CycleGAN, a Master of Steganography
This exposes a security flaw in a widely used image translation model, which is incremental but important for adversarial robustness.
The paper reveals that CycleGAN learns to hide source image information in generated images via high-frequency signals to meet cyclic consistency, and shows this makes the model vulnerable to adversarial attacks.
CycleGAN (Zhu et al. 2017) is one recent successful approach to learn a transformation between two image distributions. In a series of experiments, we demonstrate an intriguing property of the model: CycleGAN learns to "hide" information about a source image into the images it generates in a nearly imperceptible, high-frequency signal. This trick ensures that the generator can recover the original sample and thus satisfy the cyclic consistency requirement, while the generated image remains realistic. We connect this phenomenon with adversarial attacks by viewing CycleGAN's training procedure as training a generator of adversarial examples and demonstrate that the cyclic consistency loss causes CycleGAN to be especially vulnerable to adversarial attacks.