DisguisedNets: Secure Image Outsourcing for Confidential Model Training in Clouds

Figure 1 depicts the general image disguising framework. A data owner disguises her private images before outsourcing them to the cloud for DNN learning. She can either fully outsource the entire image datasets and the learning procedure to the cloud or selectively retain sensitive images in the cloud-client partitioning setting. She transforms all of her images using one secure transformation key secret to her. Note that this transformation should be at a reasonable cost, practical for a client’s infrastructure to process.

Specifically, assume the data owner owns a set of images for training, notated as pairs \(D=\lbrace (X_i, y_i)\rbrace\) , where \(X_i\) is the image pixel matrix ( \({l\times m}\) and \({3\times l \times m}\) for grayscale and RGB images, respectively) and \(y_i\) the corresponding label. We formally define a disguising mechanism as follows: Let the disguising mechanism be a transformation \(T_K\) , where K is the secret key that depends on the selected perturbation techniques. By applying image disguising, the training data is transformed to \(\lbrace (T(X_i), c_i)\rbrace\) with \(c_i\) mapped to \(0,1 , \dots\) randomly representing the classes \(y_i\) . The original model is a function \(\mathbf {M}(D)\) , which is learned with a DNN learning method \(\mathbf {G}\) : \(\mathbf {G}_\theta (D) \rightarrow \mathbf {M}(D)\) , with a certain parameter setting \(\theta\) . The image disguising mechanism enables the same learning method \(\mathbf {G}\) to be applied with possible parameter tuning \(\theta ^{\prime }\) to the transformed data directly without any modification: \(\mathbf {G}_\theta ^{\prime }(T (D) \rightarrow \mathbf {M}_T(T(D))\) . For any new data \(X_{new}\) , the model application (or inference) is defined as \(\mathbf {M}_T(T(X_{new}))\) , i.e., the new data transformed with the same key. To make such a transformation method practical for modeling, i.e., a model trained with transformed data still working satisfactorily, a user may expect the error of modeling is not far away from the original model’s. Thus, a utility-preserving mechanism should havewhere \(\delta\) is the level of model quality degradation acceptable to the user. While for a specific DNN modeling method and a specific dataset, it is difficult to theoretically justify what this gap will be, one can always directly evaluate the model quality to check whether it is acceptable for the application. We have empirically evaluated the \(\delta\) levels for different mechanisms, datasets, and a few popular DNN modeling architectures in experiments.

Note that the InstaHide method also fits this framework, although originally it was designed for protecting participants’ private data in federated learning. However, some InstaHide methods allow the learned model \(\mathbf {M}_T\) to be applicable to the original test data, i.e., \(\mathbf {M}_T \approx \mathbf {M}\) . This property is undesirable for outsourced training, as it leaves the learned models unprotected, vulnerable to model-based attacks.

We are concerned with the confidentiality of the sensitive training image data and the DNN models in the outsourced training phase. Here, we make some relevant security assumptions about confidential training.

Assets to Be Protected. With a disguising mechanism, we generalize that the training data D is transformed to \(T_{key}(D)\) , and the model \(M(D)\) is changed to \(M_T(T_{key}(D))\) , where the modeling method keeps unchanged but with necessary parameter tuning. Training data can be sensitive for many reasons. The attacker might want to know whether an image is likely used to train a model, e.g., the membership inference attack [42], examine training images that may contain sensitive objects, or steal a proprietary training dataset to build a replica model. The exposed model is also targeted by all kinds of model-based attacks, as we have discussed.

Adversarial Prior Knowledge. The adversary may have two levels of prior knowledge. For each level, we may design a disguising technique.

Potential Attacks. Based on the threat model, we consider two types of attacks.

(1) Visual Re-identification Attack. With a protection mechanism on data and models, we consider a basic attack: training image re-identification, which aims at matching the disguised images to original images with the Level-1 knowledge only. Note that most older disguising methods [10, 28] are not even resilient to human visual re-identification. Apparently, using human editors to validate this attack is time-consuming and inefficient. Thus, we introduce a model-based re-identification test—DNN examiner, which uses a model trained on the original data to tell whether a protected image is re-identifiable. As most models on the original data are quite capable, comparable to human editors, this method can significantly simplify the evaluation process.

