A Comparative Study of Image Disguising Methods for Confidential Outsourced Learning

TL;DR

This paper compares image disguising techniques like DisguisedNets and InstaHide to protect data privacy in outsourced deep learning, analyzing their security, utility, and cost trade-offs through extensive experiments.

Contribution

It introduces and evaluates novel image disguising mechanisms, combining multiple transformations to improve privacy protection while maintaining model utility.

Findings

RMT offers better security under Level-1 threat with preserved model quality.

AES provides higher security under Level-2 threat but may impact model performance.

DisguisedNets effectively protect models from model-targeted attacks.

Abstract

Large training data and expensive model tweaking are standard features of deep learning for images. As a result, data owners often utilize cloud resources to develop large-scale complex models, which raises privacy concerns. Existing solutions are either too expensive to be practical or do not sufficiently protect the confidentiality of data and models. In this paper, we study and compare novel \emph{image disguising} mechanisms, DisguisedNets and InstaHide, aiming to achieve a better trade-off among the level of protection for outsourced DNN model training, the expenses, and the utility of data. DisguisedNets are novel combinations of image blocktization, block-level random permutation, and two block-level secure transformations: random multidimensional projection (RMT) and AES pixel-level encryption (AES). InstaHide is an image mixup and random pixel flipping technique \cite{huang20}. We have analyzed and evaluated them under a multi-level threat model. RMT provides a better security guarantee than InstaHide, under the Level-1 adversarial knowledge with well-preserved model quality. In contrast, AES provides a security guarantee under the Level-2 adversarial knowledge, but it may affect model quality more. The unique features of image disguising also help us to protect models from model-targeted attacks. We have done an extensive experimental evaluation to understand how these methods work in different settings for different datasets.