Jiawang Bai,Bin Chen,Dongxian Wu,Chaoning Zhang,Shu-Tao Xia

2021-01-01

Abstract:While online video sharing becomes more popular, it also causes unconscious leakage of personal information in the video retrieval systems like deep hashing. An adversary can collect users’ private information from the video database by querying similar videos. This paper focuses on bypassing the deep video hashing based retrieval to prevent information from being maliciously collected. We propose universal adversarial head (UAH), which crafts adversarial query videos by prepending the original videos with a sequence of adversarial frames to perturb the normal hash codes in the Hamming space. This adversarial head can be obtained just using a few videos, and mislead the retrieval system to return irrelevant videos on most natural query videos. Furthermore, to obey the principle of information protection, we expand the proposed method to a data-free paradigm to generate the UAH, without access to users’ original videos. Extensive experiments demonstrate the protection effectiveness of our method under various settings.

Yanru Xiao,Cong Wang,Xing Gao

DOI: https://doi.org/10.1109/cvpr42600.2020.00967

2020-01-01

Computer Vision and Pattern Recognition

Abstract:With the rapid growth of visual content, deep learning to hash is gaining popularity in the image retrieval community recently. Although it greatly facilitates search efficiency, privacy is also at risks when images on the web are retrieved at a large scale and exploited as a rich mine of personal information. An adversary can extract private images by querying similar images from the targeted category for any usable model. Existing methods based on image processing preserve privacy at a sacrifice of perceptual quality. In this paper, we propose a new mechanism based on adversarial examples to "stash'' private images in the deep hash space while maintaining perceptual similarity. We first find that a simple approach of hamming distance maximization is not robust against brute-force adversaries. Then we develop a new loss function by maximizing the hamming distance to not only the original category, but also the centers from all the classes, partitioned into clusters of various sizes. The extensive experiment shows that the proposed defense can harden the attacker's efforts by 2-7 orders of magnitude, without significant increase of computational overhead and perceptual degradation. We also demonstrate 30-60% transferability in hash space with a black-box setting. The code is available at: https://github.com/sugarruy/hashstash

Yanru Xiao,Cong Wang

DOI: https://doi.org/10.1109/CVPR46437.2021.00197

2021-01-01

Abstract:With the large multimedia content online, deep hashing has become a popular method for efficient image retrieval and storage. However, by inheriting the algorithmic back-end from softmax classification, these techniques are vulnerable to the well-known adversarial examples as well. The massive collection of online images into the database also opens up new attack vectors. Attackers can embed adversarial images into the database and target specific categories to be retrieved by user queries. In this paper, we start from an adversarial standpoint to explore and enhance the capacity of targeted black-box transferability attack for deep hashing. We motivate this work by a series of empirical studies to see the unique challenges in image retrieval. We study the relations between adversarial subspace and black-box transferability via utilizing random noise as a proxy. Then we develop a new attack that is simultaneously adversarial and robust to noise to enhance transferability. Our experimental results demonstrate about 1.2-3x improvements of black-box transferability compared with the state-of-the-art mechanisms.

Ming Li,Xiangyu Xu,Hehe Fan,Pan Zhou,Jun Liu,Jia-Wei Liu,Jiahe Li,Jussi Keppo,Mike Zheng Shou,Shuicheng Yan

DOI: https://doi.org/10.1109/iccv51070.2023.00471

2023-01-01

Abstract:Existing methods of privacy-preserving action recognition (PPAR) mainly focus on frame-level (spatial) privacy removal through 2D CNNs. Unfortunately, they have two major drawbacks. First, they may compromise temporal dynamics in input videos, which are critical for accurate action recognition. Second, they are vulnerable to practical attacking scenarios where attackers probe for privacy from an entire video rather than individual frames. To address these issues, we propose a novel framework STPrivacy to perform video-level PPAR. For the first time, we introduce vision Transformers into PPAR by treating a video as a tubelet sequence, and accordingly design two complementary mechanisms, i.e., sparsification and anonymization, to remove privacy from a spatio-temporal perspective. In specific, our privacy sparsification mechanism applies adaptive token selection to abandon action-irrelevant tubelets. Then, our anonymization mechanism implicitly manipulates the remaining action-tubelets to erase privacy in the embedding space through adversarial learning. These mechanisms provide significant advantages in terms of privacy preservation for human eyes and action-privacy trade-off adjustment during deployment. We additionally contribute the first two large-scale PPAR benchmarks, VP-HMDB51 and VP-UCF101, to the community. Extensive evaluations on them, as well as two other tasks, validate the effectiveness and generalization capability of our framework.

