
Reversible Adversarial Perturbation Towards Privacy Protection

Posted on: 2024-08-21
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Chen
GTID: 2568307079961389
Subject: Mathematics
Abstract/Summary:
The widespread use of deep neural networks in natural language processing, computer vision and speech recognition has profoundly changed production and daily life, and has also raised new challenges for ethics and social governance. With the growth of online social networks and advances in communication technology, large numbers of personal photos are uploaded to the Internet. These photos may contain sensitive information such as identity, biometrics and health status, and if they are not properly protected, personal privacy may leak. Reversible adversarial attacks were proposed to address this problem. On the one hand, like a conventional adversarial attack, a reversible adversarial attack adds a subtle perturbation, imperceptible to humans, that causes the target model to misclassify the image, so that private information in the image cannot be extracted and exploited; on the other hand, the adversarial example is reversible, so the original image can be losslessly restored from it. Reversible adversarial attacks thus offer one answer to the privacy and security problems raised by the development of artificial intelligence.

This thesis studies the generation of reversible adversarial perturbations and proposes a reversible adversarial attack based on histogram shifting. Building on the histogram-shifting reversible data hiding algorithm, it proposes a reversible method that shifts the histogram and selects the embedding pixels according to the magnitude of the perturbation coefficients. The method adds an adversarial perturbation to the selected pixels under an L-infinity norm constraint and restores the original image losslessly without auxiliary information. Experiments on the ImageNet and CIFAR-10 datasets verify that the reversible method preserves the visual quality of the image after the perturbation is embedded, and that the added perturbation is hard to notice.

To generate the adversarial perturbation, the thesis casts the task as an optimization problem, so that a suitable perturbation is added to each embedding pixel and the resulting adversarial example causes the target network to misclassify. During optimization the probability vector is sampled with the Gumbel-softmax reparameterization trick, which relaxes the discrete random variable to a continuous one. After the objective function is set and the algorithm framework is formulated, the optimization problem is solved by an iterative method. In the experiments, carried out on ImageNet and CIFAR-10, the generated adversarial examples are verified to attack deep neural networks such as VGG19 and ResNet50 effectively. Verification experiments on the LFW face dataset show that the proposed method successfully interferes with the high-performance face recognition system FaceNet.
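The following is an added example, not code from the thesis. It shows the two building blocks the abstract names, in their classic textbook form: histogram-shifting reversible data hiding (a peak bin and an empty "zero" bin, pixels between them shifted by one, each peak pixel carrying one bit) used to place a +1 perturbation on selected pixels under an L-infinity bound of 1, and a Gumbel-softmax relaxation of the per-pixel "perturb or not" choice that an optimizer could differentiate through. Note one difference from the thesis's claim: the classic scheme shown here needs the (peak, zero) pair as side information to restore the image, whereas the thesis reports restoration without auxiliary information. The 8x8 sample image and the per-pixel logits are constructed for the example; the thesis's objective function and optimizer are not reproduced.

```python
# Added example (not the thesis's code): classic histogram-shifting RDH carrying a
# +1 perturbation, with a Gumbel-softmax choice of which selected pixels get it.
import math
import random


def histogram(img):
    """256-bin histogram of an 8-bit grayscale image given as a list of rows."""
    h = [0] * 256
    for row in img:
        for v in row:
            h[v] += 1
    return h


def choose_peak_zero(img):
    """Most populated bin (peak) and the nearest empty bin above it (zero).
    Assumption: an empty bin above the peak exists, as the classic scheme needs."""
    h = histogram(img)
    peak = max(range(256), key=h.__getitem__)
    zero = next(v for v in range(peak + 1, 256) if h[v] == 0)
    return peak, zero


def gumbel_softmax_bits(logits, tau, rng):
    """Gumbel-softmax reparameterisation of a 2-way categorical per pixel.
    logits: one (log p_keep, log p_plus) pair per embeddable pixel (assumed to come
    from an attack optimiser). Returns the relaxed probability of "+1" (what an
    optimiser differentiates through) and the hard 0/1 decision that is embedded."""
    soft, hard = [], []
    for l0, l1 in logits:
        # Gumbel(0,1) noise is -log(-log(u)); keep u strictly inside (0,1).
        u0 = min(max(rng.random(), 1e-12), 1 - 1e-12)
        u1 = min(max(rng.random(), 1e-12), 1 - 1e-12)
        z0 = (l0 - math.log(-math.log(u0))) / tau
        z1 = (l1 - math.log(-math.log(u1))) / tau
        m = max(z0, z1)                      # numerically stable softmax
        e0, e1 = math.exp(z0 - m), math.exp(z1 - m)
        p1 = e1 / (e0 + e1)
        soft.append(p1)
        hard.append(1 if p1 > 0.5 else 0)
    return soft, hard


def embed(img, bits, peak, zero):
    """Histogram shifting: pixels in (peak, zero) move up by 1, emptying bin peak+1;
    each peak pixel then carries one bit (0: unchanged, 1: +1).
    Capacity is the peak count; every modified pixel changes by exactly 1."""
    out = [row[:] for row in img]
    it = iter(bits)
    for row in out:
        for j, v in enumerate(row):
            if peak < v < zero:
                row[j] = v + 1
            elif v == peak:
                row[j] = v + next(it, 0)     # unused capacity reads back as bit 0
    return out


def recover(stego, peak, zero):
    """Inverse of embed: reads the bits and undoes the shift, pixel by pixel."""
    img = [row[:] for row in stego]
    bits = []
    for row in img:
        for j, v in enumerate(row):
            if v == peak:
                bits.append(0)
            elif v == peak + 1:              # only a peak pixel with bit 1 lands here
                bits.append(1)
                row[j] = peak
            elif peak + 1 < v <= zero:
                row[j] = v - 1
    return bits, img


def linf(a, b):
    """L-infinity distance between two images."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def demo(seed=7):
    rng = random.Random(seed)
    # Constructed 8x8 sample: 45 pixels at the peak value 100, the rest in 98..102.
    img = [[100 if (i + j) % 3 else 98 + (i * j) % 5 for j in range(8)] for i in range(8)]
    peak, zero = choose_peak_zero(img)
    capacity = histogram(img)[peak]
    # Assumed logits favouring "+1" on every embeddable pixel (stand-in for an optimiser).
    soft, bits = gumbel_softmax_bits([(0.0, 1.0)] * capacity, tau=0.5, rng=rng)
    stego = embed(img, bits, peak, zero)
    got, restored = recover(stego, peak, zero)
    return {"peak": peak, "zero": zero, "capacity": capacity, "bits": bits,
            "got": got, "soft": soft, "img": img, "stego": stego,
            "restored": restored, "linf": linf(img, stego)}
```

Running `demo()` on the constructed image gives peak 100, zero 103 and a capacity of 45 bits; the stego image differs from the original by at most 1 in every pixel, `recover` returns exactly the embedded bits, and the restored image equals the original. The hard decision in `gumbel_softmax_bits` is the argmax of the perturbed logits and so does not depend on `tau`; `tau` only controls how close the relaxed probability sits to 0 or 1, which is what matters when the choice is optimized by gradient.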
Keywords/Search Tags: Reversible Adversarial Examples, Privacy Protection, Reversible Data Hiding, Robustness