SocialGuard: An Adversarial Example Based Privacy-Preserving Technique for Social Images

Some researches have indicated that DNN models are vulnerable to adversarial examples, and a range of adversarial example generation methods have been proposed. Szegedy et al. [15] first proposed adversarial example attacks against the DNN models, and developed the L-BFGS algorithm to construct the adversarial perturbations. By adding the generated perturbations into a clean image, the target DNN model will output the incorrect classification result. Then, Goodfellow et al. [16] proposed the Fast Gradient Sign Method (FGSM) to explain the linear behavior of adversarial perturbations, which is effective to accelerate the generation of adversarial examples. Carlini and Wagner [17] constructed the high-confidence adversarial examples with three different distance metrics (i.e., ${L_{0}}$ distance, ${L_{2}}$ distance, and ${L_{\infty}}$ distance), and their generated adversarial examples could successfully fool the distilled neural networks. Chen et al. [18] developed the ShapeShifter attack to craft physical adversarial examples to fool road sign object detectors. By applying the Expectation over Transformation technique [19, 20], the ShapeShifter is robust to the changes of different distances and angles.

The workflow of the Faster R-CNN detector includes two stages [12]: region proposal and box classification. In the first stage, the features in an image are extracted, and the region proposal network (RPN) is used to determine where an object may exist and mark the region proposal. In the second stage, the corresponding objects in the marked region proposals are classified by DNN based classifier. Meanwhile, the bounding box regression [21] is performed to obtain the accurate location of each object in the image.

We proposed the idea of this paper in 2019 and applied for a Chinese patent [22]. Besides, few exploratory studies have been conducted on the protection of image privacy against DNN based privacy stealing. Li et al. [23] presented the Private Fast Gradient Sign Method (P-FGSM) to prevent the scene (e.g., hospital, church) in social images from being detected by DNN model. They added imperceptible perturbation to the social images to generate the adversarial social images, in which the scene will be incorrectly classified by DNN classifier. Shen et al. [24] proposed an algorithm to protect the sensitive information in social images against DNN based privacy stealing and keep the changes of the social images imperceptible. They also conducted a human subjective evaluation experiment to evaluate the factors that influence the visual sensitivity of human [24]. The difference between our work and [24] is that, [24] focuses on preventing sensitive information from being detected by DNN based classifier, while our work focuses on preventing sensitive objects from being detected by object detector. Shan et al. [25] proposed a Fawkes system to protect personal privacy against unauthorized face recognition models. Specifically, they add pixel-level perturbations to user’s photos before uploading them to the Internet [25]. The functionality of unauthorized facial recognition models trained on these photos with perturbations will be deteriorated seriously. The differences between our work and [25] are that: (i) The work [25] protects social privacy against facial recognition models, while our method protect social privacy against object detectors. (ii) The work [25] adds adversarial images to the training set of unauthorized facial recognition models to influence the training phase of these models (which is a strong assumption), while our work focuses on the testing phase of DNN detectors.

The above three related works focus on privacy protection against the image classifiers. Compared with image classifiers, attacking or deceiving object detectors is more challenging [26, 27, 8]. The reasons are as follows. First, an object detector is more complex, which can detect multiple objects at once. Second, the object detector can infer the true objects by the obtained information from the image background. To the best of the authors’ knowledge, the only social privacy protection work against object detectors is Liu et al. [8]. Liu et al. [8] constructed the adversarial examples with a stealth algorithm, which made all objects in the image invisible to the object detectors, thus protecting the image privacy from being detected. Compared to the work [8], our work has the following differences: (i) The mechanisms are different. The work [8] focuses on the region proposal stage (the first stage) of Faster R-CNN, while our method focuses on the classification stage (the second stage) of Faster R-CNN. Moreover, our method leverages the classification boundary of object detector to craft perturbations. Specifically, the position of the feature point of each bounding box is moved and crossed the classification boundary, which make object detector cannot find any sensitive object and abandon the corresponding bounding boxes, while the stealth algorithm in [8] performs a backpropagation on the loss function to create perturbations and suppress the generation of bounding boxes. (ii) The effects are different. The work [8] can hide all the objects in a social image from being detected, while our method can not only achieve this, but can also make the customized sensitive objects in a social image be misclassified as other classes.