Hong Li,Yunhua He,Limin Sun,Xiuzhen Cheng,Jiguo Yu

DOI: https://doi.org/10.1109/INFOCOM.2016.7524621

2016-01-01

Abstract:Video surveillance has been widely adopted to ensure home security in recent years. Most video encoding standards such as H.264 and MPEG-4 compress the temporal redundancy in a video stream using difference coding, which only encodes the residual image between a frame and its reference frame. Difference coding can efficiently compress a video stream, but it causes side-channel information leakage even though the video stream is encrypted, as reported in this paper. Particularly, we observe that the traffic patterns of an encrypted video stream are different when a user conducts different basic activities of daily living, which must be kept private from third parties as obliged by HIPAA regulations. We also observe that by exploiting this side-channel information leakage, attackers can readily infer a user's basic activities of daily living based on only the traffic size data of an encrypted video stream. We validate such an attack using two off-the-shelf cameras, and the results indicate that the user's basic activities of daily living can be recognized with a high accuracy.

Zhipeng Wei,Jingjing Chen,Xingxing Wei,Linxi Jiang,Tat-Seng Chua,Fengfeng Zhou,Yu-Gang Jiang

DOI: https://doi.org/10.1609/aaai.v34i07.6918

2020-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:We study the problem of attacking video recognition models in the black-box setting, where the model information is unknown and the adversary can only make queries to detect the predicted top-1 class and its probability. Compared with the black-box attack on images, attacking videos is more challenging as the computation cost for searching the adversarial perturbations on a video is much higher due to its high dimensionality. To overcome this challenge, we propose a heuristic black-box attack model that generates adversarial perturbations only on the selected frames and regions. More specifically, a heuristic-based algorithm is proposed to measure the importance of each frame in the video towards generating the adversarial examples. Based on the frames' importance, the proposed algorithm heuristically searches a subset of frames where the generated adversarial example has strong adversarial attack ability while keeps the perturbations lower than the given bound. Besides, to further boost the attack efficiency, we propose to generate the perturbations only on the salient regions of the selected frames. In this way, the generated perturbations are sparse in both temporal and spatial domains. Experimental results of attacking two mainstream video recognition methods on the UCF-101 dataset and the HMDB-51 dataset demonstrate that the proposed heuristic black-box adversarial attack method can significantly reduce the computation cost and lead to more than 28% reduction in query numbers for the untargeted attack on both datasets.

Mu Li,Vishal Monga

DOI: https://doi.org/10.1109/TIP.2012.2206036

Abstract:The goal of video hashing is to design hash functions that summarize videos by short fingerprints or hashes. While traditional applications of video hashing lie in database searches and content authentication, the emergence of websites such as YouTube and DailyMotion poses a challenging problem of anti-piracy video search. That is, hashes or fingerprints of an original video (provided to YouTube by the content owner) must be matched against those uploaded to YouTube by users to identify instances of "illegal" or undesirable uploads. Because the uploaded videos invariably differ from the original in their digital representation (owing to incidental or malicious distortions), robust video hashes are desired. We model videos as order-3 tensors and use multilinear subspace projections, such as a reduced rank parallel factor analysis (PARAFAC) to construct video hashes. We observe that, unlike most standard descriptors of video content, tensor-based subspace projections can offer excellent robustness while effectively capturing the spatio-temporal essence of the video for discriminability. We introduce randomization in the hash function by dividing the video into (secret key based) pseudo-randomly selected overlapping sub-cubes to prevent against intentional guessing and forgery. Detection theoretic analysis of the proposed hash-based video identification is presented, where we derive analytical approximations for error probabilities. Remarkably, these theoretic error estimates closely mimic empirically observed error probability for our hash algorithm. Furthermore, experimental receiver operating characteristic (ROC) curves reveal that the proposed tensor-based video hash exhibits enhanced robustness against both spatial and temporal video distortions over state-of-the-art video hashing techniques.

Jiawang Bai,Bin Chen,Yiming Li,Dongxian Wu,Weiwei Guo,Shu-tao Xia,En-hui Yang

DOI: https://doi.org/10.48550/arXiv.2004.07955

2020-04-15

Cryptography and Security

Abstract:The deep hashing based retrieval method is widely adopted in large-scale image and video retrieval. However, there is little investigation on its security. In this paper, we propose a novel method, dubbed deep hashing targeted attack (DHTA), to study the targeted attack on such retrieval. Specifically, we first formulate the targeted attack as a point-to-set optimization, which minimizes the average distance between the hash code of an adversarial example and those of a set of objects with the target label. Then we design a novel component-voting scheme to obtain an anchor code as the representative of the set of hash codes of objects with the target label, whose optimality guarantee is also theoretically derived. To balance the performance and perceptibility, we propose to minimize the Hamming distance between the hash code of the adversarial example and the anchor code under the $\ell^\infty$ restriction on the perturbation. Extensive experiments verify that DHTA is effective in attacking both deep hashing based image retrieval and video retrieval.

