TL;DR
This paper introduces a novel adversarial attack that protects the privacy of visual content and remains effective against unseen classifiers and common defenses, outperforming existing attacks.
Contribution
The authors propose an iterative, randomized adversarial attack based on FGSM that generalizes to unseen classifiers and defenses, improving privacy protection.
Findings
Outperforms eleven state-of-the-art attacks in both targeted and untargeted settings.
Effective against unseen classifiers like ResNet, AlexNet, DenseNet.
Robust against defenses such as re-quantization, median filtering, JPEG compression.
Abstract
Adversarial perturbations can be added to images to protect their content from unwanted inferences. These perturbations may, however, be ineffective against classifiers that were not seen during the generation of the perturbation, or against defenses based on re-quantization, median filtering or JPEG compression. To address these limitations, we present an adversarial attack that is specifically designed to protect visual content against unseen classifiers and known defenses. We craft perturbations using an iterative process that is based on the Fast Gradient Signed Method and that randomly selects a classifier and a defense, at each iteration. This randomization prevents an undesirable overfitting to a specific classifier or defense. We validate the proposed attack in both targeted and untargeted settings on the private classes of the Places365-Standard dataset. Using…
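A toy sketch of the loop the abstract describes, added here as an illustration; it is not the authors' implementation. The 8-pixel 1-D "image", the linear classifiers, the step sizes and the way gradients pass through each defense are all assumptions, and JPEG compression is left out.

```python
import random

def identity(x):
    return list(x)

def requantize(x, levels=8):
    # Re-quantization defense: snap each pixel in [0, 1] to one of `levels` values.
    return [round(v * (levels - 1)) / (levels - 1) for v in x]

def median_idx(x):
    # For each 3-wide window (edges replicated): index of the pixel that is the median.
    n = len(x)
    return [sorted((max(i - 1, 0), i, min(i + 1, n - 1)), key=lambda j: x[j])[1]
            for i in range(n)]

def median3(x):
    # Median-filtering defense.
    return [x[j] for j in median_idx(x)]

def score(w, x):
    # Logit of the "private" class for a linear classifier with weights w.
    return sum(wi * xi for wi, xi in zip(w, x))

def grad(w, defense, x):
    # Gradient of score(w, defense(x)) with respect to x.
    # Median filter: exact subgradient, routed to the pixel that supplied each median.
    # Identity and re-quantization: straight-through approximation (assumption).
    g = [0.0] * len(x)
    src = median_idx(x) if defense is median3 else range(len(x))
    for i, j in enumerate(src):
        g[j] += w[i]
    return g

def randomized_fgsm(x0, classifiers, defenses, eps=0.1, alpha=0.02, steps=20, seed=0):
    rng, x = random.Random(seed), list(x0)
    for _ in range(steps):
        # A fresh (classifier, defense) pair every iteration avoids fitting one pair.
        w, d = rng.choice(classifiers), rng.choice(defenses)
        for i, gi in enumerate(grad(w, d, x)):
            step = x[i] - alpha * ((gi > 0) - (gi < 0))  # untargeted: lower the logit
            # Project back into the eps-ball around x0 and the valid pixel range.
            x[i] = min(max(step, x0[i] - eps, 0.0), x0[i] + eps, 1.0)
    return x

# Constructed data: one "image", two seen classifiers, one held-out classifier.
X0 = [0.62, 0.35, 0.80, 0.44, 0.71, 0.53, 0.90, 0.38]
SEEN = [[0.9, 0.2, 0.5, 0.7, 0.1, 0.6, 0.3, 0.8], [0.3, 0.8, 0.6, 0.2, 0.9, 0.4, 0.7, 0.5]]
UNSEEN = [0.5, 0.5, 0.4, 0.9, 0.3, 0.7, 0.6, 0.2]
DEFENSES = [identity, requantize, median3]
X_ADV = randomized_fgsm(X0, SEEN, DEFENSES)
```

Comparing `score(UNSEEN, d(X_ADV))` with `score(UNSEEN, d(X0))` for each `d` in `DEFENSES` shows how the perturbation carries over to a classifier that was never sampled during generation.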