DNN based object detectors perform excellently in various computer vision tasks. The deep learning based object detectors can be divided into two categories: (i) one-stage object detectors, such as You Only Look Once (YOLO) [28], and Single Shot Multibox Detector (SSD) [29]; (ii) two-stage object detectors, such as Faster R-CNN [12], and Region-based Fully Convolutional Networks (R-FCN) [30]. Existing research [31] has indicated that, compared to SSD and R-FCN, the Faster R-CNN can achieve more superior performance on the trade-off between speed and detection accuracy. Besides, generally, Faster R-CNN has higher detection accuracy than that of YOLO detector. Therefore, in this paper, the proposed method is targeting at protecting image privacy from being detected by Faster R-CNN detectors.

The privacy goal of the proposed method includes two aspects: one is that Faster R-CNN fails to predict any bounding box in an image, which will be discussed in Section 3.3, and the other is that Faster R-CNN can predict some bounding boxes in an image but classifies the sensitive objects incorrectly, which will be discussed in Section 3.4. If one of these two aspects is met, it is considered that the social privacy is successfully protected. To achieve the first aspect, we need to make sure that for each bounding box, the score of each bounding box is lower than the threshold, which can be formalized as:

where $x^{\prime}$ is an adversarial social image. $K$ is the number of classes that an object detector can recognize ($K=80$ in the experiment), and $k$ denotes the k-th category. $P_{k}$ is the score of class $k$ of the bounding box. $T$ is the detection threshold of the system.

For an object detector, it outputs bounding boxes with high scores (higher than the threshold), and discards the bounding boxes with low scores (lower than the threshold). Equation (1) indicates that the scores predicted by Faster R-CNN for all the bounding boxes are all lower than the threshold. Therefore, the system will abandon all bounding boxes and detect nothing in the adversarial social image.

The proposed adversarial example based method can make all objects in a social image undetectable by Faster R-CNN (the first aspect), which will be discussed in Section 3.3. In addition, the proposed method can also make the customized sensitive objects incorrectly classified as another object (the second aspect), which will be discussed in Section 3.4.

The overall flow of the proposed method is shown in Fig. 1. The method takes users’ photos as the inputs, and outputs the adversarial examples to deceive the Faster R-CNN object detector. First, pre-detection is performed on the users’ photos to obtain the detected objects. Then, the classes that do not belong to those correctly detected classes are selected as non-sensitive classes (defined in Section 3.3). Second, the region proposals ${r_{1}},{r_{2}},...,{r_{m}}$ are obtained in the classification stage of Faster R-CNN. Third, the adversarial attack is implemented at the second stage (i.e., the classification stage) of Faster R-CNN by iteratively constructing the perturbation in the image. The perturbation is iteratively constructed until that, for every bounding box, the score of each object is lower than the threshold, which will cause Faster R-CNN to discard all the bounding boxes. In this way, the generated adversarial social image can successfully deceive the Faster R-CNN detector when it is uploaded to the social platforms.

We propose an Object Disappearance Algorithm which is presented in Algorithm 1, to generate adversarial examples and prevent Faster R-CNN from predicting any bounding box (the first aspect as discussed in Section 3.1). The proposed method focuses on attacking the classification network at the second stage (i.e., the classification stage) of Faster R-CNN. The adversarial attack includes two steps. First, the pre-detection on the original image $x$ is performed to obtain the predicted classes, including the correct and incorrect prediction results. We define the correctly predicted classes as the sensitive classes that need to be protected. In this paper, for an unprocessed social image, the sensitive objects are the objects that appear in the image and can be detected by object detector, and the non-sensitive objects are the objects that do not appear in the image. For different social images, the sensitive objects and the non-sensitive objects are different. Then, the non-sensitive class set ${Y^{\prime}}=\{{y^{\prime}_{1}},{y^{\prime}_{2}},...,{y^{\prime}_{K-d}}\}$ is selected, where $K$ is the number of classes that an object detector can recognize, and $d$ is the number of classes that are detected in the original image. ${y^{\prime}_{1}},{y^{\prime}_{2}},...,{y^{\prime}_{K-d}}$ do not belong to these correctly detected classes and are the classes of objects that do not appear in the original image $x$. Second, the region proposals ${r_{1}},{r_{2}},...,{r_{m}}$ are obtained in the classification stage of Faster R-CNN, and the perturbations are constructed iteratively in the original image $x$ with the following formula:

where $x{{}^{\prime}_{i}}$ is an adversarial example generated in the $i$-th iteration. $r_{j}$ represents the j-th predicted bounding box, and the total number of bounding boxes is $m$. ${y^{\prime}_{t}}$ is the label of the non-sensitive class and ${y^{\prime}_{t}}\in{Y^{\prime}}$. $y^{\prime}_{t}$ is not a fixed class label and is sequentially selected from the set ${Y^{\prime}}$ in each iteration. $F$ represents the classification network of Faster R-CNN, and $L$ is the loss function that computes the difference between the output $F(x{{}^{\prime}_{i}})$ of the classification network and the non-sensitive class label $y^{\prime}_{t}$.

In each iteration, we sequentially select the non-sensitive class ${y^{\prime}_{t}}$ from the set ${Y^{\prime}}$. Then, we construct the adversarial perturbation with formula (2) and utilize the constraint $||x{{}^{\prime}_{i}}-x{{}^{\prime}_{i-1}}||<\varepsilon$ to make the perturbation visually invisible, where $\varepsilon$ restricts the intensity of the generated perturbations. After the adversarial example $x{{}^{\prime}_{i}}$ for the $i$-th iteration is generated, the classification network $F$ is used to predict the classes of objects for all the bounding boxes ${r_{1}},{r_{2}},...,{r_{m}}$. Subsequently, the scores ${S}$ of each class for all the bounding boxes ${r_{1}},{r_{2}},...,{r_{m}}$ will be obtained. $S$ can be considered as a matrix as follows:

where $s_{ij}$ is the score of class $j$ for the $i$-th bounding box ($i=1,2,...,m$, $j=1,2,...,K$). The maximum score ${s_{max}}$ is then calculated, where ${s_{max}}$ represents the maximum score of all classes for all the bounding boxes ${r_{1}},{r_{2}},...,{r_{m}}$ in the generated adversarial example $x{{}^{\prime}_{i}}$. We denote the maximum number of iterations as $I$. The iteration process is terminated when the iteration number reaches $I$ or ${s_{max}}$ is lower than the threshold, which means that there is no bounding box that can be detected by Faster R-CNN.

Here, we explain the reason why the above algorithm can cause all objects in the generated adversarial example invisible. For sensitive classes in an image, adding perturbation with Equation (2) can change the classification boundary of sensitive classes and reduce the scores of them. Thus, the scores of sensitive objects are below the detection threshold. For non-sensitive classes, the multi-classes perturbing method restraints the increase of non-sensitive objects’ scores with insufficient iterations. As a result, the scores of non-sensitive objects are also below the detection threshold. As a result, the score of each class for any bounding boxes will be lower than the threshold, which makes Faster R-CNN discard all the bounding boxes and detect nothing in the adversarial social image.

In this section, we describe another method (denoted as $M_{sen}$) of generating adversarial examples which can protect the customized sensitive objects in the social images. In a social photo, some objects are usually sensitive and private, such as: (i) Person. The person in a social photo may involve users’ personal information. For example, a common V-shaped gesture photo may contain the fingerprint information of an user. (ii) Commercialized objects. Some commercial objects (such as handbags, sports balls, and books) may reveal users’ interests. The leakage of these commercialized objects may bring unnecessary advertising to users. To avoid the disclosure of the sensitive objects in the shared social photos, the proposed method can also provide users with privacy settings, where users can customize the sensitive objects that he wants to protect and the specific class $y_{non}$ that he wants the sensitive objects to be misclassified as. The proposed method can achieve this purpose by iteratively constructing perturbations on social images with the following formula:

The perturbation is iteratively constructed until that, for every bounding box, the scores of the customized sensitive objects are lower than the threshold. $M_{sen}$ can cause the score of the class $y_{non}$ to be higher than the threshold, which will make Faster R-CNN classify the customized sensitive objects as the class $y_{non}$. As a result, Faster R-CNN cannot detect the customized sensitive object and will present the bounding boxes with wrong class (the non-sensitive class $y_{non}$).