Hao-Xian Wang,Zhe-Ming Lu,Jeng-Shyang Pan,Sheng-He Sun

2005-01-01

Abstract:In this paper, a novel adaptive approach to spatial domain video watermarking is presented. It takes full advantage of both intra-frame and inter-frame information of video content to guarantee the perceptual invisibility and robustness of the watermark. An effective block classifier is delicately designed based on motion information and region complexity. Meanwhile, the idea of bitplane replacement is introduced in the embedding procedure. A major advantage of this technique is that the watermark can be extracted without referring to the original video while embedded adaptively in accordance with the human visual system and signal characteristics. The multi-frame based extraction strategy ensures that the watermark can be correctly recovered from a very short segment of video. Individual frames extracted from the video also contain watermark information. Experimental results show that the watermarked video appears visually indistinguishable from the original video, and the proposed watermarking technique is robust enough to common video attacks.

Hossein Hosseini,Baicen Xiao,Andrew Clark,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1708.04301

2017-08-15

Abstract:Due to the growth of video data on Internet, automatic video analysis has gained a lot of attention from academia as well as companies such as Facebook, Twitter and Google. In this paper, we examine the robustness of video analysis algorithms in adversarial settings. Specifically, we propose targeted attacks on two fundamental classes of video analysis algorithms, namely video classification and shot detection. We show that an adversary can subtly manipulate a video in such a way that a human observer would perceive the content of the original video, but the video analysis algorithm will return the adversary's desired outputs. We then apply the attacks on the recently released Google Cloud Video Intelligence API. The API takes a video file and returns the video labels (objects within the video), shot changes (scene changes within the video) and shot labels (description of video events over time). Through experiments, we show that the API generates video and shot labels by processing only the first frame of every second of the video. Hence, an adversary can deceive the API to output only her desired video and shot labels by periodically inserting an image into the video at the rate of one frame per second. We also show that the pattern of shot changes returned by the API can be mostly recovered by an algorithm that compares the histograms of consecutive frames. Based on our equivalent model, we develop a method for slightly modifying the video frames, in order to deceive the API into generating our desired pattern of shot changes. We perform extensive experiments with different videos and show that our attacks are consistently successful across videos with different characteristics. At the end, we propose introducing randomness to video analysis algorithms as a countermeasure to our attacks.

Multimedia,Cryptography and Security,Computer Vision and Pattern Recognition

Erkun Yang,Tongliang Liu,Cheng Deng,Dacheng Tao

DOI: https://doi.org/10.1109/tcyb.2018.2882908

IF: 11.8

2018-01-01

IEEE Transactions on Cybernetics

Abstract:Due to its strong representation learning ability and its facilitation of joint learning for representation and hash codes, deep learning-to-hash has achieved promising results and is becoming increasingly popular for the large-scale approximate nearest neighbor search. However, recent studies highlight the vulnerability of deep image classifiers to adversarial examples; this also introduces profound security concerns for deep retrieval systems. Accordingly, in order to study the robustness of modern deep hashing models to adversarial perturbations, we propose hash adversary generation (HAG), a novel method of crafting adversarial examples for Hamming space search. The main goal of HAG is to generate imperceptibly perturbed examples as queries, whose nearest neighbors from a targeted hashing model are semantically irrelevant to the original queries. Extensive experiments prove that HAG can successfully craft adversarial examples with small perturbations to mislead targeted hashing models. The transferability of these perturbations under a variety of settings is also verified. Moreover, by combining heterogeneous perturbations, we further provide a simple yet effective method of constructing adversarial examples for black-box attacks.

