Xiuli Chai,Yakun Ma,Yinjing Wang,Zhihua Gan,Yushu Zhang

DOI: https://doi.org/10.1109/tmm.2023.3345158

IF: 7.3

2023-01-01

IEEE Transactions on Multimedia

Abstract:The growing practice of outsourcing captured photos to the cloud has provided users with convenience while also raising privacy concerns. Traditional image encryption techniques prioritize privacy protection but often compromise usability, which is unacceptable for cloud users. To strike a balance between image privacy and usability, scholars have proposed thumbnail-preserving encryption (TPE), whose cipher image preserves the same thumbnail as the plain image while erasing details beyond the thumbnail, providing visual usability while protecting privacy. Regrettably, most of the proposed TPE schemes are not well-suited for widely used JPEG images, and existing TPE schemes supporting JPEG suffer from drawbacks such as poor visual usability, high expansion rate, and the inability to decrypt without loss. Besides, the retrieval designed for TPE-encrypted images exhibits limited generalization. To address these challenges, we pertinently introduce a TPE based on adaptive deviation embedding (TPE-ADE) for JPEG images, incorporating Huffman coding and reversible data hiding techniques. By leveraging JPEG in-compression encryption, we achieve perfectly reversible TPE that enhances visual usability and reduces expansion rates of TPE-encrypted images. Additionally, we encourage the TPE-encrypted images to resemble low-resolution images (LRIs). Then, the convolutional neural network (CNN) is employed to recognize and retrieve LRIs to verify the functionality of TPE-encrypted images. Also, a teacher-assistant-student (TAS) learning paradigm is proposed to optimize the CNN model, enhancing the performances of recognition and retrieval. Experimental results validate the superiority of our encryption algorithm and the effectiveness of TAS.

Jiacheng Zhao,Xiuming Zhao,Zhihua Gan,Xiuli Chai,Tianfeng Ma,Zhen Chen

DOI: https://doi.org/10.1007/s00530-024-01425-6

IF: 3.9

2024-01-01

Multimedia Systems

Abstract:The rise of online sharing platforms has provided people with diverse and convenient ways to share images. However, a substantial amount of sensitive user information is contained within these images, which can be easily captured by malicious neural networks. To ensure the secure utilization of authorized protected data, reversible adversarial attack techniques have emerged. Existing algorithms for generating adversarial examples do not strike a good balance between visibility and attack capability. Additionally, the network oscillations generated during the training process affect the quality of the final examples. To address these shortcomings, we propose a novel reversible adversarial network based on generative adversarial networks (RA-RevGAN). In this paper, the generator is used for noise generation to map features into perturbations of the image, while the region selection module confines these perturbations to specific areas that significantly affect classification. Furthermore, a robust attack mechanism is integrated into the discriminator to stabilize the network’s training by optimizing convergence speed and minimizing time cost. Extensive experiments have demonstrated that the proposed method ensures a high image generation rate, excellent attack capability, and superior visual quality while maintaining high classification accuracy in image restoration.

Zhaoxia Yin,Hua Wang,Li Chen,Jie Wang,Weiming Zhang

DOI: https://doi.org/10.48550/arxiv.1911.02360

2019-01-01

Abstract:In order to prevent illegal or unauthorized access of image data such ashuman faces and ensure legitimate users can use authorization-protected data,reversible adversarial attack technique is rise. Reversible adversarialexamples (RAE) get both attack capability and reversibility at the same time.However, the existing technique can not meet application requirements becauseof serious distortion and failure of image recovery when adversarialperturbations get strong. In this paper, we take advantage of Reversible ImageTransformation technique to generate RAE and achieve reversible adversarialattack. Experimental results show that proposed RAE generation scheme canensure imperceptible image distortion and the original image can bereconstructed error-free. What's more, both the attack ability and the imagequality are not limited by the perturbation amplitude.

