DOI: 10.1145/3394171.3413906
research-article

Adversarial Privacy-preserving Filter

Published: 12 October 2020

Abstract

While widely adopted in practical applications, face recognition has been critically discussed regarding the malicious use of face images and the potential privacy problems, e.g., deceiving payment systems and causing personal sabotage. Online photo sharing services unintentionally act as the main repository for malicious crawlers and face recognition applications. This work aims to develop a privacy-preserving solution, called Adversarial Privacy-preserving Filter (APF), to protect online shared face images from being maliciously used. We propose an end-cloud collaborated adversarial attack solution to satisfy the requirements of privacy, utility and non-accessibility. Specifically, the solution consists of three modules: (1) image-specific gradient generation, to extract the image-specific gradient at the user end with a compressed probe model; (2) adversarial gradient transfer, to fine-tune the image-specific gradient in the server cloud; and (3) universal adversarial perturbation enhancement, to append an image-independent perturbation to derive the final adversarial noise. Extensive experiments on three datasets validate the effectiveness and efficiency of the proposed solution. A prototype application is also released for further evaluation. We hope the end-cloud collaborated attack framework can shed light on addressing privacy-preserving issues in online multimedia sharing from the user side.

Supplementary Material

MP4 File (3394171.3413906.mp4)


Published In

MM '20: Proceedings of the 28th ACM International Conference on Multimedia
October 2020
4889 pages
ISBN:9781450379885
DOI:10.1145/3394171
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. adversarial example
  2. face recognition
  3. photo sharing
  4. privacy-preserving

Qualifiers

  • Research-article

Conference

MM '20
Acceptance Rates

Overall Acceptance Rate 2,145 of 8,556 submissions, 25%

Article Metrics

  • Downloads (Last 12 months): 70
  • Downloads (Last 6 weeks): 7

Reflects downloads up to 20 Jan 2025

Cited By

  • (2025) AdvCloak: Customized adversarial cloak for privacy protection. Pattern Recognition 158 (111050). DOI: 10.1016/j.patcog.2024.111050. Online publication date: Feb-2025
  • (2024) Once-for-all: Efficient Visual Face Privacy Protection via Person-specific Veils. Proceedings of the 32nd ACM International Conference on Multimedia (7705-7713). DOI: 10.1145/3664647.3681371. Online publication date: 28-Oct-2024
  • (2024) TPE-AP: Thumbnail-Preserving Encryption Based on Adjustable Precision for JPEG Images. IEEE Internet of Things Journal 11:22 (37021-37031). DOI: 10.1109/JIOT.2024.3439549. Online publication date: 15-Nov-2024
  • (2024) Adversarial Attacks and Defenses in 6G Network-Assisted IoT Systems. IEEE Internet of Things Journal 11:11 (19168-19187). DOI: 10.1109/JIOT.2024.3373808. Online publication date: 1-Jun-2024
  • (2024) Reversible Adversarial Examples based on Self-Embedding Watermark for Image Privacy Protection. 2024 International Joint Conference on Neural Networks (IJCNN) (1-8). DOI: 10.1109/IJCNN60899.2024.10650535. Online publication date: 30-Jun-2024
  • (2024) C-privacy: a social relationship-driven image customization sharing method in cyber-physical networks. Digital Communications and Networks. DOI: 10.1016/j.dcan.2024.03.009. Online publication date: Mar-2024
  • (2024) RA-RevGAN: region-aware reversible adversarial example generation network for privacy-preserving applications. Multimedia Systems 30:4. DOI: 10.1007/s00530-024-01425-6. Online publication date: 26-Jul-2024
  • (2024) Overview of Face De-identification Techniques. Face De-identification: Safeguarding Identities in the Digital Era (23-57). DOI: 10.1007/978-3-031-58222-6_3. Online publication date: 26-Apr-2024
  • (2024) Privacy Preservation of Large Language Models in the Metaverse Era: Research Frontiers, Categorical Comparisons, and Future Directions. International Journal of Network Management 35:1. DOI: 10.1002/nem.2292. Online publication date: 29-Jul-2024
  • (2023) Face Database Protection via Beautification with Chaotic Systems. Entropy 25:4 (566). DOI: 10.3390/e25040566. Online publication date: 25-Mar-2023
