QUICK REVIEW

[Paper Review] DeepObfuscator: Adversarial Training Framework for Privacy-Preserving Image Classification

Ang Li, Jiayi Guo|arXiv (Cornell University)|Sep 9, 2019
Adversarial Robustness in Machine Learning | References: 19 | Cited by: 26
One-sentence summary

DeepObfuscator is an adversarial training framework that protects user privacy in cloud-based image classification by obfuscating the deep features extracted from images. By adversarially training a learnable obfuscator network, it sharply degrades image reconstruction quality (MS-SSIM falls from 0.9458 to 0.3175) and weakens inference of private attributes (for example, gender classification accuracy drops from 97.36% to 58.85%), while the target task's classification accuracy falls by only 2%.

ABSTRACT

Deep learning has been widely utilized in many computer vision applications and achieved remarkable commercial success. However, running deep learning models on mobile devices is generally challenging due to the limitations of the available computing resources. It is common to let the users send their service requests to cloud servers that run the large-scale deep learning models to process. Sending the data associated with the service requests to the cloud, however, imposes risks on the user data privacy. Some prior art proposed sending the features extracted from raw data (e.g., images) to the cloud. Unfortunately, these extracted features can still be exploited by attackers to recover raw images and to infer embedded private attributes (e.g., age, gender, etc.). In this paper, we propose an adversarial training framework DeepObfuscator that can prevent extracted features from being utilized to reconstruct raw images and infer private attributes, while retaining the useful information for the intended cloud service (i.e., image classification). DeepObfuscator includes a learnable encoder, namely, obfuscator that is designed to hide privacy-related sensitive information from the features by performing our proposed adversarial training algorithm. Our experiments on CelebA dataset show that the quality of the reconstructed images from the obfuscated features of the raw image is dramatically decreased from 0.9458 to 0.3175 in terms of multi-scale structural similarity (MS-SSIM). The person in the reconstructed image, hence, becomes hard to re-identify. The classification accuracy of the inferred private attributes that can be achieved by the attacker drops down to a random-guessing level, e.g., the accuracy of gender is reduced from 97.36% to 58.85%. As a comparison, the accuracy of the intended classification tasks performed via the cloud service drops by only 2%.

Motivation and goals

  • Address the privacy leakage in cloud-based image classification that arises because extracted features can reveal the original image or private attributes.
  • Develop a framework that protects sensitive information while keeping the features useful for the target task.
  • Enable image processing tasks to be offloaded to the cloud securely, without compromising user privacy.

Proposed method

  • Introduce a learnable encoder, the obfuscator, that transforms raw image features into a privacy-preserving representation.
  • Use an adversarial training algorithm that jointly optimizes feature obfuscation and task utility.
  • Use a generator network to reconstruct images from the obfuscated features; the obfuscator is trained to fool this generator.
  • Train the obfuscator to minimize reconstruction quality (via an MS-SSIM loss) and private-attribute inference accuracy.
  • Integrate a classification head to maintain high accuracy on the target image classification task.
  • Optimize the obfuscator with a multi-objective loss that combines the reconstruction loss, the attribute inference loss, and the classification objective.
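A toy walk-through of the alternating min-max game described above, added here and not the paper's or the authors' code. It collapses the image and its deep features to a constructed 2-d vector (u, p), refits the attribute attacker and task classifier in closed form each round instead of by gradient steps, and omits the reconstruction branch (with a 1-d feature it coincides with regressing p); these are all simplifying assumptions.

```python
# Constructed toy data (not from the paper): a raw feature x = (u, p), where u is the label the
# cloud task needs and p is the private attribute. They agree 80% of the time (correlation 0.6),
# so a feature that is perfect for the task unavoidably carries some information about p.
SAMPLES = [(1.0, 1.0), (-1.0, -1.0)] * 4 + [(1.0, -1.0), (-1.0, 1.0)]
U = [x[0] for x in SAMPLES]   # task labels
P = [x[1] for x in SAMPLES]   # private attribute

def mean(vals):
    return sum(vals) / len(vals)

def obfuscate(w, x):
    """Toy obfuscator: a 1-d feature z = w_u*u + w_p*p standing in for the paper's encoder."""
    return w[0] * x[0] + w[1] * x[1]

def best_response(z, target):
    """Least-squares fit target ~ coef*z: the optimal linear attacker or classifier for this z."""
    return mean([zi * t for zi, t in zip(z, target)]) / mean([zi * zi for zi in z])

def r_squared(coef, z, target):
    """Variance of the target explained by coef*z. Targets are +-1 with unit variance, so this
    is 1 - MSE: 0 means the predictor is no better than guessing, 1 means perfect recovery."""
    return 1.0 - mean([(t - coef * zi) ** 2 for zi, t in zip(z, target)])

def evaluate(w):
    """Re-fit an optimal task classifier and attribute attacker against w (RQ2/RQ3 analogue)."""
    z = [obfuscate(w, x) for x in SAMPLES]
    return {"task_r2": r_squared(best_response(z, U), z, U),
            "attack_r2": r_squared(best_response(z, P), z, P)}

def train_obfuscator(lam=1.0, lr=0.1, steps=500, w0=(1.0, 0.8)):
    """Alternating adversarial training: refit the adversaries, then step the obfuscator down
    (task loss - lam * attacker loss), lowering task error while raising the attacker's error."""
    w = list(w0)
    for _ in range(steps):
        z = [obfuscate(w, x) for x in SAMPLES]
        k = best_response(z, U)   # task classifier's best response to the current features
        a = best_response(z, P)   # attribute attacker's best response
        grad = [0.0, 0.0]
        for x, zi in zip(SAMPLES, z):
            e_task, e_attr = x[0] - k * zi, x[1] - a * zi
            for i in range(2):  # d/dw_i of (e_task^2 - lam*e_attr^2), using dz/dw_i = x[i]
                grad[i] += (-2 * e_task * k + 2 * lam * e_attr * a) * x[i] / len(SAMPLES)
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return tuple(w)

if __name__ == "__main__":
    print("untrained, leaky features :", evaluate((1.0, 0.8)))            # attacker explains ~75% of p
    print("task-only training, lam=0 :", evaluate(train_obfuscator(lam=0.0)))  # ~36% leak, task 100%
    print("adversarial training,lam=1:", evaluate(train_obfuscator(lam=1.0)))  # 10% leak, task 90%
```

With lam=1 the obfuscator deliberately gives up a little task fidelity to cut what the attacker can recover, the same trade-off the paper reports as a 2% accuracy drop against near-random attribute inference.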

Experimental results

Research questions

  • RQ1: Can the adversarial training framework effectively reduce the quality of images reconstructed from the obfuscated features?
  • RQ2: To what extent does the framework prevent an attacker from inferring private attributes such as gender and age from the obfuscated features?
  • RQ3: How much does the obfuscation reduce accuracy on the target image classification task?
  • RQ4: Can the framework retain enough feature utility for cloud-based classification while maximizing privacy protection?

Key findings

  • The multi-scale structural similarity (MS-SSIM) of images reconstructed from obfuscated features drops from 0.9458 to 0.3175, indicating severe degradation of image quality.
  • The attacker's inference accuracy for the gender attribute drops from 97.36% to 58.85%, close to random guessing.
  • After obfuscation, accuracy on the target image classification task drops by only 2%, indicating that feature utility is well preserved.
  • Because of the large loss of structural fidelity, the person in the reconstructed image can hardly be identified.
  • The framework successfully balances privacy protection with task utility, demonstrating feasibility for practical deployment.


This review was generated by AI and checked by a human editor.