Jiayang Liu,Weiming Zhang,Kazuto Fukuchi,Youhei Akimoto,Jun Sakuma

DOI: https://doi.org/10.1016/j.patcog.2022.109048

IF: 8

2023-01-01

Pattern Recognition

Abstract:In this study, we propose a new methodology to control how user's data is recognized and used by AI via exploiting the properties of adversarial examples. For this purpose, we propose reversible adversarial example (RAE), a new type of adversarial example. A remarkable feature of RAE is that the image can be correctly recognized and used by the AI model specified by the user because the authorized AI can recover the original image from the RAE exactly by eliminating adversarial perturbation. On the other hand, other unauthorized AI models cannot recognize it correctly because it functions as an adversarial example. Moreover, RAE can be considered as one type of encryption to computer vision since reversibil-ity guarantees the decryption. To realize RAE, we combine three technologies, adversarial example, re-versible data hiding for exact recovery of adversarial perturbation, and encryption for selective control of AIs who can remove adversarial perturbation. Experimental results show that the proposed method can achieve comparable attack ability with the corresponding adversarial attack method and similar visual quality with the original image, including white-box attacks and black-box attacks. (c) 2022 Elsevier Ltd. All rights reserved.

Zhen Chen,Xiuli Chai,Zhihua Gan,Binjie Wang,Yushu Zhang

DOI: https://doi.org/10.1109/jiot.2024.3373636

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Medical images on the Internet of Medical Things (IoMT) can be easily collected, recognized and analyzed by unauthorized individuals and companies using deep neural networks (DNNs). The illegal use of this data compromises patient privacy and the rights of authorized users. The reversible adversarial example (RAE) is proposed to prevent unauthorized DNNs from recognizing privacy images without affecting authorized users. Nevertheless, existing RAE methods lack research on copyright protection, and unrestricted distribution and sale of these images can seriously jeopardize the copyrights of the image owners. To address this issue, this paper proposes an RAE based on visible watermark perturbation (RAE-VWP). Specifically, we first obtain the watermark embedding region (WER) of the image by the proposed saliency map fusion algorithm and save the information of this region using the reversible data hiding technique. Then, the proposed adaptive memory harmony search algorithm is applied to optimize the position and transparency of the embedded watermark perturbation. Finally, the RAE is generated by embedding the watermark perturbation into the WER of the image using the alpha blending technique. Particularly, the ensemble watermark vaccine is proposed to defend against attacks from watermark removal networks, significantly improving the robustness of RAE-VWP. The original image can be recovered without distortion by extracting the information saved in the RAE. Numerous experiments have shown that RAE-VWP can simultaneously protect image privacy and copyright with excellent reversibility.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiuli Chai,Yinjing Wang,Zhihua Gan,Xiuhui Chen,Yushu Zhang

DOI: https://doi.org/10.1016/j.ins.2022.05.008

IF: 8.1

2022-01-01

Information Sciences

Abstract:Owing to the rapid development of cloud services and personal privacy requirements, content-based encrypted image retrieval in the cloud has been increasing. Outsourced images are encrypted into noiselike ones to protect privacy, however, the obtained unrecognized appearance limits their availability. Besides, users have to decrypt all search results to browse, while some of them may not be needed, which undoubtedly wastes bandwidth and computing resources. To cope with this problem, a compromise strategy is proposed that considers the tradeoff between privacy and usability of cipher images. Wherein, a thumbnail preserving encryption (TPE) based on genetic algorithm is proposed. The pixels in the sub-blocks of the plain image are scrambled and diffused at the bit-level through crossover and mutation operators of the genetic algorithm. Moreover, two new operators of Mutation Compensation and Mutation Failure are defined and incorporated into the traditional genetic algorithm to achieve an ideal TPE, that cipher image has the same thumbnail as the original image. Additionally, a color histogram-based retrieval algorithm is introduced to retrieve cipher images using the color information preserved by thumbnails; and to improve retrieval accuracy by using the Bhattacharyya distance. A series of simulations verify the security and effectiveness of our scheme.