We denote the method introduced in Section 3.3 as $M_{all}$, and the method in this section as $M_{sen}$. We use $AE_{all}$ and $AE_{sen}$ to represent the adversarial examples generated by $M_{all}$ and $M_{sen}$, respectively. The difference between the workflows of $M_{all}$ and $M_{sen}$ is shown in Fig. 2. $M_{all}$ performs pre-detection on the original social image to obtain the non-sensitive classes and utilizes multiple non-sensitive classes to generate adversarial example, while $M_{sen}$ does not perform pre-detection and utilizes a fixed non-sensitive class $y_{non}$ to generate adversarial example.

In a word, this paper provides two adversarial example based method ($M_{all}$ and $M_{sen}$) to protect the privacy of social photos. $M_{all}$ hides all objects in a social image from being detected by Faster R-CNN, while $M_{sen}$ is used to protect the sensitive objects customized by the users.

In our experiments, we evaluate the performance of the proposed method on the Faster R-CNN [12] Inception v2 [32] model. The model has been pre-trained on the Microsoft Common Objects in Context (MS-COCO) dataset [13] with Tensorflow [33] platform. We conduct the experiment on MS-COCO dataset [13] and PASCAL VOC 2007 dataset [14]. The MS-COCO dataset has more than 200,000 images for object detection. It contains 80 object categories including people, vehicles, animals, sports goods, and other common items [13]. The PASCAL VOC 2007 dataset [14] has 20 categories, most of which are the same as the categories in MS-COCO dataset. We randomly select 1,000 images from MS-COCO dataset [13], and 1,000 images from PASCAL VOC 2007 dataset [14], respectively, to evaluate the proposed method.

We use two metrics, named privacy-preserving success rate and privacy leakage rate, to evaluate the proposed method on protecting the privacy of social images. As mentioned in Section 3.3 and Section 3.4, the proposed social privacy-preserving method can generate two kinds of adversarial examples. As discussed in Section 3.4, we use $AE_{all}$ to represent the adversarial examples that aim to make all objects invisible, and $AE_{sen}$ to represent the adversarial examples that aim to hide the customized sensitive object. The privacy-preserving success rate ($R_{all}$) for adversarial examples $AE_{all}$ can be formalized as:

where $N_{all}$ is the number of adversarial social images $AE_{all}$ in which Faster R-CNN cannot present any bounding boxes. $N$ is the number of all the adversarial social images. The privacy-preserving success rate ($R_{sen}$) for adversarial examples $AE_{sen}$ can be formalized as:

where $N_{sen}$ is the number of adversarial examples $AE_{sen}$ in which Faster R-CNN classifies the customized sensitive class incorrectly.

To further explore the effectiveness of the proposed method on preventing the privacy leakage, we use a metric named privacy leakage rate. The privacy leakage rate represents how many sensitive contents are detected by Faster R-CNN in social images. The privacy leakage rate $P_{all}$ for the adversarial social images that aim to hide all the objects ($AE_{all}$) can be calculated as follows:

where $A$ is the number of bounding boxes that are detected in all the adversarial social images $AE_{all}$, including the correct and incorrect detection results. $O$ is the number of bounding boxes that are detected in all the original social images, including the correct and incorrect detection results. The privacy leakage rate $P_{sen}$ for the adversarial social images that aim to hide the customized sensitive objects ($AE_{sen}$) can be expressed as:

where $A_{sen}$ is the number of bounding boxes of the customized sensitive classes that are correctly detected in the adversarial social images $AE_{sen}$. $O_{sen}$ is the number of bounding boxes of customized sensitive classes that are correctly detected in the original social images.

In this section, we use the privacy-preserving success rate to evaluate the proposed method. Fig. 3 shows four examples to illustrate the effectiveness of the proposed method. The four examples consist of the original images, the detection results of the original images, the detection results of adversarial examples $AE_{all}$, and the detection results of adversarial examples $AE_{sen}$, respectively. Faster R-CNN can easily recognize all the sensitive objects if the shared images are unprocessed, as shown in Fig. 3 and Fig. 3. Specifically, all the persons are accurately detected in Fig. 3. However, Faster R-CNN detects nothing in the adversarial examples $AE_{all}$, as shown in Fig. 3. Meanwhile, it is hard for humans to observe the differences between adversarial examples $AE_{all}$ and the original images. In Fig. 3, all the persons in adversarial examples $AE_{sen}$ are misclassified as other objects. The above results indicate that, the proposed method can protect the social privacy effectively without affecting the visual effect of social images.

