Minimum Noticeable Difference based Adversarial Privacy Preserving Image Generation

TL;DR

This paper introduces a novel framework for generating high-quality adversarial images that minimally differ perceptually from original images while effectively attacking deep learning models, enhancing privacy preservation.

Contribution

It proposes the first quality-preserving adversarial image generation method based on the Minimum Noticeable Difference concept, balancing attack success and perceptual quality.

Findings

Improved PSNR, SSIM, and MOS metrics compared to baseline methods.

Effective in attacking models for image classification and face recognition.

Maintains high perceptual quality of adversarial images.

Abstract

Deep learning models are found to be vulnerable to adversarial examples, as wrong predictions can be caused by small perturbation in input for deep learning models. Most of the existing works of adversarial image generation try to achieve attacks for most models, while few of them make efforts on guaranteeing the perceptual quality of the adversarial examples. High quality adversarial examples matter for many applications, especially for the privacy preserving. In this work, we develop a framework based on the Minimum Noticeable Difference (MND) concept to generate adversarial privacy preserving images that have minimum perceptual difference from the clean ones but are able to attack deep learning models. To achieve this, an adversarial loss is firstly proposed to make the deep learning models attacked by the adversarial images successfully. Then, a perceptual quality-preserving loss is developed by taking the magnitude of perturbation and perturbation-caused structural and gradient changes into account, which aims to preserve high perceptual quality for adversarial image generation. To the best of our knowledge, this is the first work on exploring quality-preserving adversarial image generation based on the MND concept for privacy preserving. To evaluate its performance in terms of perceptual quality, the deep models on image classification and face recognition are tested with the proposed method and several anchor methods in this work. Extensive experimental results demonstrate that the proposed MND framework is capable of generating adversarial images with remarkably improved performance metrics (e.g., PSNR, SSIM, and MOS) than that generated with the anchor methods.