Wang Yinjing,Chai Xiuli,Gan Zhihua,Zhang Yushu,Chen Xiuhui,He Xin

DOI: https://doi.org/10.1007/s10489-022-03597-y

IF: 5.3

2022-01-01

Applied Intelligence

Abstract:With the development of cloud storage, more and more users upload images to the cloud. However, images stored in the cloud face the risk of unauthorized data mining by cloud service providers and being stolen by hackers. Encryption can protect image privacy, but traditional image encryption algorithms sacrifice image usability for security. To protect privacy while preserving image usability, two approximate thumbnail-preserving encryption (TPE) schemes, called dynamic range preserving encryption (DRPE) and approximate TPE with LSB Embedding (TPE-LSB), have been presented by Marohn in 2017. However, there is the possibility of decryption failure for DRPE, the cipher image robustness is poor for TPE-LSB, which cannot resist noise attacks. Additionally, both methods have the problems of the high file expansion rate of cipher image and poor perceptual quality of cipher image thumbnail. To solve these problems, a multi-level DWT information self-embedding method for thumbnail preserving encryption (TPE-ISE) is proposed. Compared with the previous works, the TPE-ISE scheme achieves a controllable compression ratio of cipher images, the perceptual quality of cipher images is closer to that of plain images, and the ability of cipher images to resist noise attacks is stronger. A series of experiments verify the superiority of the proposed algorithm.

Jiayang Liu,Weiming Zhang,Kazuto Fukuchi,Youhei Akimoto,Jun Sakuma

DOI: https://doi.org/10.1016/j.patcog.2022.109048

IF: 8

2023-01-01

Pattern Recognition

Abstract:• Reversible adversarial example controls how user’s data is recognized by AI. • The original image can be exactly recovered from reversible adversarial example. • Reversible adversarial example still functions as adversarial example. In this study, we propose a new methodology to control how user’s data is recognized and used by AI via exploiting the properties of adversarial examples. For this purpose, we propose reversible adversarial example (RAE), a new type of adversarial example. A remarkable feature of RAE is that the image can be correctly recognized and used by the AI model specified by the user because the authorized AI can recover the original image from the RAE exactly by eliminating adversarial perturbation. On the other hand, other unauthorized AI models cannot recognize it correctly because it functions as an adversarial example. Moreover, RAE can be considered as one type of encryption to computer vision since reversibility guarantees the decryption. To realize RAE, we combine three technologies, adversarial example, reversible data hiding for exact recovery of adversarial perturbation, and encryption for selective control of AIs who can remove adversarial perturbation. Experimental results show that the proposed method can achieve comparable attack ability with the corresponding adversarial attack method and similar visual quality with the original image, including white-box attacks and black-box attacks.

Haodong Zhang,Chi Man Pun,Xia Du

2023-06-20

Abstract:Reversible adversarial examples (RAE) combine adversarial attacks and reversible data-hiding technology on a single image to prevent illegal access. Most RAE studies focus on achieving white-box attacks. In this paper, we propose a novel framework to generate reversible adversarial examples, which combines a novel beam search based black-box attack and reversible data hiding with grayscale invariance (RDH-GI). This RAE uses beam search to evaluate the adversarial gain of historical perturbations and guide adversarial perturbations. After the adversarial examples are generated, the framework RDH-GI embeds the secret data that can be recovered losslessly. Experimental results show that our method can achieve an average Peak Signal-to-Noise Ratio (PSNR) of at least 40dB compared to source images with limited query budgets. Our method can also achieve a targeted black-box reversible adversarial attack for the first time.

Cryptography and Security

Jie Zhang,Zhihua Gan,Yang,Wenbin Jiang,Xin He,Xiuli Chai

DOI: https://doi.org/10.1145/3577117.3577145

2022-01-01

Abstract:Cloud services can store a large number of images, but cannot protect the security of user privacy. The traditional image encryption scheme improves the privacy security, but reduces the visibility of the image, which makes the image invisible in the cloud service. To maintain both cloud storage security and visual usability, Tajik et al. proposed a thumbnail preserving encryption (TPE) scheme so that the encrypted image is presented as a low-resolution version of the plaintext image. However, this scheme only scrambles and replaces pixels, and has low security. Aiming at the problem of low security of this method, this paper proposes a new thumbnail preserving encryption scheme (New-TPE). The plaintext image information is used as part of the key to construct the correlation between the encryption process and the plaintext image; The optimal random value is selected from multiple random values and is added to the pixel value replacement process, which increases the degree of variation of pixel values before and after the replacement and reduces the correlation between adjacent pixels; The simulated annealing idea is introduced to select the optimal scrambling sequence within the range; A displacement function scrambling method is proposed to reduce the correlation between adjacent pixels. The experimental results show that the proposed scheme has higher security and a better balance between image privacy and security.

