Scene recognition is a hallmark topic in computer vision, and it provides global semantic information that facilitates diferent tasks. Leveraging large-scale scene datasets, deep learning-based scene recognition algorithms have made great progress in scene recognition [ 11 ]. But these algorithms also raised people’s concerns on social multimedia privacy at the same time [ 6 ]. In the past, privacy protection algorithms mainly focused on leveraging adversarial machine learning, image style transfer [ 8 ] and image enhancement [ 1, 3 ]. Conventional adversary algorithms [ 2, 5 ] are efective for inducing misclassfication but not intentionally designed for increasing image appeal. In most cases, the resulting distortions even degrade the image quality. Methods of image enhancement and style transfer that are able to increase the visual appeal of images do not consider the adversarial function during the transformation process.

In the 2019 Pixel Privacy Task [ 9 ], we propose a baseline approach, called adversarial photo frame (APFrame). The approach strives for a balance between privacy protection and visual appeal of images. APFrame achieves privacy protection against networkbased scene classifier based on adversarial machine learning techniques, while restricting the transformations to the edge of the image, i.e., the photo frame, in order to maintain the visual appeal. Experiments are conducted with diferent photo frame settings of APFrame. The algorithm details and experimental results are discussed in section 2 and section 3.

The working diagram of APFrame is described in Figure 1. Given an image, a photo frame is generated randomly. We start from a white additive frame with all components equaling 1. This frame is fed into the classifier and the gradients of cross-entropy loss with respect to the original label is calculated by back propagation

Deep learning-based scene classifier Use back propagation to update adversarial frame

in order to increase model loss to update the frame. This process is repeated until the classifier outputs a diferent prediction.

Specifically, we consider two alternative constraints used for generating adversarial photo frames, namely, full-flexibility frame and weight-constrained frame. In the full flexibility APFrame, all values are admissible for pixels in the frame, and the resulting frame gives the impression of random couples (e.g., top row in Figure 2). In the weight-constrained frame, All the components in any of the three RGB color channels are required to change uniformly, i.e., only three parameters are learned for increasing the classification loss.

This setting enforces the adversarial frames to only have one color for more natural look. The width of the frame can be predefined to balance the protection efect and visual appeal. A narrow frame leads to less influence on the image content, but normally yields weaker protection efect.

The algorithm is summarized in Equation 1.

minimize − L(f (x + δ ), c0) (1)

δ s.t. c0 , argmax(f (x + δ )),

c where x is the input image, which is correctly predicted into c0 class, and δ is the frame that only has values in the edge of the image with pre-defined width.

f represents the classifier, and L represents the cross-entropy loss function. The objective function is minimized until the predicted label of the classifier is diferent from the ground truth label. Obviously, narrow frame with the weight-constrained setting performs less efective due to the limited searching space of possible transformations.

Figure 2 shows some image examples achieved by APFrame.

We submit five runs to pixel privacy task for the oficial evaluation on our APFrame. Among them, three runs are using full-flexibility constraints with varied widths in the range [ 5,10,15 ], denoted as Ff W5, Ff W10 and Ff W15. The other two runs are using weightconstrained settings with two diferent widths 15 and 20, denoted as WcW15 and WcW20.

We use Adam optimizer [ 4 ] with a learning rate of 1 to perform the gradient descent in Equation 1 on a Tesla P100 GPU.

We proposed APFrame that can achieve adversarial efects against deep scene recognition networks for privacy protection, while maintaining image appeal. Compared with other adversarial machine learning-based techniques, APFrame maintains the visual appeal of images by avoiding modifications in the central part of images, which is arguably the part of the image most important to human viewers. In short, the social function and visual appeal of the images can be maintained to a large degree.

But it still has some disadvantages. For instance, it is not robust to preprocessing methods, e.g., center (random) cropping or resizing. The adversarial photo frames can be erased directly by centercropping which is a common preprocessing step in deep learningbased models. To resolve this issue, developing the techniques that consider the semantics of image content is a direction to research in the future. APFrame can be extended to any shape that indicates diferent number of pixels in image, or implemented as QR code.

We also point out that due to the neural structure of NIMA, the generated adversarial frame patterns may have a transferable impact on the evaluation score [ 7 ]. This encourage us to have a non-neural evaluation scheme to better address human perception in the future.

This work was carried out on the Dutch national e-infrastructure with the support of SURF Cooperative.