Deep learning models are increasingly deployed in real-world applications. These models are often deployed on the server-side and receive user data in an information-rich representation to solve a specific task, such as image classification. Since images can contain sensitive information, which users might not be willing to share, privacy protection becomes increasingly important. Adversarial Representation Learning (ARL) is a common approach to train an encoder that runs on the client-side and obfuscates an image. It is assumed, that the obfuscated image can safely be transmitted and used for the task on the server without privacy concerns. However, in this work, we find that training a reconstruction attacker can successfully recover the original image of existing ARL methods. To this end, we introduce a novel ARL method enhanced through low-pass ifltering, limiting the available information amount to be encoded in the frequency domain. Our experimental results reveal that our approach withstands reconstruction attacks while outperforming previous state-of-the-art methods regarding the privacy-utility trade-of. We further conduct a user study to qualitatively assess our defense of the reconstruction attack. privacy-preserving machine learning, adversarial representation learning, image frequency filtering
crosoft Cognitive Services, frequently deploy deep learning models in real-world applications in recent years. The models run on the providers’ server can receive and process user information in an information-rich representation to solve a specific task. For example, the users send their face images from their smartphone (client) to the server and receive the processed results, such as face identification. However, the raw images can also contain veal or share, violating the users’ privacy. An adversary could take over and abuse the images of the users. In one possible attack scenario, adversaries can train a new attacker model (e.g. neural network) that retrieves private attributes, such as gender, emotional state, and race.
without the users’ knowledge. Hence, an obfuscation method should be used to protect the users’ privacy.
ing [
Most previous ARL methods solve the problem of
privacy-safe transmission by optimizing 1) utility task
loss and 2) proxy adversary task loss [
We present a novel ARL method that leverages fre- image and 2) the privacy attribute (in this case, gender ). Our quency filtering, leveraging an extreme low-pass fre- method successfully defends the reconstruction attack while quency filter (Figure 1). The representation filtering on all other approaches fail. Detailed results are further discussed the frequency domain efectively limits the amount of in- in Section 5. formation to be encoded. Our experimental results show that our approach outperforms previous state-of-the-art methods regarding the privacy-utility trade-of. We also images are used for the inference which means that there present that our proposed method withstands the recon- are still potential threats for data breaches when inferring struction attack better than existing ARL methods, which the target. are evaluated through visual metrics and a user study.
Data-privacy in Computer Vision For privacy-safe
data transmission, several approaches have been
proposed to tackle the problem of raw image sharing.
Federated learning [
MaxEnt [23] formulate the ARL problem as an adversarial non-zero-sum game and minimizes the amount of non-utility information, which they quantify through entropy. Adversarial representation learning with nonlinear functions through kernel representation with theoretical guarantees are introduced in [33]. While most of the previous methods represent the obfuscated output leverages domain-preserving transformations, i.e. images to images. Above mentioned ARL methods mainly focused on designing special loss functions or model architectures. To the best of our knowledge, our method is the first ARL method that focuses on the efective encoding of privacy-safe representation in the frequency domain.
There are three common attacks on privacy in ma- tor, resulting in () = ̂ . Note that in prior works, the
chine learning. The first is the membership inference
attack [34], which attempts to infer whether a data sam- a feature map difering in shape from the original input
intermediate representation ̂ was often represented as
as the intermediate feature of a DNN, Bertran et al. [
R × ×3 , where with a number of various attributes ∼
. Some of the
attributes are private attributes ∼ and some are
utility attributes ∼ , such that =
∪
. Given a
utility task model , we search for an intermediate
representation ̂, from which can infer the utility attributes,
but not the privacy attributes. This transformation can
also be represented through a DNN , termed
obfuscaple is used for the machine learning model training. This
attack is more related to the attack on the server-side
sion attack [35] which attempts to infer raw data from
processed representation. This is the same attack
scenario as the aforementioned reconstruction attack. The
images. However, similar to [
Prior works have explored the behavior of DNNs from a frequency perspective. Overall, there is solid evidence that both high-frequency features and low-frequency features can be helpful for classification [ 36, 37]. It has been demonstrated that DNNs have an increased bias toward texture compared to the object’s shape [38]. On the other hand, DNNs trained only on low-pass filtered images also generalize well and are capable of achieving high accuracies [36]. Yin et al. [36] shows that adversarial training and Gaussian data augmentation shift DNNs towards utilizing low-frequency information in the input. Wang et al. [37] points out that convolutional neural an attacker can attempt to retrieve information about the private attributes from the intermediate representation.
