Skip to main content
SpringerLink
Log in

A framework for evaluating image obfuscation under deep learning-assisted privacy attacks

  • Published:
Multimedia Tools and Applications Aims and scope Submit manuscript

Abstract

Image obfuscation techniques (e.g., pixelation, blurring and masking,...) have been developed to protect sensitive information in images (e.g. individuals’ faces). In a previous work, we designed a recommendation framework that evaluates the robustness of image obfuscation techniques and recommends the most resilient obfuscation against Deep-Learning assisted attacks. In this paper, we extend the framework due to two main reasons. First, to the best of our knowledge there is not a standardized evaluation methodology nor a defined model for adversaries when evaluating the robustness of image obfuscation and more specifically face obfuscation techniques. Therefore, we adapt a three-components adversary model (goal, knowledge and capabilities) to our application domain (i.e., facial features obfuscations) and embed it in our framework. Second, considering several attacking scenarios is vital when evaluating the robustness of image obfuscation techniques. Hence, we define three threat levels and explore new aspects of an adversary and its capabilities by extending the background knowledge to include the obfuscation technique along with its hyper-parameters and the identities of the target individuals. We conduct three sets of experiments on a publicly available celebrity faces dataset. Throughout the first experiment, we implement and evaluate the recommendation framework by considering four adversaries attacking obfuscation techniques (e.g. pixelating, Gaussian/motion blur and masking) via restoration-based attacks. Throughout the second and third experiments, we demonstrate how the adversary’s attacking capabilities (recognition-based and Restoration & Recognition-based attacks) scale with its background knowledge and how it increases the potential risk of breaching the identities of blurred faces.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12

Similar content being viewed by others

Availability of data and materials

The dataset used throughout our experiments is publicly available.

Code Availability

The code that we implemented is publicly available as GitHub repositories and is referenced.

Notes

  1. Throughout the rest of this paper, we will use the terms obfuscation and anonymization interchangeably.

  2. That possess obfuscated face images

  3. the enemy knows the system”, i.e, “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.”

  4. In T3 the restoration-based attack could be less dangerous compared to T1 and T2 because the adversary is not aware of the exact hyperparameters of the obfuscation technique.

  5. The Structural Similarity Index (SSIM) measures image quality modifications (enhancement/degradations)

  6. OpenFace is a Python and Torch implementation of face recognition with deep neural networks [55]. OpenFace directly learns a mapping from face images to a compact euclidean space where distances directly correspond to a measure of face similarity.

  7. By definition, the average relative error is the absolute difference between the “exact theoretical” value and its “measured” counterpart, divided by the “exact theoretical” value. We consider the inference over the clear face image (GT) as the “exact” value whereas the prediction over the anonymized (AN) and the reconstructed (RC) face images as the “measured” values.

  8. Class labels with the Top n highest probabilities.

  9. Top-n accuracy is 100%.

  10. We first selected 1307 images from the official CelebA test set, then we filtered out, via a pre-trained celebrity recognition model, the faces that were wrongly recognized or correctly recognized with a probability lower than 0.7

  11. The implementation [42] provided a network which upscales the input image by a factor of 2. Hence, we added an upscaling function and re-trained it from scratch for upscaling by a factor of 4.

  12. For instance, we did not employ the FaceScrub dataset [48], which is designated for identity recognition tasks, because the number of identities is limited to 530 whereas it is 10,177 in the CelebA dataset.

  13. for additional details regarding the data preparation process, please contact jimmytekli@hotmail.com

  14. we mined images from google via google-images-download as well.

