Rethinking Adversarial Examples for Location Privacy Protection

TL;DR

This paper proposes a novel adversarial example technique called MM-PGD for protecting location privacy by confusing landmark recognition systems, utilizing region analysis and two region identification strategies to minimize image manipulation.

Contribution

Introduces mask-guided multimodal projected gradient descent (MM-PGD), a new method for location privacy protection against landmark recognition systems using deep model analysis.

Findings

Effective in defending against black-box landmark recognition systems

Utilizes region analysis to minimize image manipulation

Two strategies: class activation map-based and human-vision-based

Abstract

We have investigated a new application of adversarial examples, namely location privacy protection against landmark recognition systems. We introduce mask-guided multimodal projected gradient descent (MM-PGD), in which adversarial examples are trained on different deep models. Image contents are protected by analyzing the properties of regions to identify the ones most suitable for blending in adversarial examples. We investigated two region identification strategies: class activation map-based MM-PGD, in which the internal behaviors of trained deep models are targeted; and human-vision-based MM-PGD, in which regions that attract less human attention are targeted. Experiments on the Places365 dataset demonstrated that these strategies are potentially effective in defending against black-box landmark recognition systems without the need for much image manipulation.