This can be realized either by directly inferring private information from the intermediate representation (information leakage attack) or through the reconstruction of the original input images from the intermediate representations (reconstruction attack). In the information leakage attack scenario an attacker is able to obtain data pairs consisting of the corresponding intermediate representation and their respective private attributes {, ̂ }. In this scenario an attacker can attempt to train a model , which leaks the private information from the repre sentations ()̂ =
. In the reconstruction attack, given image pairs of the original image and the intermediate representation {, }̂
the attacker attempts to obtain a model which retrieves the original image from the intermediate representation ()̂ = . In this work, we since they are proven to be powerful for image processing networks (CNNs) mainly exploit high-frequency compo- represent both attacker models and through DNNs, nents. Similarly, Abello et al. [39] find that mid or highlevel frequencies are disproportionately critical for CNNs. tasks.
mation can be encoded in diferent frequency ranges of images. We propose encoding information in the lowfrequency band of images to securely transfer them between diferent parties. 4.
C ×
Fourier transform is a common tool to perform frequency analysis [41]. We consider the 2D discrete Fourier transformation ℱ ∶ R ×
→
and the inverse Fourier transformation as ℱ −1.
After applying ℱ on an image, low frequencies are located
in the center of a Fourier image, while high frequencies
are located toward the boundaries. For low-pass
filtering, we set all frequency components outside of a central
circle with radius in the frequency domain to zero and retically, the utility (higher the better) is upper bounded
apply ℱ −1 afterward. We normalize the radius to be in by 100%. In practice, however, we consider the upper
the range of [
Frequency Obfuscation We depict our proposed We also perform a reconstruction attack on the obfusmethodology in Figure 1. Given an input image, the objec- cated images to recover corresponding original images. tive is to obfuscate the image to achieve the best privacy- We evaluate the reconstruction attacks quantitative and utility trade-of. Our obfuscator module consists of an qualitatively by calculating similarity scores between the encoder architecture followed by frequency-filtering. We original and reconstructed images and conducting a user choose the commonly used U-Net [42] architecture as study on the reconstructed images. our encoder and pass the original image through it. Formally, we express this as () , where we indicated the 5. Experiments encoder with . The subsequent frequency filtering is realized via a low-pass filter (()) . This procedure 5.1. Setup completes the generation of the intermediate representation through the obfuscator =̂ () = (()) . Dur- Datasets We conduct experiments on CelebA [44], ing obfuscator training, we leverage a task model and a FairFace [45], and CIFAR10 [46]. Following the utility and proxy adversary. The objective of the task model is to privacy task setting from DISCO [22], we set “Smiling” predict the utility attribute from the intermediate rep- as the utility attribute and “Male” as the privacy attribute resentation. The respective task loss can be calculated for CelebA, “Gender” as the utility attribute, and “Race” with = [ℒ ( (()), )], where ℒ indicates the task as the privacy attribute for FairFace. For CIFAR10, the loss function, which is the cross-entropy function in utility task is defined as classifying living objects ( e.g. our setup. The objective of proxy adversary model is “bird”, “cat”, etc.) or non-living objects (e.g. “airplane”, to leak the privacy attribute from the intermediate rep- “automobile”, etc.) and the privacy task as classifying the resentation. The proxy adversary loss can be calculated separate 10 classes. as = [ℒ ( (()), )], where ℒ indicates the privacy loss function, which is also represented as the cross- Implementation details The encoder is a lightweight entropy function. The obfuscator loss is represented as variant of U-Net [42], with 4× fewer intermediate feature = − . channels than the original version. We use an extreme
Similar to the scenario introduced in DISCO [22] a low pass filter with radius, = 0.01 for CelebA and
Fairpractical application scenario of our proposed approach Face, and = 0.05 for CIFAR10. We apply a center-circled
is when the obfuscator module is present on a trusted iflter, which can adjust the level of obfuscation by
changclient device, which sends the intermediate feature repre- ing its radius (bandwidth). Section 6.2 discusses the efect
sentations to a server. Since an adversary can intercept of the radius. We normalize the radius by the length from
the communication between client and server, or the the filter’s center to the corner to make the value in the
server can also be malicious, we consider the server-side range [
various baselines. As a simple baseline obfuscator, we
add Gaussian noise sampled from (0, 2) to the input
image while obeying the image range of pixels in the
range [
In terms of obfuscation, our method shows the best results, followed by LP. It reconfirms the usefulness of our architecture design, the combination of the encoder and the frequency filtering module.
against the reconstruction attack on CelebA. Since the 6. Ablation Study privacy task for the dataset is gender classification, the reconstructed image’s gender should not be correctly clas- 6.1. High-pass filter sified by a human observer if the obfuscation is successful.