  15. 854 being the maximum number of individuals in our test set

  16. https://github.com/BMW-InnovationLab/BMW-Classification-Training-GUI

  17. In addition to the classes regarding the individuals in N, we also added an additional class to our classifier entitled “others” which grouped 800 images that belong to other individuals

  18. https://docs.opencv.org/master/da/d56/group__text__detect.html

  19. https://github.com/tesseract-ocr/tesseract

References

  1. Abramian D, Eklund A (2018) Refacing: reconstructing anonymized facial features using GANs COCR, volume. arXiv:1810.06455

  2. Ahonen T, Hadid A, Pietikainen M (2006) Face description with local binary patterns: application to face recognition. Patt Anal Mach Intell, IEEE Trans 28(12):20372041

    Article  MATH  Google Scholar 

  3. Amos B, Ludwiczuk B, Satyanarayanan M (2016) Openface: a general purpose face recognition library with mobile applications, Tech Rep, CMU Sch Comput Sci, CMU-CS-16-118

  4. Bansal M, Kumar M, Sachdeva M, Mittal A (2021) Transfer learning for image classification using VGG19: Caltech-101 image data set. J Ambient Intell Humaniz Comput, 2021 Sep 17:1–12

    Google Scholar 

  5. Belhumeur P, Hespanha J, Kriegman D (1997) Eigenfaces vs. Sherfaces: recognition using class specific linear projection. Patt Anal Mach Intell, IEEE Trans 19(7):711720

    Article  Google Scholar 

  6. Bellare M, Pointcheval D, Rogaway P (2000) Authenticated Key Exchange Secure against Dictionary Attacks. In: Advances in Cryptology — EUROCRYPT 2000, lecture notes in computer science. Springer, pp 139–155, Berlin

  7. Bellare M, Rogaway P (1993) Entity authentication and key distribution, Advances in Cryptology–CRYPTO’ 93. In: Stinson DR (ed) Lecture notes in computer science, 1993. Springer, pp 232–249, Berlin

  8. Bellare M, Rogaway P (1995) Provably secure session key distribution: The Three Party Case. In: Proceedings of the 27th annual ACM symposium on theory of computing, Las Vegas, pp 57–66

  9. Biggio B, Nelson B, Laskov P (2012) Poisoning attacks against support vector machines arXiv:1206.6389

  10. Boracchi G, Foi A (2012) Modeling the performance of image restoration from motion blur. Image Process, IEEE Trans 21(8):3502–3517

    Article  MathSciNet  MATH  Google Scholar 

  11. Caesar H, Bankiti V, Lang AH, Vora S, Liong VE, Xu Q, Krishnan A, Pan Y, Baldan G, Beijbom O (2019) nuscenes: a multimodal dataset for autonomous driving. arXiv:1903.11027

  12. Chattopadhyay A, Ruska R, Pfantz L (2021) Determining the robustness of privacy enhancing deID against the reID adversary: an experimental study the 16th international conference on availability. Reliabil Secur

  13. Chen L, Papandreou G, Kokkinos I, Murphy K (2016) A L.Yuille, Deeplab: semantic image segmentation with deep convolutional nets, atrous convolution, and fully connected. arXiv:1606.00915

  14. Dargan S, Kumar M, Ayyagari MR et al (2020) A survey of deep learning and its applications: a new paradigm to machine learning arch computat methods eng, vol 27, pp 1071–1092

  15. Do Q, Martini B, Choo K-KR (2018) The role of the adversary model in applied security research. Comput Secur

  16. Dong W, Zhang L, Shi G, Image deblurring XWu (2011) Superresolution by adaptive sparse domain selection and adaptive regularization. Image Process, IEEE Trans 20(7):1838–1857

    Article  MathSciNet  Google Scholar 

  17. Dufaux F, Ebrahimi T (2010) A framework for the validation of privacy protection solutions in video surveillance. In: IEEE international conference on multimedia and expo

  18. Frome A, Cheung G, Abdulkader A, Zennaro M et al (2009) Large-scale privacy protection in Google Street View IEEE 12th International Conference on Computer Vision ICCV