Fan Xing,Xiaoyi Zhou,Hongli Peng,Xuefeng Fan,Wenbao Han,Yuqing Zhang

DOI: https://doi.org/10.1155/2024/6054172

IF: 8.993

2024-10-19

International Journal of Intelligent Systems

Abstract:Reversible adversarial example (RAE) is an effective cutting‐edge technology for protecting the intellectual property (IP) of datasets. However, existing RAE schemes primarily focus on the adversarial and restoration capabilities of adversarial examples (AE), with little attention paid to traceability, which is crucial for IP protection. This oversight leads to the inability to prevent authorized users from redistributing data, thereby posing significant IP security risks. To address this issue, we propose a novel approach named TAE‐RWP, wherein adversarial perturbations in AEs are treated as tools for IP verification. To enable the traceability of AEs, we introduce varying degrees of warping to the adversarial perturbations within the AEs of authorized users, utilizing the warping degree as a traceable feature. To further strengthen traceability, we adopt a technique named "random warping" to maintain the resilience of adversarial perturbations against distortions, and employ a strategy named "noise mode" to improve the verification model's capacity to recognize distortion features. Experimental results indicate that AEs generated by TAE‐RWP exhibit remarkable adversarial strength and restoration abilities, while the verification model demonstrates excellence in recognizing distortion features.

computer science, artificial intelligence

Fan Xing,Xiaoyi Zhou,Xuefeng Fan,Zhuo Tian,Yan Zhao

2023-10-25

Abstract:Collected and annotated datasets, which are obtained through extensive efforts, are effective for training Deep Neural Network (DNN) models. However, these datasets are susceptible to be misused by unauthorized users, resulting in infringement of Intellectual Property (IP) rights owned by the dataset creators. Reversible Adversarial Exsamples (RAE) can help to solve the issues of IP protection for datasets. RAEs are adversarial perturbed images that can be restored to the original. As a cutting-edge approach, RAE scheme can serve the purposes of preventing unauthorized users from engaging in malicious model training, as well as ensuring the legitimate usage of authorized users. Nevertheless, in the existing work, RAEs still rely on the embedded auxiliary information for restoration, which may compromise their adversarial abilities. In this paper, a novel self-generation and self-recovery method, named as RAEDiff, is introduced for generating RAEs based on a Denoising Diffusion Probabilistic Models (DDPM). It diffuses datasets into a Biased Gaussian Distribution (BGD) and utilizes the prior knowledge of the DDPM for generating and recovering RAEs. The experimental results demonstrate that RAEDiff effectively self-generates adversarial perturbations for DNN models, including Artificial Intelligence Generated Content (AIGC) models, while also exhibiting significant self-recovery capabilities.

Cryptography and Security,Artificial Intelligence,Graphics,Machine Learning

Xiuli Chai,Xiuhui Chen,Yakun Ma,Fang Zuo,Zhihua Gan,Yushu Zhang

DOI: https://doi.org/10.1631/FITEE.2200498

2023-01-01

Abstract:With the substantial increase in image transmission, the demand for image security is increasing. Noise-like images can be obtained by conventional encryption schemes, and although the security of the images can be guaranteed, the noise-like images cannot be directly previewed and retrieved. Based on the rank-then-encipher method, some researchers have designed a three-pixel exact thumbnail preserving encryption (TPE2) scheme, which can be applied to balance the security and availability of images, but this scheme has low encryption efficiency. In this paper, we introduce an efficient exact thumbnail preserving encryption scheme. First, blocking and bit-plane decomposition operations are performed on the plaintext image. The zigzag scrambling model is used to change the bit positions in the lower four bit planes. Subsequently, an operation is devised to permute the higher four bit planes, which is an extended application of the hidden Markov model. Finally, according to the difference in bit weights in each bit plane, a bit-level weighted diffusion rule is established to generate an encrypted image and still maintain the same sum of pixels within the block. Simulation results show that the proposed scheme improves the encryption efficiency and can guarantee the availability of images while protecting their privacy.