(2) Reconstruction Attack. More sophisticated are reconstruction attacks, which try to reverse the disguising mechanism to approximately reconstruct the original images and then conduct the visual re-identification attack. The specific attack will depend on the disguising method used. We can also use the DNN examiner approach to evaluate how successful a reconstruction attack works in our experiments.

In this section, we present one way of image transformation: image block permutation, which will be combined with other mechanisms later.

An image \(X_{l \times m}\) is first partitioned into t blocks of uniform size \(r\times s\) . If we label the blocks sequentially as \(v= \lt 1,2,3,4, \dots , t\gt\) , then a pseudorandom permutation of the image, \(T_{\pi }(X)\) , shuffles the blocks and reassembles the corresponding image accordingly. Block-based permutation preserves the in-block information and the relative positions of related blocks. Thus, we understand it preserves a great amount of information for effective modeling. However, while the permutation may break the global patterns of the images and achieve good visual privacy already, the between-block characteristics such as boundaries, color, content shape, and texture of the original neighboring blocks may provide clues for adversaries to recover the original image—imagine the jigsaw puzzle! For large t, such attacks can be time-consuming due to the vague similarity between block boundaries. However, with the prior knowledge—knowing an original image and its block-permuted version—it is not difficult to solve such a jigsaw puzzle. Thus, we use this as a preliminary step that will be further enhanced with other steps in the disguising framework.

Next, we establish pixel-block-level protection mechanisms that aim to preserve the data utility for DNN modeling and further increase the resilience to attacks. We consider two candidate mechanisms—random projection and encryption schemes—and discuss their characteristics.

Specifically, when an image is partitioned into t pixel blocks for random permutation, we get a list of t parameters \(\lbrace K_i, i=1\dots t\rbrace\) , one for the pixel-block at the same position across the whole dataset. For example, \(K_i\) contains the block-wise random projection matrix for the RMT method and the block-wise AES encryption key for the AES method. We name the specific position of the pixel block in the image the pixel-block position. The list of parameters acts as a secret key and will be shared, together with the permutation key, by each image in the dataset. The purpose of this setting is to maximize the preservation of distinguishable patterns between image classes—i.e., a pair of similar image patterns (blocks) can still be transformed to another pair of (likely) similar ones after applying the disguising mechanism.

Randomized Multidimensional Transformation (RMT). For an image represented as a pixel matrix X, a general linear transformation can be defined as \(G(X) = R(X+\Delta)\) , where \(R_{ m \times m}\) is a random orthogonal matrix generated following the Haar distribution [14], or a random invertible matrix, e.g., a random projection matrix [49], and \(\Delta\) is an optional noise matrix. We call this method the randomized multidimensional transformation. When an image is partitioned into t blocks for random permutation, we prepare a list of random matrices \(\lbrace R_i, i=1..t\rbrace\) , one for each image-block position, and share this list for each image. Such transformation is known to preserve (or approximately preserve by random projection) the Euclidean distance between columns of the matrix X. For real application, we may arrange the pixel blocks accordingly to form the column of X. For example, a 4 × 4 pixel matrix can be partitioned into 4 2 × 2 block to preserve the smaller block-level similarity with RMT. Figure 2 shows the effects of RMT on MNIST and CIFAR-10 datasets.

AES Block Transformation (AES). The existing AES encryption schemes typically use 128-bit encryption keys, which encode every 16 bytes of data sequentially. If we use AES for pixel-block encryption, assuming each pixel is stored in one byte, then 16 original pixels are mapped to 16 encrypted bytes (pixels), and a whole pixel block is encoded to 16-byte units. Putting all encrypted pixel blocks together, we get a disguised image. For clear presentation, we use “AES encryption unit,” i.e., by default 16 bytes, to distinguish from the “pixel block” used in partitioning and permutation in our image disguising framework. Each pixel block at the specific position of the image will use a distinct AES key to ensure better security, while the AES key at the same position will be used for different images to preserve the locality information across images. Figure 3 shows some example AES transformations on images.