  19. Garcia D (2016) srez: adversarial super resolution. http://github.com/david-gpu/srez. Accessed 2019

  20. Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples in ICLR

  21. Gopalan R, Taheri S, Turaga P, Chellappa R (2012) A blur-robust descriptor with applications to face recognition. IEEE Trans Patt Anal Mach Intell

  22. Hao H, Güera D, Horváth J, Reibman AR, Delp EJ (2020) Robustness analysis of face obscuration 2020 15th IEEE international conference on automatic face and gesture recognition

  23. Hao H, Güera D, Reibman AR, Delp EJ (2019) A utility-preserving gan for face obscuration. In: Proceedings of the international conference on machine learning, synthetic realities: deep learning for detecting audio visual fakes workshop

  24. He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition CVPR

  25. Hill S, Zhou Z, Saul L, Shacham H (2016) On the in effectiveness of mosaicing and blurring as tools for document redaction PETS

  26. Hu J, Shen L, Albanie S, Sun G, Wu E (2019) Squeeze-and-excitation networks, arXiv:1709.01507

  27. Jin CB (2018) Semantic-image-inpainting. https://github.com/ChengBinJin/semantic-image-inpainting. Accessed 2019

  28. Jingzhi L, Lutong H, Ruoyu C, Hua Z, Bing H, Lili W, Xiaochun C (2021) Identity-preserving face anonymization via adaptively facial attributes obfuscation. In: Proceedings of the 29th ACM international conference on multimedia

  29. Keys R (1981) Cubic convolution interpolation for digital image processing. Acoust, Speech Signal Process IEEE Trans 29(6):1153–1160

    Article  MathSciNet  MATH  Google Scholar 

  30. Komkov S, Petiushko A (2019) Advhat: real-world adversarial attack on arcface face id system arXiv:1908.08705

  31. Korshunov P, Melle A, Dugelay J-L, Ebrahimi T (2013) Framework for objective evaluation of privacy filters. In: Proceedings of SPIE, vol 8856, p 12

  32. Krizhevsky A, Hinton G (2009) Learning multiple layers of features from tiny images

  33. Laboratories Cambridge (1994) The database of faces

  34. Lander K, Bruce V, Hill H (2001) Evaluating the effectiveness of pixelation and blurring on masking the identity of familiar faces. Appl Cognit Psychol

  35. LeCun Y, Cortes C, Burges CJ (1998) The mnist database of handwritten digits

  36. Ledig C, Theis L, Huszar F, Caballero J, Cunningham \(\o:left: .\relax \special {t4ht=<mfenced separators="" open="|" }\bgroup \relax \special {t4ht=><mrow>}\bgroup N\egroup \egroup \o:right: .\relax \special {t4ht=</mrow></mfenced>}\) A, Acosta A, Aitken A, Tejani A, Totz J, Wang Z et al (2016) Photo-realistic single image super-resolution using a generative adversarial network. arXiv:1609.04802

  37. Li Y, Liu S, Yang J, Yang M. -H. (2017) Generative face completion, arXiv:1704.05838

  38. Li Y, Vishwamitra N, Knijnenburg BP, Hu H, Caine K (2017) Effectiveness and users’ experience of obfuscation as a privacy-enhancing technology for sharing photos. In: Proceedings of the ACM on human-computer interaction

  39. Linwei Y, Binglin L, Noman M, Yang W, Jie L (2018) Privacy-Preserving Age Estimation for Content Rating. In: 2018 IEEE 20th international workshop on multimedia signal processing (MMSP)

  40. Liu W, Anguelov D, Erhan D, Szegedy C, Reed S (2015) SSD: Single shot multibox detector. arXiv:1512.02325

  41. Liu Z, Luo P, Wang X, Tang X (2015) Deep learning face attributes in the wild. In: Proceedings of international conference on computer vision (ICCV)