To conduct the experiment, we randomly sampled 30 im- Previously, we presented the efect of the low-pass freages (15 for male and 15 for female), for which ResNet18 quency filtering module on ARL. The module appropriclassifies the gender correctly. By doing so, we balanced ately limits the amount of encoded information in the each class and addressed the ambiguity of the labels to obfuscated image. It retains the information at a lowprevent unfair results. Then, we obfuscated the images frequency range. Using a high-pass filter, we can leverusing each of the techniques and reconstructed them age the same intuition, by limiting the information to be with their respective attacker models from Section 5.1. encoded in the high-frequency bandwidth. However, in Examples of reconstructed images are shown in Figure 2. the following, we will present results indicating that the We presented 180 reconstructed images to a group of low-pass filter is the superior method to use. people and asked them to identify whether the person We conduct the same experiment from Section 5.2 on in the reconstructed image is male, female, or cannot be FairFace with a high-pass filtering module for 5 radii judged. We provided the last option to let the users skip (0.80, 0.85, 0.90, 0.95, 0.99). Contrary to the low-pass the examples that are hard to judge. The test subjects ifltering, the filter removes frequencies inside the filter were randomly selected and consist of 30 people who live radius, which leads to a radius of 0.99 as the most extreme in Seoul, South Korea, and are in their 20s and 30s. high-pass filter. We call this method HP.
As shown in Figure 3, people correctly identify the gen- The respective results are presented in Table 3. As the der for the original images and the reconstructed ones filtering gets more extreme, the utility accuracy decreases a privacy attack easily. Note that the utility accuracy did not decrease even with the harshest filter. We speculate that the extremely low-pass filtered representation is enough for these specific utility tasks. Figure 4 and Table 3 confirm that the radius is a crucial factor of privacy and utility accuracy. Thus the radius is a hyperparameter that should be tuned based on the privacy-utility gap.
This work proposes a novel ARL method based on frequency filtering, which is robust to privacy leakage attacks while maintaining task utility. Our experiments together with the privacy accuracy. The table also shows suggest that a combination of neural-net encoder and lowthat our approach with a low-pass filter from Table 1 pass filter improves ARL training for the quantitative and outperforms all results from the high-pass filter regarding qualitative metrics. The method outperforms other comthe privacy-utility gap. The best privacy-utility gap with pared methods for the quantitative measure of privacythe high-pass filter is 63.16% with a radius of 0.95, which utility trade-of and reconstruction attack (Section 5). is 2.88%p lower than for the approach with low-pass Our user study suggests that the proposed method efecifltering. It has been demonstrated that DNNs can learn tively defends against reconstruction attacks (Section 5.3). from low-pass filtered images more eficiently than high- The ablation experiments justified the use of a low-pass pass filtered ones [ 36]. Especially with the extreme high- filter and also showed that the filter radius adjusts the pass (r=0.99), the model did not learn for both, the utility privacy-utility trade-of (Section 6). and privacy tasks. For future work we consider the optimization of the
Furthermore, from a practical point of view, we need to client-side model to reduce the computation burden by usreduce the size of the obfuscated image to reduce the cost ing a lightweight architecture such as MobileNetV3 [53]. of transmission or storage. The most commonly used Furthermore, an adaptive selection of the frequencyJPEG compression algorithm leverages the filtering of ifltering hyperparameter might increase the utility accuhigh frequency. If we use a high-pass filter ARL method, racy and decrease the privacy accuracy. encoded information in the high-frequency range would be lost. To this end, encoding information into the lowfrequency range is more suitable than the opposite to References utilize the conventional compression algorithms further. 6.2. The efect of filter radius One of the key points of our proposed method is the frequency filtering module. The module has only one parameter to consider, the filter’s radius. To gain insight into choosing the parameter, we conducted experiments with various radii. The same experiment from Section 5 on FairFace is done with 5 radii (0.01, 0.015, 0.02, 0.025, 0.03). The radius of 0.01 is the most extreme low-pass iflter.