As AES has multiple modes, we have carefully checked different modes and decided one in our design based on the trade-off between data utility and security. (1) With the AES Cipher Block Chaining (CBC) mode, any pixel-level change in the pixel block between two images will result in different encoding results. This feature makes two similar blocks very different after encoding, seriously damaging data utility, and thus it is not ideal for our purpose. (2) Then, we turn to the AES Electronic Code Book (ECB) mode to preserve more utility. ECB is considered as a fixed mapping function between 16-byte original data to 16-byte encrypted data. Different from CBC, the neighboring 16-byte blocks do not affect the encoding of the current block. This matches our requirement of data utility preservation, e.g., to preserve the block-level distinguishable patterns after the transformation.

In the initial design, when the pixel block size is larger than 16, we can use 16 encryption units. One may wonder how to handle the block size \(\lt\) 16, which might preserve more information. We design a scaling-up-down procedure for handling this setting. Specifically, we can scale up the block to 16-byte size first, i.e., duplicating pixels in a pixel-by-pixel way. For example, for a 2 × 2 block, each pixel is duplicated along the x axis and y axis, respectively, to get a 4 × 4 block, which is then encrypted. Finally, we can choose to scale down the whole image to the original size by merging the neighboring pixels. This procedure can also be applied to pixel blocks larger than 16 pixels—by changing the encryption unit to be less than 16. In experiments, we found smaller encryption units actually improve model quality for the AES method. Algorithm 1 shows the AES method without the scaling-up-down procedure, and Figure 4 demonstrates how the result looks like for different settings of the AES method.

The additional costs of the disguising methods are twofold: the client-side encoding cost and the server-side additional learning cost. The client-side encoding cost can be critical for both large data holder and small-batch data contributor with limited computing and storage space, e.g., submitting data from mobile phones. On the other side, the model trainer may also wonder whether the server-side learning can converge, and if it can converge, whether the disguised images will affect the convergence speed. We leave the second part to the experimental evaluation and analyze the client-side encoding cost here.

For clear presentation, we assume the image size \(m \times m\) . For schemes involving partitioning, we assume the image is partitioned into \(t^2\) blocks with block size \(m/t \times m/t\) . The cost of RMT encoding per image is dominated by \(t^2\) matrix multiplications with each costing \((m/t)^3\) . Thus, the total cost is \(O (m^3/t)\) —the more blocks, the lower costs. With the same setting, if the block size \((m/t)^2 \ge 16\) (assuming times of 16 for simplicity), then the AES-128 encryption cost is \((m/t)^2/16\) AES encryption operations per block and thus the overall cost is \(O(m^2/16)\) encryption operations. For \((m/t)^2 \lt 16\) , the scale-up-down process uses a scaling factor s and the final cost is \(O((ms)^2/16)\) encryption operations. Our experimental evaluation shows that per image cost relatively low and can be comfortably done by any PC or mobile phone—lower than 5 milliseconds per image for the sample datasets.

In contrast, while the computational cost of InstaHide is also relatively low, it requires accesses to a large auxiliary dataset, such as ImageNet, to achieve good confidentiality. For k images involved in the mix-up process, the overall cost is \(O(km^2)\) . The accesses to the auxiliary dataset have to be carefully handled to ensure security and reasonable storage or communication costs. Table 1 summarizes the per-image time and space complexity for applying these methods. The cost scales linearly with the number of images in the training dataset.

This section aims to analyze the possible threats to the proposed disguising mechanisms and clarify the applicable settings. With Level-1 adversarial knowledge, DisguisedNets mechanisms provide strong confidentiality protection, as shown in the discussion of “brute-force attacks” and “clustering attacks.” Other simpler methods are struggling with visual re-identification by human eyes [10, 28], while InstaHide is broken with only the Level-1 knowledge by a clustering-based method [4]. However, DisguisedNets methods are still vulnerable to more sophisticated reconstruction attacks that depend on Level-2 adversarial knowledge. This study clearly states the settings that DisguisedNets can be applied and distinguishes the security features of the DiguisedNets methods from InstaHide’s.