  42. Majumdar S (2016) Image Super Resolution. https://github.com/titu1994/Image-Super-Resolution. Accessed 2019

  43. McPherson R, Shokri R, Shmatikov V (2016) Defeating image obfuscation with deep learning coRR

  44. Meden B, Rot P, Terhörst P, Damer N, Kuijper A, Scheirer WJ, Ross A, Peer P, Struc V (2021) Privacy-enhancing face biometrics: a comprehensive survey. IEEE Trans Inf Forensics Secur

  45. Nawaz T, Berg A, Ferryman J, Ahlberg J, Felsberg M (2017) Effective evaluation of privacy protection techniques in visible and thermal imagery. J Electron Imaging

  46. Newton EM, Sweeney L (2005) Preserving privacy by de-identifying face images. In: IEEE transactions on knowledge and data engineering

  47. Newton EM, Sweeney L, Malin B (2005) Preserving privacy by de-identifying face images. IEEE Trans Knowl Data Eng

  48. Ng H-W, Winkler S (2014) A data-driven approach to cleaning large face datasets. In: IEEE international conference on image processing (ICIP)

  49. Packhauser K, Gündel S, Münster N, Syben C, Christlein V, Maier A (2021) Is Medical Chest X-ray Data Anonymous? arXiv:2103.08562:v1

  50. Punnappurath A, Rajagopalan AN, Taheri S, Chellappa R, Seetharaman G (2015) Face recognition across non-uniform motion blur, illumination, and pose. IEEE Trans Image Process

  51. Ra M-R, Govindan R, Ortega A (2013) P3:Toward privacy-preserving photo sharing, NSDI

  52. Rezaeifar S, Voloshynovskiy S (2022) M asgari jirhandeh and v kinakh privacy-preserving image template sharing using contrastive learning entropy

  53. Ruchaud N, Dugelay JL (2016), Automatic face anonymization in visual data: are we really well protected? Electron Imaging

  54. Russakovsky O, Deng J, Su H, Krause J, Satheesh S, Ma S, Huang Z, Karpathy A, Khosla A, Bernstein M, Berg AC, Fei-Fei L (2014) ImageNet large scale visual recognition challenge. arXiv:1409.0575

  55. Schroff F, Kalenichenko D, Philbin J (2015) Facenet: a unified embedding for face recognition and clustering. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 815–823

  56. Shafahi A, Huang WR, Najibi M, Suciu O, Studer C, Dumitras T, Goldstein T (2018) Poison frogs! targeted clean-label poisoning attacks on neural networks. In: Proc of NeurIPS

  57. Shaheed K, Mao A, Qureshi I, Kumar M, Hussain S, Ullah I, Zhang X (2022) DS-CNN: a pre-trained Xception model based on depth-wise separable convolutional neural network for finger vein recognition. Exp Syst Appl

  58. Shan S, Wenger E, Zhang J, Li H, H Zheng, Zhao BY (2020) Fawkes: Protecting personal privacy against unauthorized deep learning models. arXiv:2002.08327

  59. Shen Z (2016) Deep-semantic-face-deblurring. https://github.com/joanshen0508/Deep-Semantic-Face-Deblurring. Accessed 2019

  60. Shen Z, Lai W, Xu T, Kautz J, Yang SM (2018) Deep semantic face deblurring CVPR:8260–8269

  61. Tekli J, al Bouna B, Couturier R, Tekli G, al Zein Z, Kamradt M (2019) A framework for evaluating image obfuscation under deep learning-assisted privacy attacks. In: 2019 17th international conference on privacy, security and trust (PST), Fredericton, NB, Canada, 2019, pp 1–10

  62. Turk M, Pentland A (1991) Face recognition using eigenfaces. Computer vision and pattern recognition, proceedings CVPR ’91. IEEE computer society conference

  63. Vu HN, Nguyen MH, Pham C (2022) Masked face recognition with convolutional neural networks and local binary patterns. Appl Intell

  64. Wang Z, Bovik AC, Sheikh HR, Simoncelli EP (2004) Image quality assessment: from error measurement to structural similarity. Image Process, IEEE Trans, vol 13