Xiuli Chai,Gongyao Cao,Zhihua Gan,Yushu Zhang,Yakun Ma,Xin He

DOI: https://doi.org/10.1109/JIOT.2024.3439549

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:As the development of the Internet of Things (IoT), the security of images in social networks is attracting more and more attention. Among the various encryption methods, thumbnail-preserving encryption (TPE) has gained much attention and diverse study, for it has powerful capability of balancing the security and usability of cloud storage images by simultaneously securing privacy and preserving visual information of images. Unfortunately, most of the existing TPE schemes for JPEG images have the disadvantages of limited thumbnail precision or weak security or irreversibility, making them vulnerable to cryptanalysis. To address these issues, we propose a thumbnail-preserving encryption based on adjustable precision (TPE-AP) for JPEG images. Firstly, a joint adjustment strategy is introduced for encrypted quantized QC coefficient (QDCC) and quantized AC coefficient (QACC) of plain image, which makes the security and usability of the thumbnail controllable by exploiting numerical characteristics of QDCC and distribution features of QACC. Secondly, a time-varying encryption strategy based on international time is presented, characteristics of JPEG compression and quantized coefficients are combined to generate encryption sequences, improving the security of the whole encryption process. In addition, we explore the redundancy of QACC within DCT blocks and provide an improved embedding strategy to solve irreversibility problem. Experimental results show that the peak signal-to-noise ratio (PSNR) of thumbnail-preserving accuracy reaches 52 dB, the file expansion is minimally limited to 6.3%, the decryption time less than 0.13 seconds and the mean average precision (mAP) of retrieval attains 62%, it indicates that TPE-AP outperforms the state-of-the-art methods.

Kejiang Chen,Xianhan Zeng,Qichao Ying,Sheng Li,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.2112.14420

2021-12-29

Abstract:Deep learning has achieved enormous success in various industrial applications. Companies do not want their valuable data to be stolen by malicious employees to train pirated models. Nor do they wish the data analyzed by the competitors after using them online. We propose a novel solution for dataset protection in this scenario by robustly and reversibly transform the images into adversarial images. We develop a reversible adversarial example generator (RAEG) that introduces slight changes to the images to fool traditional classification models. Even though malicious attacks train pirated models based on the defensed versions of the protected images, RAEG can significantly weaken the functionality of these models. Meanwhile, the reversibility of RAEG ensures the performance of authorized models. Extensive experiments demonstrate that RAEG can better protect the data with slight distortion against adversarial defense than previous methods.

Computer Vision and Pattern Recognition,Image and Video Processing

Xiuli Chai,Yinjing Wang,Xiuhui Chen,Zhihua Gan,Yushu Zhang

DOI: https://doi.org/10.1109/lsp.2022.3163685

2022-01-01

IEEE Signal Processing Letters

Abstract:To balance the privacy and usability of images in the cloud, Tajik et al. recently designed a thumbnail preserving encryption (TPE) based on sum-preserving encryption, however, multiple iterations make it inefficient. We use CycleGan to simulate randomized unary encoding (RUE) and achieve a more efficient TPE. Thumbnail consistency loss is proposed to guarantee the visual quality of the encrypted image, and the quality of decrypted image is improved via ssim-loss. Besides, a decryption network with a key is retrained such that it can decrypt cipher images in multiple domains, and a binary string is adopted as the key instead of the decryption network parameters to facilitate sharing of images. Simulations verify the effectiveness of the proposed algorithm.

