing approaches, such as label inconsistencies and visual artifacts in poisoned samples. The proposed method enables robust data auditing through black-box access, achieving high attack success rates across diverse datasets and model architectures. Additionally, it addresses challenges related to trigger stealthiness and poisoning durability, establishing itself as a practical and effective solution for data auditing. Comprehensive experiments validate the efficacy and generalizability of our approach, outperforming several baseline methods in both stealth and attack success metrics.

Cryptography and Security,Artificial Intelligence

Wenjuan Lian,Yichi Zhang,Xin Chen,Bin Jia,Xiaosong Zhang

DOI: https://doi.org/10.1155/2023/6357750

IF: 8.993

2023-09-07

International Journal of Intelligent Systems

Abstract:Although there are some protection mechanisms in federated learning, its training process is still vulnerable to some powerful attacks, such as invisible backdoor attacks. Existing research work focuses more on how to prevent attacks in distributed training scenarios and improve the security of the FL training process, but it lacks consideration of utility and robustness, especially when the learning model of FL suffers from stealth backdoor attacks. This paper proposes an improved FL defense scheme IPCADP based on user-level differential privacy and variational autoencoders technology. The scheme can control and protect the privacy attribute of the image and can also eliminate the triggers that exist in the poisoned image. The experimental results show that compared with some existing defense schemes, IPCADP can defend against invisible backdoor attacks and improve the classification accuracy of the main task, while mitigating the impact of attacks on model robustness and stability. To a certain extent, the balance and unity of security, utility, and robustness are realized.

computer science, artificial intelligence

Ruitao Hou,Kanghua Mo,Yucheng Long,Ning Li,Yuan Rao

DOI: https://doi.org/10.1016/j.ins.2024.120874

IF: 8.1

2024-06-07

Information Sciences

Abstract:Recent advancements in deep learning have substantially boosted the performance of monocular depth estimation (MDE), an essential component in fully-vision-based autonomous driving systems (e.g., Tesla and Toyota). These advancements, however, have been primarily directed towards optimizing performance, with limited consideration for security vulnerabilities. This study introduces the first backdoor attack against self-supervised MDE models. By conceptualizing backdoor attacks as a multi-task challenge, we propose a novel attack framework that employs multi-task learning to iteratively optimize the standard MDE subtask and the backdoor learning subtask. Within this framework, we design two types of backdoor attacks: Target Disappearing Backdoor Attack (TDBA) and Depth Increasing Backdoor Attack (DIBA). TDBA renders specific objects invisible to the compromised model, while DIBA dramatically inflates the depth of trigger-associated objects. Extensive evaluations on three mainstream MDE models show that TDBA can make the target model directly ignore the specific objects, with a mean depth error under 0.06 meters, while DIBA significantly increases the depth for trigger-associated objects, resulting in a mean depth error exceeding 94.2 meters. These findings highlight the urgent need for advanced security measures in the development of MDE models, to mitigate such vulnerabilities.

computer science, information systems

Wanlun Ma,Derui Wang,Chao Chen,Sheng Wen,Gaolei Fei,Yang Xiang

DOI: https://doi.org/10.1109/tdsc.2024.3376929

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The privacy of social media users is a major concern when the users share their content to the public. Sensitive information such as the location of the users can be inferred from relevant content without arising the awareness of the users. With blooming services provided by social media platforms, the users have more freedom to share information via diverse data formats. The multi-modality of the shared information may, in return, worsen the private information leakage caused by inference attacks. In this paper, we first examine the problem of location inference on multi-modal data comprised of textual information and visual content. It is observed that the visual content, such as photos shared by social media users, can significantly boost the success rate of location inference. To thwart adversaries who are driven by visual-related data, we propose a defence that mitigates the threat of location privacy breach under an imperceptible utility loss. Our defence, namely LocGuard, perturbs the photos in a one-off manner before sharing them. The perturbations, along with a simple but effective bipartite perturbation strategy, ensure that LocGuard is resistant to adaptive adversaries who can perform adversarial training based on the perturbed photos. Moreover, LocGuard remains effective against open-set adversaries whose data categories in the training dataset are hidden from the defender. In the evaluation, we conduct extensive experiments based on real-world datasets and compare our work with previous methods. The results show that LocGuard significantly outperforms the existing defences. In particular, LocGuard not only achieves better privacy protection and utility preservation for image sharing, but also can effectively defend against adversarial-training-capable attackers.

computer science, information systems, software engineering, hardware & architecture

Ming Li,Zhaoli Yang,Tao Wang,Yushu Zhang,Wenying Wen

DOI: https://doi.org/10.1109/tcsvt.2024.3448351

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:In recent years, the uploading of massive personal images has increased the security risks, mainly including privacy breaches and copyright infringement. Adversarial examples provide a novel solution for protecting image privacy, as they can evade the detection by deep neural network (DNN)-based recognizers. However, the perturbations in the adversarial examples typically meaningless and therefore cannot be extracted as traceable information to support copyright protection. In this paper, we designed a dual protection scheme for image privacy and copyright via traceable adversarial examples. Specifically, a traceable adversarial model is proposed, which can be used to embed the invisible copyright information into images for copyright protection while fooling DNN-based recognizers for privacy protection. Inspired by the training method of generative adversarial networks (GANs), a new dynamic adversarial training strategy is designed, which allows our model for achieving stable multi-objective learning. Experimental results show that our scheme is exceptionally robust in the face of a variety of noise conditions and image processing methods, while exhibiting good model migration and defense robustness.