DOI: 10.1145/3524273.3528189 (research article, public access)

Visual privacy protection in mobile image recognition using protective perturbation

Published: 05 August 2022

Abstract

Deep neural networks (DNNs) have been widely adopted in mobile image recognition applications. Considering intellectual property and computation resources, the image recognition model is often deployed at the service provider end, which takes input images from the user's mobile device and accomplishes the recognition task. However, from the user's perspective, the input images could contain sensitive information that is subject to visual privacy concerns, and the user must protect the privacy while offloading them to the service provider. To address the visual privacy issue, we develop a protective perturbation generator at the user end, which adds perturbations to the input images to prevent privacy leakage. Meanwhile, the image recognition model still runs at the service provider end to recognize the protected images without the need of being re-trained. Our evaluations using the CIFAR-10 dataset and 8 image recognition models demonstrate effective visual privacy protection while maintaining high recognition accuracy. Also, the protective perturbation generator achieves premium timing performance suitable for real-time image recognition applications.

Published In

MMSys '22: Proceedings of the 13th ACM Multimedia Systems Conference
June 2022
432 pages
ISBN: 9781450392839
DOI: 10.1145/3524273

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. adversarial perturbation
2. image recognition
3. visual privacy

Qualifiers

• Research-article

Conference

MMSys '22: 13th ACM Multimedia Systems Conference
June 14 - 17, 2022
Athlone, Ireland

Acceptance Rates

Overall Acceptance Rate 176 of 530 submissions, 33%