Shangyu Xie,Han Wang,Yu Kong,Yuan Hong

DOI: https://doi.org/10.48550/arXiv.2107.04284

2021-08-14

Abstract:Widely deployed deep neural network (DNN) models have been proven to be vulnerable to adversarial perturbations in many applications (e.g., image, audio and text classifications). To date, there are only a few adversarial perturbations proposed to deviate the DNN models in video recognition systems by simply injecting 2D perturbations into video frames. However, such attacks may overly perturb the videos without learning the spatio-temporal features (across temporal frames), which are commonly extracted by DNN models for video recognition. To our best knowledge, we propose the first black-box attack framework that generates universal 3-dimensional (U3D) perturbations to subvert a variety of video recognition systems. U3D has many advantages, such as (1) as the transfer-based attack, U3D can universally attack multiple DNN models for video recognition without accessing to the target DNN model; (2) the high transferability of U3D makes such universal black-box attack easy-to-launch, which can be further enhanced by integrating queries over the target model when necessary; (3) U3D ensures human-imperceptibility; (4) U3D can bypass the existing state-of-the-art defense schemes; (5) U3D can be efficiently generated with a few pre-learned parameters, and then immediately injected to attack real-time DNN-based video recognition systems. We have conducted extensive experiments to evaluate U3D on multiple DNN models and three large-scale video datasets. The experimental results demonstrate its superiority and practicality.

Cryptography and Security

Chuan Qin,Liang Wu,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1109/lsp.2021.3111820

2021-01-01

IEEE Signal Processing Letters

Abstract:As the deep hashing technique has been widely used in large-scale image retrieval, the corresponding security issue is getting more and more attention. Recent studies have found that deep image classifiers are vulnerable to adversarial example attacks and produce misleading classifications. Therefore, in order to study the robustness of deep hashing based retrieval system to adversarial example, in this letter, we propose a novel adversarial example generation algorithm, non-targeted deep hashing attack (NDHA), which uses the anchor-moving strategy to continuously modify anchor image to cross the search correlation boundary and maximize Hamming distance between the hash codes of adversarial example and query image. The generated adversarial example can make the retrieved result semantically irrelevant to query image. Extensive experiments show that the proposed NDHA can efficiently produce imperceptible perturbation, which is effective for attacking deep hashing based retrieval systems.

Xi Li,Songhe Wang,Ruiquan Huang,Mahanth Gowda,George Kesidis

2023-12-09

Abstract:Deep neural networks (DNNs) have achieved tremendous success in various applications including video action recognition, yet remain vulnerable to backdoor attacks (Trojans). The backdoor-compromised model will mis-classify to the target class chosen by the attacker when a test instance (from a non-target class) is embedded with a specific trigger, while maintaining high accuracy on attack-free instances. Although there are extensive studies on backdoor attacks against image data, the susceptibility of video-based systems under backdoor attacks remains largely unexplored. Current studies are direct extensions of approaches proposed for image data, e.g., the triggers are independently embedded within the frames, which tend to be detectable by existing defenses. In this paper, we introduce a simple yet effective backdoor attack against video data. Our proposed attack, adding perturbations in a transformed domain, plants an imperceptible, temporally distributed trigger across the video frames, and is shown to be resilient to existing defensive strategies. The effectiveness of the proposed attack is demonstrated by extensive experiments with various well-known models on two video recognition benchmarks, UCF101 and HMDB51, and a sign language recognition benchmark, Greek Sign Language (GSL) dataset. We delve into the impact of several influential factors on our proposed attack and identify an intriguing effect termed "collateral damage" through extensive studies.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security

Songyang Gao,Shihan Dou,Qi Zhang,Xuanjing Huang,Jin Ma,Ying Shan

DOI: https://doi.org/10.18653/v1/2023.findings-acl.857

2023-01-01

Abstract:Detecting adversarial samples that are carefully crafted to fool the model is a critical step to socially-secure applications.However, existing adversarial detection methods require access to sufficient training data, which brings noteworthy concerns regarding privacy leakage and generalizability.In this work, we validate that the adversarial sample generated by attack algorithms is strongly related to a specific vector in the high-dimensional inputs.Such vectors, namely UAPs (Universal Adversarial Perturbations), can be calculated without original training data.Based on this discovery, we propose a data-agnostic adversarial detection framework, which induces different responses between normal and adversarial samples to UAPs.Experimental results show that our method achieves competitive detection performance on various text classification tasks, and maintains an equivalent time consumption to normal inference.

Gengshen Wu,Li Liu,Yuchen Guo,Guiguang Ding,Jungong Han,Jialie Shen,Ling Shao

DOI: https://doi.org/10.24963/ijcai.2017/429

2017-01-01

Abstract:Recently, hashing video contents for fast retrieval has received increasing attention due to the enormous growth of online videos. As the extension of image hashing techniques, traditional video hashing methods mainly focus on seeking the appropriate video features but pay little attention to how the video-specific features can be leveraged to achieve optimal binarization. In this paper, an end-to-end hashing framework, namely Unsupervised Deep Video Hashing (UDVH), is proposed, where feature extraction, balanced code learning and hash function learning are integrated and optimized in a self-taught manner. Particularly, distinguished from previous work, our framework enjoys two novelties: 1) an unsupervised hashing method that integrates the feature clustering and feature binarization, enabling the neighborhood structure to be preserved in the binary space; 2) a smart rotation applied to the video-specific features that are widely spread in the low-dimensional space such that the variance of dimensions can be balanced, thus generating more effective hash codes. Extensive experiments have been performed on two real-world datasets and the results demonstrate its superiority, compared to the state-of-the-art video hashing methods. To bootstrap further developments, the source code will be made publically available.