Note that the models trained with disguised images work only on disguised images.² This property also protects models from existing model-based attacks, including model-inversion attacks [12, 52], membership-inference attacks [20, 42], and model-extraction attacks [23, 46]. In the following, we analyze whether and how the proposed image disguising methods can also protect from these model-based attacks.

These model-based attacks are possible only when the model can be accessed by the attacker. Thus, we consider two model exposure scenarios.

Since our focus is on confidential model training, we will skip the discussion about model access API exposure. In the following, we will discuss how the disguising methods can protect from model exposure in training.

A model-inversion attack uses a learning procedure, e.g., a GAN method [52] zhang20, to progressively adjust randomly generated or seed images from similar domains towards most likely training examples. This type of attack needs to access the model freely. With an exposed model, the model-inversion attack recovers only the disguised training data, not the original data. Thus, if the disguised training data is secure, then model-inversion attacks are not meaningful. We will show how disguising methods protect from this kind of attack in experiments. The attacker can use the service API like accessing a normal model; how internal data transformation happens does not interfere with the attack. Thus, the disguising methods can also be an effective defensive mechanism against model-inversion attacks.

A membership-inference attack(MIA) estimates the possibility of a target sample belonging to the training data of a model. This attack assumes the adversary knows the type and distribution of training data [42] and tries to estimate the probability of using a target sample in model training. Most such attacks look at the model’s output probability vector for the target sample to distinguish in- or out-training samples. Since the disguised model is trained on the distribution of transformed data, without transforming the target sample with the secret disguising parameter, the output probability vector more likely indicates original images to be out-training samples.

A model-extraction attack(MEA) assumes the attacker can freely access the model to collect the (input, predicted-label) pairs, which are then used to reconstruct the model. MEA is often applied to paid model API to reconstruct a free model offline. The model trained on disguised images effectively deter this attack, as the attacker cannot forge effective input data, which are generated with the secret disguising function.

Therefore, we conclude that image disguising can also effectively protect exposed models during training.

As we discussed, the costs of disguising mechanisms are twofold: the client-side encoding and the server side additional training time. We have briefly analyzed the per-image disguising cost in Section 4.3. Figure 8 shows the average costs of the RMT, AES, and InstaHide methods for random batches of 100 images from the four datasets, respectively. All methods finish within 100–500 milliseconds. While a typical mobile processor might be much slower than the Intel Xeon CPU that we use for experiments, we expect the actual encoding costs for mobile processors will not be too high.

The server side additional training cost is another major concern. Since the standard deep learning software is used in training disguised images, the per-epoch cost is only affected by the image size and the architecture complexity, regardless of how the image is encoded. The major cost difference comes from the number of additional epoches required to converge. Figure 9 shows the evaluation of convergence speed on MNIST and CIFAR10 for the methods: baseline, RMT, AES, and InstaHide. The baseline refers to the models reported in Table 2. Both RMT and AES run with the basic setting of 4 × 4 pixel blocks without noise addition. The scale-up-down method is not applied to AES. The result shows that training with the RMT-disguised or InstaHide disguised images does not affect the convergence speed, and we have seen the same convergence pattern as the regular training for both datasets. However, the AES-disguised images make the convergence difficult. It converges around 50 epochs for MNIST, compared to 10 epochs for other methods; its convergence pattern is unstable for CIFAR10. In addition, the convergence quality for AES-disguised images is significantly affected. Both figures show much higher losses than other methods.

As we have discussed, RMT and AES are resilient to Level-1 attacks that aim to recover parameter settings. However, it is unclear how they are resilient to the basic visual re-identification test. In the following, we will evaluate the resilience of RMT, AES, and InstaHide to visual re-identification and then focus on the effect of parameter settings for RMT and AES.

