Exploiting Type I Adversarial Examples to Hide Data Information: A New Privacy-Preserving Approach

Gao, S; Wang, X; Song, B; Liu, R; Yao, S; Zhou, W; Yu, S

Exploiting Type I Adversarial Examples to Hide Data Information: A New Privacy-Preserving Approach

Gao, S Wang, X Song, B Liu, R Yao, S Zhou, W Yu, S

Permalink

Publisher:: IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
Publication Type:: Journal Article
Citation:: IEEE Transactions on Emerging Topics in Computational Intelligence, 2024, 8, (3), pp. 2518-2528
Issue Date:: 2024-06-01

Closed Access

	Filename	Description	Size
	1716102.pdf	Published version	4.24 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Gao, S
dc.contributor.author	Wang, X
dc.contributor.author	Song, B
dc.contributor.author	Liu, R
dc.contributor.author	Yao, S
dc.contributor.author	Zhou, W
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.date.accessioned	2024-08-07T05:06:41Z
dc.date.available	2024-08-07T05:06:41Z
dc.date.issued	2024-06-01
dc.identifier.citation	IEEE Transactions on Emerging Topics in Computational Intelligence, 2024, 8, (3), pp. 2518-2528
dc.identifier.issn	2471-285X
dc.identifier.issn	2471-285X
dc.identifier.uri	http://hdl.handle.net/10453/180271
dc.description.abstract	Deep neural networks (DNNs) are sensitive to adversarial examples which are generated by corrupting benign examples with imperceptible perturbations, or have significant changes but can still achieve original prediction results. The latter case is termed as the Type I adversarial example which, however, has limited attention in the literature. In this paper, we introduce two methods, termed HRG and GAG, to generate Type I adversarial examples and attempt to apply them to the privacy-preserving Machine Learning as a Service (MLaaS). Existing methods for the privacy-preserving MLaaS are mostly based on cryptographic techniques, which often incur additional communication and computation overhead, while using Type I adversarial examples to hide users' privacy data is a brand-new exploration. Specifically, HRG utilizes the high-level representations of DNNs to guide generators, and GAG leverages the generative adversarial network to transform original images. Our solution does not involve any model modifications and allows DNNs to run directly on transformed data, thus arousing no additional communication and computation overhead. Extensive experiments on MNIST, CIFAR-10, and ImageNet show that HRG can perfectly hide images into noise and achieve similar accuracy as the original accuracy, and GAG can generate natural images that are completely different from the original images with a small loss of accuracy.
dc.language	English
dc.publisher	IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
dc.relation.ispartof	IEEE Transactions on Emerging Topics in Computational Intelligence
dc.relation.isbasedon	10.1109/TETCI.2024.3367812
dc.rights	info:eu-repo/semantics/closedAccess
dc.subject.classification	4603 Computer vision and multimedia computation
dc.subject.classification	4611 Machine learning
dc.title	Exploiting Type I Adversarial Examples to Hide Data Information: A New Privacy-Preserving Approach
dc.type	Journal Article
utslib.citation.volume	8
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
pubs.organisational-group	University of Technology Sydney/Strength - CCSP - Centre for Cyber Security and Privacy
utslib.copyright.status	closed_access	*
dc.date.updated	2024-08-07T05:06:34Z
pubs.issue	3
pubs.publication-status	Published
pubs.volume	8
utslib.citation.issue	3

Abstract:

Deep neural networks (DNNs) are sensitive to adversarial examples which are generated by corrupting benign examples with imperceptible perturbations, or have significant changes but can still achieve original prediction results. The latter case is termed as the Type I adversarial example which, however, has limited attention in the literature. In this paper, we introduce two methods, termed HRG and GAG, to generate Type I adversarial examples and attempt to apply them to the privacy-preserving Machine Learning as a Service (MLaaS). Existing methods for the privacy-preserving MLaaS are mostly based on cryptographic techniques, which often incur additional communication and computation overhead, while using Type I adversarial examples to hide users' privacy data is a brand-new exploration. Specifically, HRG utilizes the high-level representations of DNNs to guide generators, and GAG leverages the generative adversarial network to transform original images. Our solution does not involve any model modifications and allows DNNs to run directly on transformed data, thus arousing no additional communication and computation overhead. Extensive experiments on MNIST, CIFAR-10, and ImageNet show that HRG can perfectly hide images into noise and achieve similar accuracy as the original accuracy, and GAG can generate natural images that are completely different from the original images with a small loss of accuracy.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/180271