Lukas Struppek,Dominik Hintersdorf,Daniel Neider,Kristian Kersting

DOI: https://doi.org/10.1145/3531146.3533073

2024-07-16

Abstract:Apple recently revealed its deep perceptual hashing system NeuralHash to detect child sexual abuse material (CSAM) on user devices before files are uploaded to its iCloud service. Public criticism quickly arose regarding the protection of user privacy and the system's reliability. In this paper, we present the first comprehensive empirical analysis of deep perceptual hashing based on NeuralHash. Specifically, we show that current deep perceptual hashing may not be robust. An adversary can manipulate the hash values by applying slight changes in images, either induced by gradient-based approaches or simply by performing standard image transformations, forcing or preventing hash collisions. Such attacks permit malicious actors easily to exploit the detection system: from hiding abusive material to framing innocent users, everything is possible. Moreover, using the hash values, inferences can still be made about the data stored on user devices. In our view, based on our results, deep perceptual hashing in its current form is generally not ready for robust client-side scanning and should not be used from a privacy perspective.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Gejian Zhao,Chuan Qin,Xiangyang Luo,Xinpeng Zhang,Chin-Chen Chang

DOI: https://doi.org/10.1145/3577163.3595110

2023-01-01

Abstract:In this paper, we propose an end-to-end perceptual robust hashing scheme for video copy detection based on unsupervised learning. Firstly, the spatio-temporal information in videos is effectively fused and condensed into high-dimensional features through a 3D selfattention, multi-scale feature fusion model based on 3D-CNN, in which the Inception block and the 3D self-attention mechanism are integrated. Then, we calculate the correlation distances between the extracted features to differentiate perceptual contents. Based on the similarity relationship, we can dynamically generate the pseudo-labels and exploit them to further guide the model training for video hash generation. In addition, we design the dual constraints to make the hash code obtain satisfactory robustness and discrimination. Extensive experiments demonstrate that the proposed scheme achieves superior performance of copy detection compared with existing schemes and performs well even in the case of untrained manipulations.

Jordan Madden,Moxanki Bhavsar,Lhamo Dorje,Xiaohua Li

2024-12-06

Abstract:Perceptual hashing algorithms (PHAs) are widely used for identifying illegal online content and are thus integral to various sensitive applications. However, due to their hasty deployment in real-world scenarios, their adversarial security has not been thoroughly evaluated. This paper assesses the security of three widely utilized PHAs - PhotoDNA, PDQ, and NeuralHash - against hash-evasion and hash-inversion attacks. Contrary to existing literature, our findings indicate that these PHAs demonstrate significant robustness against such attacks. We provide an explanation for these differing results, highlighting that the inherent robustness is partially due to the random hash variations characteristic of PHAs. Additionally, we propose a defense method that enhances security by intentionally introducing perturbations into the hashes.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Ling Du,Wei Zhang,Huazhu Fu,Wenqi Ren,Xinpeng Zhang

DOI: https://doi.org/10.1016/j.jvcir.2019.01.027

IF: 2.887

2019-01-01

Journal of Visual Communication and Image Representation

Abstract:The advancement in video surveillance has raised significant concerns about privacy protection. The existing methods focus on identifying the sensitive region and preserving the behavior of the target, however, they ignore the recoverability of private content. In this paper, we propose a novel and efficient privacy protection scheme for data security in video surveillance, which jointly addresses several key challenges, including de-identification, behavior preservation, recoverability, and compressibility in one unified system. Our method constructs a public stream and a private residual error stream by blurring the private sensitive region. With our scheme, ordinary users could recognize the behaviors in the public identity-protected video stream for surveillance purpose, while authorized users are able to access the recovered private content (e.g., for law investigations). Moreover, the compressed privacy protected region and residual error could be able to save the costs associated with transmission and storage. The extensive experiments on two standard surveillance datasets and a user study demonstrate the effectiveness of our privacy protection system. (C) 2019 Elsevier Inc. All rights reserved.