Visual Re-identification. The test on visual re-identification is done with the DNN examiners trained on the original datasets, respectively. The intuition is, if the image was not sufficiently disguised, then its content would still be visually recognized by a human attacker that is implemented with the DNN examiner. We can use the DNN examiner’s accuracy on disguised (or reconstructed) images to represent the level of re-identifiability, i.e., the Attack Success Rate, as we defined earlier. Since DNNs are better than human especially for detecting images from heavily noisy and distorted images [26], we believe these attack success rate numbers should be generally higher than what a human attacker can do. Figure 10 summarizes how resilient these methods are to visual re-identification attacks, where both RMT and AES use the block size 4 × 4 without noise addition. The result shows all methods are resilient to visual re-identification.

Effect of RMT Parameter Settings. Block size and noise level settings of RMT may affect the quality of models trained on RMT-disguised images. For easier presentation, we convert block size into the number of blocks: 1 block on the x-axis means the image is not split into blocks; while 196 blocks means 196 2 × 2 blocks for 32 × 32 images (CIFAR10) or padded 28 × 28 images (MNIST and FASHION), and 196 4 × 3 blocks for padded 60 × 48 images (LFW). Thus, a smaller block size results in a larger number of blocks after partitioning, as the image size is fixed. If more than one block is generated in partitioning, then we also apply a secret block-wise permutation. Figure 11(a) shows that the model quality is slightly decreased with smaller block sizes (more blocks per image). Overall, the model quality is well preserved, only 2%–3% worse than the baseline. Figure 11(b) uses normal noise distribution \((noise\_level)*N(0, 1)\) to generate the per-pixel noise. It shows that more sophisticated images, such as CIFAR and LFW are more sensitive to noise addition.

Effect of AES Parameter Settings. Block size is the only parameter for the AES method. Figure 12(a) shows different block size settings from 1 block (e.g., 32 × 32 per block for 32 × 32 images) to 64 blocks (e.g., 4 × 4 pixels per block for 32 × 32 images). We tested two schemes: no scaling vs. scaling. The no-scaling scheme uses the block size \(\ge\) 16 bytes, while scaling can use even smaller block sizes. Specifically, when we use a block size \(\lt\) 16, e.g., 2 × 2 blocks, the scaling-up factors are determined for the x and y axes, corresponding, e.g., the scaling factor for x-axis is 2 and also 2 for y-axis for 2 × 2 blocks, so we can partition the scaled image with 4 × 4 blocks. Figure 12(a) shows that the model quality is much lower by the no-scaling scheme. For some datasets, e.g., CIFAR10 and LFW, the model quality is too low to be used. Figure 12(b) with a small block size 2 × 2 and the scaling-up-down method shows that the model quality is boosted to the level comparable to the RMT’s results for MNIST and FASHION, while the other two still stay at unusable levels. The possible reason is that the colored (multi-channel) images contain more noisy image blocks, which change significantly after the AES transformation. Thus, different from the RMT scheme, the AES scheme may only preserve utility for some datasets.

With the known additional knowledge, i.e., pairs of original and disguised images, the disguising mechanisms might be under the reconstruction attack, and attackers can visually check the reconstructed images to re-identify the features of original images. The re-identification step after reconstruction still uses the DNN examiner to generate the attack success rate.

AES under Codebook Attack. Assume the attacker knows k pairs of original images and their ECB encrypted ones with other necessary knowledge such as block sizes. The codebook attack uses the known pairs to construct a mapping between the known plaintext 16-byte pixels (or a reduced number of pixels if the scaling up/down method is used to preserve more utility) and the corresponding encrypted 16-byte pixels. The attacker might be able to use the codebook to partially recover the original pixel blocks of a disguised image (with random pixel patches for unrecognized blocks).

