We propose a novel image transformation network for generating visually protected images for privacy-preserving deep neural networks (DNNs). The proposed network is trained on a plain-image dataset so that plain images are converted into visually protected ones. Conventional perceptual encryption methods cause some accuracy degradation in image classification and are not robust enough against state-of-the-art attacks. In contrast, the proposed network not only maintains the image classification accuracy achieved with plain images but is also strongly robust against attacks, including DNN-based ones. Furthermore, unlike conventional methods, it requires no security-key management. In an image classification experiment, the proposed network is demonstrated to strongly protect the visual information of plain images while maintaining high classification accuracy with two typical classification networks, ResNet and VGG. In addition, an experiment in which we attempted to restore the visual information of plain images shows that the visually protected images are robust against various attacks.
In this paper, we propose the combined use of transformed images and vision transformer (ViT) models transformed with a secret key. We show for the first time that, on the basis of the ViT architecture, models trained with plain images can be directly transformed into models for encrypted images, and that the transformed models achieve the same performance as models trained with plain images when test images are encrypted with the key. In addition, the proposed scheme requires neither specially prepared training data nor any network modification, so it also allows us to easily update the secret key. In an experiment, the effectiveness of the proposed scheme is evaluated in terms of performance degradation and model-protection performance in an image classification task on the CIFAR-10 dataset.
In this paper, we propose a novel robust visual classification framework that uses double quantization (dquant) to defend against adversarial examples in a specific attack scenario, called "subsequent adversarial examples," in which test images are injected with adversarial noise. The proposed system can completely remove the adversarial noise in this particular attack scenario. First, we analyze the potential sources of adversarial noise and classify adversarial examples into three classes. We then propose dquant, a novel and effective solution that targets a specific class of adversarial examples. The first quantization is 1-bit dithering, applied to both training and test images. The second is linear quantization, applied to test images just before they are input to the model in order to remove any adversarial noise. The linear quantizer guarantees that the original 1-bit test images are restored regardless of the adversarial noise distance, and dquant therefore maintains identical accuracy whether or not the model is under attack. The results show that dquant achieves comparable accuracy, 85.28% on the CIFAR-10 and 94.99% on the Oxford-IIIT Pet datasets, against three state-of-the-art adversaries, even with a previously untested maximum adversarial distance of 64.
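The double-quantization idea described above can be sketched as follows. This is a minimal illustration, not the paper's implementation: a simple threshold stands in for both the 1-bit dithering step and the linear quantizer, and the helper names and the 4x4 demo image are assumptions. Under these assumptions, restoration is exact whenever the L-infinity noise distance is at most 64, the maximum distance mentioned above, because every perturbed pixel remains on the correct side of the threshold.

```python
import numpy as np

def quantize_1bit(img):
    """Map each pixel to a 1-bit level (0 or 255).
    Stands in for the paper's 1-bit dithering of training/test images."""
    return np.where(img >= 128, 255, 0).astype(np.uint8)

def linear_quantize(img):
    """Test-time quantizer: snap each pixel back to the nearest 1-bit
    level, removing any bounded adversarial perturbation."""
    return np.where(img >= 128, 255, 0).astype(np.uint8)

# Demo: perturb a 1-bit test image with L-infinity noise of distance 64.
rng = np.random.default_rng(0)
clean = quantize_1bit(rng.integers(0, 256, size=(4, 4)))
noise = rng.integers(-64, 65, size=clean.shape)
attacked = np.clip(clean.astype(int) + noise, 0, 255)
restored = linear_quantize(attacked)
assert np.array_equal(restored, clean)  # noise removed completely
```

Because the model only ever sees 1-bit images at both training and test time, its accuracy is identical with and without the attack, which is the property the abstract claims for dquant.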