The privacy-preserving success rates of the proposed method are shown in TABLE 1. In the experiment, we select 1,000 images in each dataset and test the privacy-preserving success rates for the adversarial social image $AE_{all}$ and $AE_{sen}$, respectively. The success rates of $AE_{all}$ on MS-COCO and PASCAL VOC 2007 datasets are 96.1% and 99.3%, respectively. The success rates of $AE_{sen}$ on the two datasets are 96.5% and 99.4%, respectively. The privacy-preserving success rates of $AE_{all}$ and $AE_{sen}$ are very close and both reach a very high level. The results indicate that the proposed method performs well on protecting the privacy of social photos.

In this section, we use privacy leakage rate to evaluate the proposed method. We calculate the privacy leakage rates for $AE_{all}$ and $AE_{sen}$ on MS-COCO and PASCAL VOC 2007 datasets, respectively. As shown in TABLE 2, the privacy leakage rates for adversarial social images $AE_{all}$ on the two datasets are 0.57% and 0.07%, respectively, and the privacy leakage rates for adversarial social images $AE_{sen}$ on the two datasets are 2.23% and 0.18%, respectively. The privacy leakage rates of $AE_{all}$ and $AE_{sen}$ both reach a very low level. The results indicate that, our method can protect the sensitive objects from being detected by Faster R-CNN.

Considering that our method may have different privacy protection effects for different sensitive objects, we select 9 different sensitive objects and calculate the privacy leakage rates of these objects, respectively. The 9 classes are person, elephant, airplane, laptop, traffic light, book, sports ball, parking meter, and cell phone. In the experiment, we select 300 images from MS-COCO dataset [13] for each class. Fig. 4 shows the privacy leakage rates of the nine sensitive objects in the adversarial social images $AE_{sen}$. The result indicates that, the proposed method can effectively prevent the privacy information in the social image from being detected. The privacy leakage rates of the nine sensitive classes are all in a very low level (lower than 2%). Moreover, the privacy leakage rate of the elephant class is as low as 0.26%.

In the proposed method, there are two parameters that may affect the performance: the perturbation constraint $\varepsilon$ and the detection threshold $T$. The perturbation constraint $\varepsilon$ constrains the intensity of the perturbation, which makes the difference between the original image and the adversarial example difficult to be noticed. The detection threshold $T$ determines the number of bounding boxes that are presented by Faster R-CNN.

We set the values of the perturbation constraint $\varepsilon$ to be $1/255$$\sim$$10/255$ because these values of $\varepsilon$ are small enough and can make the generated perturbations difficult to be noticed. The privacy-preserving success rate ${R}_{sen}$ and the privacy leakage rate ${P}_{sen}$ of adversarial social images $AE_{sen}$ under different $\varepsilon$ settings are shown in Fig. 5. It can be seen that when $\varepsilon<3/255$, both the privacy-preserving success rate ${R}_{sen}$ and the privacy leakage rate ${P}_{sen}$ change drastically as $\varepsilon$ increases, and ${R}_{sen}$ and ${P}_{sen}$ tend to stabilize when $\varepsilon>3/255$. Moreover, when $\varepsilon=3/255$, the value of ${R}_{sen}$ already reaches a high level (96.5%) and the value of ${P}_{sen}$ is only 2.52%. Note that, the larger the value of $\varepsilon$ is, the larger the perturbation strength to an image. A large perturbation strength may affect the visual quality of the perturbed image. Therefore, $\varepsilon=3/255$ has the optimal performance when considering the trade-off between privacy preserving effect and perturbation strength.

We also study the relationship between $\varepsilon$ and the image quality. Structural Similarity (SSIM) [34] and Peak Signal to Noise Ratio (PSNR) are two quantitative metrics to reflect the visual quality of the processed images. PSNR describes the pixel level difference between two images, while SSIM [34] shows structural changes of a processed image. The higher the value of PSNR and SSIM [34], the more similar between the original image and the modified image. Fig. 6 presents the PSNR and SSIM of the modified images $AE_{sen}$ under different settings of perturbation constraint $\varepsilon$. Both PSNR and SSIM show downward trends with the increase of $\varepsilon$. In other words, the smaller the value of $\varepsilon$, the better the visual quality of the image. Therefore, the value of $\varepsilon$ should be as small as possible to maintain a good visual quality for the adversarial example. In conclusion, $\varepsilon=3/255$ is supposed to be the optimal one when considering the trade-off between image quality and privacy leakage rate.