As MNIST and Fashion perform reasonably well with the AES scheme (Figure 12), compared to the other two, we pick only the MNIST data for clear presentation—the Fashion data has a similar pattern. Figure 13 compares the attack results on 16-pixel encryption units (subfigure (a)) and 2-pixel encryption units (for 2 × 1 blocks) with scaling (subfigure (b)). The attacker’s known pairs are selected randomly from the training data, while the targeted images are selected from the testing data. 16-pixel encryption unit gives a one-to-one mapping between the original pixel units and the encrypted ones. We observed hit rates are quite low (lower than 10%), but success rates are increasing steadily due to the increased codebook size. Overall, attackers will need a large number of pairs to achieve a good success rate. 2-pixel encryption unit may create a one-to-many mapping between original pixel units and the encrypted ones, due to the scale up/down processes. We used the Python library function for image scaling. With the scaling process, we observed that hit rates initially increase to around 10% and then drop to 2%–3%. However, the success rate quickly reaches the plateau—around 50% with only 20 image pairs. Therefore, the no-scaling method is more resilient to attacks, as both the hit rates and success rates grow slowly, and knowing the whole training data does not help improve the success rates much. In contrast, the scaling method can help gain better model quality, while it also makes the method more vulnerable to Level-2 attacks.

Aiming at achieving a better balance of utility and attack resilience for the setting of the 2-pixel encryption unit, we test the use of “salt-and-pepper” noises to disturb the codebook attack. The AES encrypted pixel block changes dramatically when any of the original pixels change, which helps reduce the attack success rate. Figure 14 shows that by adding a small amount of noise, e.g., 2%–3%, the attack success rate drops by 10%, while the model quality is not significantly damaged. Certainly, the level of noise should be carefully chosen to avoid destroying the data utility: An increase of noise intensity to 4% will dramatically degrade the model quality, as Figure 14(b) shows.

RMT under Regression Attack. As we have shown, the regression attack can be a practical threat to RMT if the attacker is equipped with Level-2 knowledge. We also assume a stronger attack scenario: The attacker already knows the pixel-block size and the permutation pattern. We know that RMT without noise addition is very vulnerable to known pairs. With as little as one pair of known images, the block-wise transformation parameters \(\lbrace R_i, i=1..m\rbrace\) can be recovered using simple matrix inversion. Thus, we consider how the noise addition can help improve RMT’s resilience to attacks. Different from the “salt-and-pepper” noise for selected pixels in the enhanced AES scheme, we generate a noise value for each pixel and add it to the original pixel value before applying the projection, i.e., \(Y_i = R_i(X_i + \Delta _i)\) , where the noise \(\Delta _i\) is drawn from the uniform distribution \(U(0, u)\) . With noise addition, the regression attack is used to estimate the parameters \(\lbrace R_i\rbrace\) , the accuracy of which might be affected by the noise intensity (i.e., the u setting) and the number of available pairs.

Figure 15(a) shows that direct re-identification (with Level-1 attack) is generally not effective at all. However, Figure 15(b) shows that the regression attack is highly effective on all datasets. With a small number of known image pairs, the attack can achieve surprisingly high success rates. Thus, it is not safe to use the RMT scheme when Level-2 attack knowledge is available.

Exposing models may have high risks, as shown in model-inversion attacks, membership-inference attacks, and model-extraction attacks. This experiment shows that image-disguising methods can work effectively against such model-targeted attacks. We take the model-inversion (MI) attack, for example, which tries to recover training data from the exposed model.

This experiment checks whether models trained on disguised images by RMT and InstaHide are resilient to the MI attack. We adopt the recently develop GAN-based attack [52] that has shown better performance than the original method in recovering training data. Specifically, we used a 4 × 4 block without noise addition for RMT to generate disguised data and models. InstaHide (Private) uses only the private training data for mix-up. For InstaHide(Public), we use EMNIST (Capital letters A–J) as the public dataset for mix-up in disguising MNIST and FASHION and CIFAR100(class 0-9) as the public dataset for mix-up in disguising CIFAR-10 and LFW.

We then apply the MI attack to generate 2,000 images for each dataset evenly distributed in each class. Finally, we use the DNN examiners to recognize the recovered images. Figure 16 shows that the MI attack with good auxiliary data can be very effective, while models trained on both RMT and InstaHide disguised data are very resilient to the MI attack. Indeed, the MI attack recovers the RMT-disguised training data, which are very different from the original images and thus still unrecognizable.

Based on the experimental results, we have the following observations: