=Paper=
{{Paper
|id=Vol-2670/MediaEval_19_paper_11
|storemode=property
|title=MediaEval 2019: Concealed FGSM Perturbations for Privacy Preservation
|pdfUrl=https://ceur-ws.org/Vol-2670/MediaEval_19_paper_11.pdf
|volume=Vol-2670
|authors=Panagiotis Linardos,Suzanne Little,Kevin McGuinness
|dblpUrl=https://dblp.org/rec/conf/mediaeval/LinardosLM19
}}
==MediaEval 2019: Concealed FGSM Perturbations for Privacy Preservation==
https://ceur-ws.org/Vol-2670/MediaEval_19_paper_11.pdf
MediaEval 2019: Concealed FGSM Perturbations for Privacy
Preservation
Panagiotis Linardos, Suzanne Little, Kevin McGuinness
Dublin City University
linardos.akis@gmail.com
ABSTRACT
This work tackles the Pixel Privacy task put forth by MediaEval
2019. Our goal is to manipulate images in a way that conceals them
from automatic scene classifiers while preserving the original image
quality. We use the fast gradient sign method, which normally has
a corrupting influence on image appeal, and devise two methods
to minimize the damage. The first approach uses a map of pixel
locations that are either salient or flat, and directs perturbations (a) Original Image (b) Sobel Map
away from them. The second approach subtracts the gradient of an
aesthetics evaluation model from the gradient of the attack model
to guide the perturbations towards a direction that preserves appeal.
We make our code available at: https://git.io/JesXr.
1 INTRODUCTION
The Pixel Privacy task, introduced by MediaEval [7], aims at devel-
oping methods for manipulating images in a way that fools auto-
(c) Reverse Saliency Map (d) Final Map
matic scene classifiers (referred to as attack models). As an added
constraint, the images should not exhibit a decrease in aesthetic
quality. The organizers made available the Places365-Standard data Figure 1: Maps used to constrain perturbations on less ob-
set [11] along with a pre-trained ResNet [3] attack model for the vious areas. The reverse saliency map along with the Sobel
task. map produce the final map.
The contribution of image enhancement techniques in privacy
protection has been previously explored [1], showing that even
popular filters used in social media have a cloaking effect against filter [9], which detects areas where edges are more prevalent.
geo-location algorithms. A more recent work by Liu et al. [6] pro- Gaussian blurring (σ =10) is applied to spread the detected edges,
posed a perturbation-based approach (white-box) and a transfer forming the final Sobel map. The saliency map is reversed so that
style approach (black-box). Similar to the first module in that work, the pixels corresponding to salient areas are zeroed out. Then,
we propose two perturbation-based approaches and explore ways to pixels where the mean value is below average on the Sobel map
localize the perturbations in a manner that does not reduce appeal. (hence more likely to be on a flat area) are also zeroed out. The
resulting map M, the sign of the network’s gradient g, and the value
2 APPROACH ϵ are multiplied and added to the original image I, completing the
We developed two approaches, both of which utilize FGSM [2]. modification. Figure 1 illustrates an example of map generation.
FGSM uses the gradient of the attack model and changes the pixel
I modified = M ◦ sдn(д(I )) ◦ ϵ + I (1)
values by nudging them towards the direction that maximizes the
loss. Furthermore, the strength of these perturbations varies and is Additionally, we used a popular filter for image manipulation,
represented by the ϵ value. namely tilt-shift to inspect how it affects the efficacy of our ap-
proach. Tilt-shift essentially blurs parts of the background while
2.1 Salient Defence intensifying foreground. In our case we used the saliency maps as
Our first approach combines two maps: one is a measure of saliency an estimate of the foreground to be intensified, blurring the rest.
and the other a measure of flatness. Salient areas are the ones that
are more likely to attract the eye of an observer, and are predicted 2.2 Coupled Optimization
by a DNN. In particular, we use SalBCE [5] trained on the SALICON The second approach exploits the gradients of both the attack model
dataset [4]. Furthermore, perturbations become more obvious when and the aesthetics evaluation algorithm. The aesthetics evaluation
they are located in flat areas. For this reason, we also used a Sobel in our case is the NIMA algorithm [10]. Since the networks differ
Copyright 2019 for this paper by its authors. Use
significantly, the gradients are first scaled to be brought to the
permitted under Creative Commons License Attribution same range [0,1]. Afterwards, NIMA’s gradient is subtracted from
4.0 International (CC BY 4.0). ResNet’s and as a result we get the sign of the total gradient and
MediaEval’19, 27-29 October 2019, Sophia Antipolis, France
�MediaEval’19, 27-29 October 2019, Sophia Antipolis, France P. Linardos et al.
(a) Vanilla FGSM, ϵ = 0.05 (b) Salient Defence, ϵ = 0.05
(c) Salient Defence & tshift, ϵ = (d) Coupled Optimization, ϵ =
0.01 0.05
Figure 3: The most promising configurations contrasted
with the vanilla FGSM.
Figure 2: Attack model accuracy under differing values of ϵ.
Methods ϵ Top-1 Acc.↓ NIMA Score↑
0.01 0.937 4.63
multiply that by ϵ: Salient Defence
0.05 0.735 4.58
I modified = sдn(дResNet (I ) − дNIMA (I )) ◦ ϵ + I (2) Salient Defence & tilt-shift 0.01 0.868 4.75
0.01 0.917 4.63
Coupled Optimization
0.05 0.458 4.54
3 RESULTS AND ANALYSIS Original Test Set - 1.0 4.64
In our initial experiments, we used the full-resolution images from
Places365 and applied a variety of ϵ values to investigate how they Table 1: Results on MediaEval test set. Top-1 accuracy refers
affect the accuracy of the attack model (Figure 2). Salient Defence to the the prediction accuracy of the attack model (ResNet50
perturbs less pixels, which explains the lower impact on accuracy trained on Places365-standard data set). The NIMA Score col-
compared to the vanilla FGSM. We also note that the tilt-shift filter umn represents the average of the aesthetics scores.
further reduces the efficacy of those perturbations. The coupled
optimization approach, has a higher impact on the accuracy of the
attack model, as it manipulates all the pixels of the image.
The test set, as evaluated by the MediaEval team (Table 1) was 4 DISCUSSION AND OUTLOOK
first downsampled to 256 × 256 and the algorithms were applied An obvious shortcoming of our salient defence algorithm is that
afterwards. Note that this set includes only images that ResNet saliency is subject to change after manipulations to the image.
predicts successfully, and so the initial accuracy (ϵ = 0) is 100%. One way of improving this would be to predict the saliency of the
In that case it seems that the tilt-shift effect actually adds to the perturbed image and reapply the modification on the original using
efficacy of the perturbations, bringing the accuracy of the attack this information. Also, the Sobel filter assigns gradients in the image
model down while increasing the aesthetics score. such as that of the horizon as similar to edge-dense areas, resulting
To test NIMA’s sensitivity to perturbations, we used FGSM in a map where some flat areas are not obscured. Furthermore, we
(vanilla) with a very high ϵ = 0.15 on a small subset (100) of the have shown that NIMA is not reliable when assessing the corrupting
validation images. This type of attack effectively ruins the visual quality of low-level noise such as FGSM perturbations. We believe
appeal; however, the NIMA score drops by only a small amount that aesthetic algorithms trained for low-level cues would improve
(from 4.26 to 3.98). This indicates that NIMA has a low-sensitivity to the efficacy of our coupled optimization approach.
adversarial perturbations. This could be explained by the fact that
NIMA was trained on AVA [8], a dataset collected by photographers. ACKNOWLEDGMENTS
The model is, therefore, sensitive to high-level concepts of aesthetic This publication has emanated from research conducted with the
appeal, such as the rule of thirds, but has not been trained to be financial support of Science Foundation Ireland (SFI) under grant
sensitive to the low-level corrupting influence of perturbations. number SFI/15/SIRG/3283 and SFI/12/RC/2289
�Pixel Privacy MediaEval’19, 27-29 October 2019, Sophia Antipolis, France
REFERENCES
[1] Jaeyoung Choi, Martha Larson, Xinchao Li, Kevin Li, Gerald Friedland, and
Alan Hanjalic. 2017. The geo-privacy bonus of popular photo enhancements. In
Proceedings of the 2017 ACM on International Conference on Multimedia Retrieval.
ACM, 84–92.
[2] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and
harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).
[3] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual
learning for image recognition. In Proceedings of the IEEE conference on computer
vision and pattern recognition. 770–778.
[4] Ming Jiang, Shengsheng Huang, Juanyong Duan, and Qi Zhao. 2015. SALICON:
Saliency in context. In Proceedings of the IEEE conference on computer vision and
pattern recognition. 1072–1080.
[5] Panagiotis Linardos, Eva Mohedano, Juan Jose Nieto, Noel E O’Connor, Xavier
Giro-i Nieto, and Kevin McGuinness. 2019. Simple vs complex temporal recur-
rences for video saliency prediction. arXiv preprint arXiv:1907.01869 (2019).
[6] Zhuoran Liu and Zhengyu Zhao. 2018. First Steps in Pixel Privacy: Exploring
Deep Learning-based Image Enhancement against Large-Scale Image Inference..
In MediaEval.
[7] Zhuoran Liu, Zhengyu Zhao, and Martha Larson. 2019. Pixel Privacy 2019:
Protecting Sensitive Scene Information in Images. In Working Notes Proceedings
of the MediaEval 2019 Workshop.
[8] Naila Murray, Luca Marchesotti, and Florent Perronnin. 2012. AVA: A large-scale
database for aesthetic visual analysis. In 2012 IEEE Conference on Computer Vision
and Pattern Recognition. IEEE, 2408–2415.
[9] Irwin Sobel and Gary Feldman. 1968. A 3x3 isotropic gradient operator for image
processing. a talk at the Stanford Artificial Project in (1968), 271–272.
[10] Hossein Talebi and Peyman Milanfar. 2018. NIMA: Neural image assessment.
IEEE Transactions on Image Processing 27, 8 (2018), 3998–4011.
[11] Bolei Zhou, Agata Lapedriza, Aditya Khosla, Aude Oliva, and Antonio Torralba.
2017. Places: A 10 million image database for scene recognition. IEEE transactions
on pattern analysis and machine intelligence 40, 6 (2017), 1452–1464.
