Exploiting vulnerabilities of deep neural networks for privacy protection
This work addresses privacy protection for visual content against machine learning inference, but it is incremental as it builds on existing adversarial attack methods.
The paper tackles the problem of adversarial perturbations being ineffective against unseen classifiers and defenses by proposing a randomized iterative attack based on FGSM, which outperforms eleven state-of-the-art attacks on the Places365-Standard dataset using multiple classifiers like ResNet18 and ResNet50.
Adversarial perturbations can be added to images to protect their content from unwanted inferences. These perturbations may, however, be ineffective against classifiers that were not {seen} during the generation of the perturbation, or against defenses {based on re-quantization, median filtering or JPEG compression. To address these limitations, we present an adversarial attack {that is} specifically designed to protect visual content against { unseen} classifiers and known defenses. We craft perturbations using an iterative process that is based on the Fast Gradient Signed Method and {that} randomly selects a classifier and a defense, at each iteration}. This randomization prevents an undesirable overfitting to a specific classifier or defense. We validate the proposed attack in both targeted and untargeted settings on the private classes of the Places365-Standard dataset. Using ResNet18, ResNet50, AlexNet and DenseNet161 {as classifiers}, the performance of the proposed attack exceeds that of eleven state-of-the-art attacks. The implementation is available at https://github.com/smartcameras/RP-FGSM/.