We further explore the impact of the detection threshold $T$ on the privacy-preserving success rate and privacy leakage rate. The privacy-preserving success rates of $AE_{all}$ and $AE_{sen}$ under different $T$ are shown in Fig. 7. It can be seen that the success rate of $AE_{all}$ increases rapidly as $T$ increases when $T$ is in $[0.2,0.3]$, and the success rate of $AE_{sen}$ is always in a high level. When $T$ reaches $0.3$, the privacy-preserving success rates for $AE_{all}$ and $AE_{sen}$ are 96.1% and 96.5%, respectively. When $T=0.4$, the privacy-preserving success rates for $AE_{all}$ and $AE_{sen}$ are 99.5% and 99.6%, respectively. Generally, for most object detectors, the detection threshold is set to be higher than $0.5$ in order to achieve high detection accuracy. This indicates that, the proposed method has a good performance in terms of privacy preserving when detection threshold $T$ is set to be greater or equal to $0.3$.

In addition, we also calculate the privacy leakage rate of the proposed method under different settings of the detection threshold $T$, as shown in TABLE 3. It is shown that the privacy leakage rate decreases with the increase of $T$. When $T=0.4$, the privacy leakage rates of $AE_{all}$ and $AE_{sen}$ are 0.06% and 0.42%, respectively, which indicate that the proposed method has a good performance in preventing privacy leakage. Generally, for most object detectors, the detection threshold is set to be higher than 0.5 in order to achieve high detection accuracy. The result indicates that, the proposed method can effectively reduce the scores of most bounding boxes to below 0.3, which will lead these bounding boxes to be discarded.

In this section, we compare the proposed method with the traditional image processing methods. The traditional image processing methods includes low brightness, noise, mosaic, blur, and JPEG (Joint Photographic Experts Group) compression [9, 8].

We select 500 images from MS-COCO dataset to conduct the experiment. Fig. 8 shows an example image processed by different methods and the detection results. As shown in Fig. 8(a), if the image is unprocessed, Faster R-CNN is able to accurately identify all the objects. As shown in Fig. 8(b), although low-brightness method seriously degrades the visual quality of the social image, Faster R-CNN can still identify all the objects correctly. As shown in Fig. 8(c)$\sim$Fig. 8(f), the persons are all correctly detected in the images processed by blur, mosaic, noise and JPEG compression method, which indicate that these methods are all ineffective to protect the sensitive objects. As shown in Fig. 8(g) and Fig. 8(h), Faster R-CNN detects nothing in $AE_{all}$ and recognizes person as dining table in $AE_{sen}$, which indicate that the proposed adversarial example based method can successfully deceive Faster R-CNN. The reason why the proposed method can resist the detection is that, the feature of a bounding box extracted by Faster R-CNN can be considered as a point in the hyperplane. The proposed method can change the position of the feature point and makes it cross the classification boundary, which will cause the bounding box to be misclassified or be discarded [8].

TABLE 4 presents the comparison between the proposed method and the above five image processing methods (low brightness, noise, mosaic, blur, and JPEG compression [9, 8]) in terms of privacy-preserving success rate, privacy leakage rate, PSNR, and SSIM. The results indicate that the proposed method can effectively protect the privacy of social images as the privacy-preserving success rates of $AE_{all}$ and $AE_{sen}$ are 96.2% and 96.6%, respectively, and the privacy leakage rates of $AE_{all}$ and $AE_{sen}$ are 0.54% and 2.20%, respectively. The five traditional image processing methods all fail to protect the social privacy as the privacy-preserving success rates of the five methods are all lower than 5.4%. Compared with the five traditional image processing methods, the proposed method has almost no influence on the visual quality of social images as the values of PSNR and SSIM of the proposed method are significantly higher than that of the five traditional image processing methods. Especially, the values of PSNR and SSIM of the proposed $AE_{sen}$ are 46.91 and 0.992, which are much higher than that of other methods.