engineering, electrical & electronic

Ming Li,Zhaoli Yang,Tao Wang,Yushu Zhang,Wenying Wen

DOI: https://doi.org/10.1109/tcsvt.2024.3448351

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:In recent years, the uploading of massive personal images has increased the security risks, mainly including privacy breaches and copyright infringement. Adversarial examples provide a novel solution for protecting image privacy, as they can evade the detection by deep neural network (DNN)-based recognizers. However, the perturbations in the adversarial examples typically meaningless and therefore cannot be extracted as traceable information to support copyright protection. In this paper, we designed a dual protection scheme for image privacy and copyright via traceable adversarial examples. Specifically, a traceable adversarial model is proposed, which can be used to embed the invisible copyright information into images for copyright protection while fooling DNN-based recognizers for privacy protection. Inspired by the training method of generative adversarial networks (GANs), a new dynamic adversarial training strategy is designed, which allows our model for achieving stable multi-objective learning. Experimental results show that our scheme is exceptionally robust in the face of a variety of noise conditions and image processing methods, while exhibiting good model migration and defense robustness.

Li Chen,Shaowei Zhu,Zhaoxia Yin

DOI: https://doi.org/10.48550/arXiv.2110.02700

2023-01-02

Abstract:Adding perturbations to images can mislead classification models to produce incorrect results. Recently, researchers exploited adversarial perturbations to protect image privacy from retrieval by intelligent models. However, adding adversarial perturbations to images destroys the original data, making images useless in digital forensics and other fields. To prevent illegal or unauthorized access to sensitive image data such as human faces without impeding legitimate users, the use of reversible adversarial attack techniques is increasing. The original image can be recovered from its reversible adversarial examples. However, existing reversible adversarial attack methods are designed for traditional imperceptible adversarial perturbations and ignore the local visible adversarial perturbation. In this paper, we propose a new method for generating reversible adversarial examples based on local visible adversarial perturbation. The information needed for image recovery is embedded into the area beyond the adversarial patch by the reversible data hiding technique. To reduce image distortion, lossless compression and the B-R-G (bluered-green) embedding principle are adopted. Experiments on CIFAR-10 and ImageNet datasets show that the proposed method can restore the original images error-free while ensuring good attack performance.

Computer Vision and Pattern Recognition

Bar Avraham,Yisroel Mirsky

2024-10-20

Abstract:Black box attacks, where adversaries have limited knowledge of the target model, pose a significant threat to machine learning systems. Adversarial examples generated with a substitute model often suffer from limited transferability to the target model. While recent work explores ranking perturbations for improved success rates, these methods see only modest gains. We propose a novel strategy called PEAS that can boost the transferability of existing black box attacks. PEAS leverages the insight that samples which are perceptually equivalent exhibit significant variability in their adversarial transferability. Our approach first generates a set of images from an initial sample via subtle augmentations. We then evaluate the transferability of adversarial perturbations on these images using a set of substitute models. Finally, the most transferable adversarial example is selected and used for the attack. Our experiments show that PEAS can double the performance of existing attacks, achieving a 2.5x improvement in attack success rates on average over current ranking methods. We thoroughly evaluate PEAS on ImageNet and CIFAR-10, analyze hyperparameter impacts, and provide an ablation study to isolate each component's importance.

Machine Learning,Artificial Intelligence,Cryptography and Security

Ziming Zhao,Zhaoxuan Li,Tingting Li,Zhuoxue Song,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1145/3576915.3624396

2023-01-01

Abstract:Image watermark is a technique widely used for copyright protection. Recent studies show that the image watermark can be added to the clear image as a kind of noise to realize fooling deep learning models. However, previous adversarial example (AE) detection schemes tend to be ineffective since the watermark logo differs from typical noise perturbations. In this poster, we propose Themis, a novel AE detection method against watermark perturbation. Different from prior methods, Themis neither modifies the protected classifier nor requires knowledge of the process for generating AEs. Specifically, Themis leverages usable information theory to calculate the pointwise score, thereby discovering those instances that may be watermark AEs. The empirical evaluations involving 5 different logo watermark perturbations demonstrate the proposed scheme can efficiently detect AEs, and significantly (over 15% accuracy) outperforms five state-of-the-art (SOTA) detection methods. The visualization results display our detection metric is more distinguishable between AEs and non-AEs. Meanwhile, Themis realizes a larger Area Under Curve (AUC) in a threshold-resilient manner, while only introducing similar to 0.04s overhead.