{"title":"Frequency domain-based reversible adversarial attacks for privacy protection in Internet of Things","authors":"Yang Lu, Tianfeng Ma, Zilong Pang, Xiuli Chai, Zhen Chen, Zongwei Tang","doi":"10.1117/1.jei.33.4.043049","DOIUrl":null,"url":null,"abstract":"Images shared on social networks often contain a large amount of private information. Bad actors can use deep learning technology to analyze private information from these images, thus causing user privacy leakage. To protect the privacy of users, reversible adversarial examples (RAEs) are proposed, and they may keep malignant models from accessing the image data while ensuring that the authorized model can recover the source data. However, existing RAEs have shortcomings in imperceptibility and attack capability. We utilize frequency domain information to generate RAEs. To improve the attack capability, the RAEs are generated by discarding the discriminant information of the original class and adding specific perturbation information. For imperceptibility, we propose to embed the perturbation in the wavelet domain of the image. Also, we design low-frequency constraints to distribute the perturbations in the high-frequency region and to ensure the similarity between the original examples and RAEs. In addition, the momentum pre-processing method is proposed to ensure that the direction of the gradient is consistent in each iteration by pre-converging the gradient before the formal iteration, thus accelerating the convergence speed of the gradient, which can be applied to the generation process of RAEs to speed up the generation of RAEs. Experimental results on the ImageNet, Caltech-256, and CIFAR-10 datasets show that the proposed method exhibits the best attack capability and visual quality compared with existing RAE generation schemes. The attack success rate and peak signal-to-noise ratio exceed 99% and 42 dB, respectively. 
In addition, the generated RAEs demonstrate good transferability and robustness.","PeriodicalId":54843,"journal":{"name":"Journal of Electronic Imaging","volume":"44 1","pages":""},"PeriodicalIF":1.0000,"publicationDate":"2024-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Electronic Imaging","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1117/1.jei.33.4.043049","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}
Citation count: 0
Abstract
Images shared on social networks often contain a large amount of private information. Malicious actors can use deep learning techniques to extract this private information from the images, causing user privacy leakage. To protect user privacy, reversible adversarial examples (RAEs) have been proposed: they keep malicious models from interpreting the image data while ensuring that an authorized model can recover the source data. However, existing RAEs fall short in imperceptibility and attack capability. We utilize frequency-domain information to generate RAEs. To improve attack capability, the RAEs are generated by discarding the discriminant information of the original class and adding specific perturbation information. For imperceptibility, we propose embedding the perturbation in the wavelet domain of the image, and we design a low-frequency constraint that concentrates the perturbation in the high-frequency region and preserves the similarity between the original examples and the RAEs. In addition, we propose a momentum pre-processing method that pre-converges the gradient before the formal iterations so that the gradient direction remains consistent across iterations; this accelerates gradient convergence and can be applied to the RAE generation process to speed it up. Experimental results on the ImageNet, Caltech-256, and CIFAR-10 datasets show that the proposed method achieves the best attack capability and visual quality among existing RAE generation schemes: the attack success rate and peak signal-to-noise ratio exceed 99% and 42 dB, respectively. The generated RAEs also demonstrate good transferability and robustness.
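The abstract does not give the exact embedding procedure, but the core idea of placing the perturbation in the wavelet domain while leaving the low-frequency content untouched can be sketched as follows. This is an illustrative numpy-only sketch using a hand-rolled single-level Haar DWT (all function names here are hypothetical, not from the paper); modifying only the detail subbands leaves the approximation (low-frequency) subband of the result exactly unchanged:

```python
import numpy as np

def haar_dwt2(x):
    """Single-level 2D Haar DWT (averaging convention).
    Returns the approximation subband LL and detail subbands (LH, HL, HH)."""
    a = (x[0::2, :] + x[1::2, :]) / 2.0  # row-pair averages
    d = (x[0::2, :] - x[1::2, :]) / 2.0  # row-pair differences
    LL = (a[:, 0::2] + a[:, 1::2]) / 2.0
    LH = (a[:, 0::2] - a[:, 1::2]) / 2.0
    HL = (d[:, 0::2] + d[:, 1::2]) / 2.0
    HH = (d[:, 0::2] - d[:, 1::2]) / 2.0
    return LL, (LH, HL, HH)

def haar_idwt2(LL, bands):
    """Exact inverse of haar_dwt2."""
    LH, HL, HH = bands
    a = np.zeros((LL.shape[0], LL.shape[1] * 2))
    d = np.zeros_like(a)
    a[:, 0::2], a[:, 1::2] = LL + LH, LL - LH
    d[:, 0::2], d[:, 1::2] = HL + HH, HL - HH
    x = np.zeros((a.shape[0] * 2, a.shape[1]))
    x[0::2, :], x[1::2, :] = a + d, a - d
    return x

rng = np.random.default_rng(0)
img = rng.random((8, 8))            # toy grayscale "image"
LL, (LH, HL, HH) = haar_dwt2(img)

# Embed a small sign-pattern perturbation in one high-frequency subband
# only; the low-frequency subband LL is left untouched, so re-analyzing
# the adversarial image yields the same LL as the original.
eps = 0.01
adv = haar_idwt2(LL, (LH + eps * np.sign(rng.standard_normal(LH.shape)), HL, HH))
```

With this convention the transform is perfectly invertible, so the low-frequency constraint is enforced by construction rather than by an added loss term; the paper's actual constraint may instead be a penalty during optimization.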
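The momentum pre-processing idea, read as a few warm-up iterations that pre-converge the accumulated gradient direction before the formal attack iterations begin, might be sketched on a toy loss as below. The MI-FGSM-style update rule, the hyperparameters, and the warm-up length are assumptions for illustration, not the paper's exact algorithm:

```python
import numpy as np

target = np.array([3.0, -2.0])

def loss_grad(x):
    # Toy quadratic loss L(x) = 0.5 * ||x - target||^2; gradient is x - target.
    return x - target

mu, lr = 0.9, 0.1          # momentum decay and step size (assumed values)
x = np.zeros(2)
g = np.zeros_like(x)

# Momentum pre-processing: pre-converge the accumulated gradient on a
# throwaway copy of x, so the formal iterations start with a momentum
# buffer that already points in a consistent descent direction.
x_warm = x.copy()
for _ in range(5):
    grad = loss_grad(x_warm)
    g = mu * g + grad / (np.abs(grad).sum() + 1e-12)  # L1-normalized accumulation
    x_warm = x_warm - lr * np.sign(g)

# Formal iterations reuse the pre-converged momentum g from step one.
for _ in range(50):
    grad = loss_grad(x)
    g = mu * g + grad / (np.abs(grad).sum() + 1e-12)
    x = x - lr * np.sign(g)
```

Because the momentum buffer is warm at the first formal iteration, the sign of the update does not flip-flop early on, which is one plausible reading of how pre-convergence speeds up RAE generation.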
About the journal:
The Journal of Electronic Imaging publishes peer-reviewed papers in all technology areas that make up the field of electronic imaging and are normally considered in the design, engineering, and applications of electronic imaging systems.