  65. Wang X et al (2017) Chestx-ray8: Hospital-scale chest X-ray database and benchmarks on weakly-supervised classification and localization of common thorax diseases. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2097–2106

  66. Wu Z, Wang ZH, Wang Z, Jin H, Wang Z (2020) Privacy-preserving deep action recognition: an adversarial learning framework and a new dataset. arxiv:1906.05675v4

  67. Xie S, Girshick R, Dollár P, Tu Z, He K (2017) Aggregated residual transformations for deep neural networks, In Computer Vision and Pattern Recognition (CVPR). In: 2017 IEEE Conference on. IEEE, pp 5987–5995

  68. Yang K, Yau J, Fei-Fei L, Deng J, Russakovsky O (2021) A study of face Obfuscation in ImageNet. arXiv:2103.06191v2

  69. Yang W, Zhang X, Tian Y, Wang W, Xue JH (2018) Deep learning for single image super-resolution: A brief review. arXiv:1808.03344

  70. Yeh RA, Chen C, Lim TY, Schwing AG, Hasegawa-Johnson M, Do MN (2017) Semantic image inpainting with deep generative models. Proc IEEE Conf Comput Vis Pattern Recognit:5485–5493

  71. Yu X, Porikli F (2016) Ultra-resolving face images by discriminative generative networks. Springer Int Pub:318–333

  72. Zhang K, Van Gool L, Timofte R (2020) Deep unfolding network for image super-resolution. IEEE Conf Comput Vision Patt Recognit

  73. Zhu J, Park T, Isola P, Efros AA (2017) Unpaired image-to-image translation using cycle-consistent adversarial networks. CoRR, vol arXiv:1703.10593

Download references

Acknowledgements

The authors especially thank Mr. Marc Kamradt for providing the GPU hardware available at the BMW TechOffice located in Munich to conduct all the experiments. This work has also been partially funded by the EIPHI Graduate School (contract “ANR-17-EURE-0002”).

Author information

Author notes

    Authors and Affiliations

    1. BMW Group, Munich, Germany

      Jimmy Tekli

    2. Université de Franche-Comté, CNRS institut FEMTO-ST, F-90000 Belfort, France

      Jimmy Tekli & Raphaël Couturier

    3. TICKET Lab, Antonine University, Baabda, Lebanon

      Bechara Al Bouna

    4. University of Balamand, Balamand, Lebanon

      Gilbert Tekli

    Authors
    1. Jimmy Tekli
      View author publications

      You can also search for this author in PubMed Google Scholar

    2. Bechara Al Bouna
      View author publications

      You can also search for this author in PubMed Google Scholar

    3. Gilbert Tekli
      View author publications

      You can also search for this author in PubMed Google Scholar

    4. Raphaël Couturier
      View author publications

      You can also search for this author in PubMed Google Scholar

    Contributions

    Both the second and the third author contributed equally to this study.

    Corresponding author

    Correspondence to Jimmy Tekli.

    Ethics declarations

    Consent for Publication

    The authors consent that this paper can be published in case of acceptance.

    Conflict of Interests

    On behalf of all authors, the corresponding author states that there is no conflict of interest.

    Additional information

    Publisher’s note

    Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

    Bechara Al Bouna and Gilbert Tekli contributed equally to this work.

    Rights and permissions

    Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

    Reprints and permissions

    About this article

    Check for updates. Verify currency and authenticity via CrossMark

    Cite this article

    Tekli, J., Al Bouna, B., Tekli, G. et al. A framework for evaluating image obfuscation under deep learning-assisted privacy attacks. Multimed Tools Appl 82, 42173–42205 (2023). https://doi.org/10.1007/s11042-023-14664-y

    Download citation

    • Received:

    • Revised:

    • Accepted:

    • Published:

    • Issue Date:

    • DOI: https://doi.org/10.1007/s11042-023-14664-y

    Keywords

    Search

    Navigation