Figure 4 (left) shows a trend of consistent utility accuracy and increasing privacy accuracy. The utility accuracies are around 89% with a small variance. The privacy accuracies show an increasing tendency from 23.64% to 30.45% as the radius increases. It leads the privacy-utility gap to decrease (Figure 4, right).
The increased privacy accuracy aligns with our intuition of limiting information in the obfuscated representation. The wider radius allows the representation to have more information, leading the adversary to exploit it for [34] R. Shokri, M. Stronati, C. Song, V. Shmatikov, Mem- quality assessment: from error visibility to strucbership inference attacks against machine learning tural similarity, Transactions on Image Processing models, in: Symposium on security and privacy (2004).
(SP), 2017. [49] Z. Wang, E. P. Simoncelli, A. C. Bovik, Multiscale [35] M. Fredrikson, S. Jha, T. Ristenpart, Model inversion structural similarity for image quality assessment, attacks that exploit confidence information and ba- in: The Thrity-Seventh Asilomar Conference on sic countermeasures, in: ACM SIGSAC conference Signals, Systems & Computers, 2003, volume 2, Ieee, on computer and communications security, 2015. 2003, pp. 1398–1402. [36] D. Yin, R. G. Lopes, J. Shlens, E. D. Cubuk, J. Gilmer, [50] A. Horé, D. Ziou, Image quality metrics: Psnr A fourier perspective on model robustness in com- vs. ssim, in: International Conference on Pattern puter vision, in: Advances in neural information Recognition, 2010.
processing systems (NeurIPS), 2019. [51] R. Zhang, P. Isola, A. A. Efros, E. Shechtman, [37] H. Wang, X. Wu, Z. Huang, E. P. Xing, High- O. Wang, The unreasonable efectiveness of deep frequency component helps explain the generaliza- features as a perceptual metric, in: Proceedings of tion of convolutional neural networks, in: Confer- the IEEE conference on computer vision and patence on Computer Vision and Pattern Recognition tern recognition, 2018, pp. 586–595. (CVPR), 2020. [52] T. Karras, S. Laine, M. Aittala, J. Hellsten, J. Lehti[38] R. Geirhos, P. Rubisch, C. Michaelis, M. Bethge, F. A. nen, T. Aila, Analyzing and improving the imWichmann, W. Brendel, Imagenet-trained cnns are age quality of stylegan, in: Proceedings of the biased towards texture; increasing shape bias im- IEEE/CVF Conference on Computer Vision and Patproves accuracy and robustness., in: International tern Recognition (CVPR), 2020.
Conference on Learning Representations (ICLR), [53] A. Howard, M. Sandler, G. Chu, L.-C. Chen, B. Chen, 2019. M. Tan, W. Wang, Y. Zhu, R. Pang, V. Vasudevan, [39] A. A. Abello, R. Hirata, Z. Wang, Dissecting the et al., Searching for mobilenetv3, in: Proceedings high-frequency bias in convolutional neural net- of the IEEE/CVF International Conference on Comworks, in: Proceedings of the IEEE/CVF Confer- puter Vision, 2019. ence on Computer Vision and Pattern Recognition, 2021, pp. 863–871. [40] A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom,
B. Tran, A. Madry, Adversarial examples are not bugs, they are features, Advances in neural information processing systems (NeurIPS) (2019). [41] J. S. Lim, Two-dimensional signal and image pro
cessing, Englewood Clifs (1990). [42] O. Ronneberger, P. Fischer, T. Brox, U-net: Convolutional networks for biomedical image segmentation, in: International Conference on Medical image computing and computer-assisted intervention, 2015. [43] K. He, X. Zhang, S. Ren, J. Sun, Deep residual learning for image recognition, in: Conference on computer vision and pattern recognition (CVPR), 2016. [44] Z. Liu, P. Luo, X. Wang, X. Tang, Deep learning face attributes in the wild, in: International Conference on Computer Vision (ICCV), 2015. [45] K. Karkkainen, J. Joo, Fairface: Face attribute dataset for balanced race, gender, and age for bias measurement and mitigation, in: Winter Conference on Applications of Computer Vision (WACV), 2021. [46] A. Krizhevsky, Learning multiple layers of features
from tiny images, Technical Report, 2009. [47] D. P. Kingma, J. Ba, Adam: A method for stochastic optimization, arXiv preprint arXiv:1412.6980 (2014). [48] Z. Wang, A. Bovik, H. Sheikh, E. Simoncelli, Image