Adversarial Learning of Privacy-Preserving and Task-Oriented Representations

Xiao, Taihong; Tsai, Yi-Hsuan; Sohn, Kihyuk; Chandraker, Manmohan; Yang, Ming–Hsuan

doi:10.1609/aaai.v34i07.6930

Cited by 38 publications

(37 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Overall, the results of this study show that reconstruction of the original images used for training of CNN models is possible, but is accompanied by some amount of blurring. This finding is also in line with the results from model inversion attack studies in computer vision [ 8 ]. The results of this study also suggest that the reconstructions from the U-Net are better than those for the SegNet.…”

Section: Discussionsupporting

confidence: 90%

“…The inversion attack scenario used in this work was first described for computer vision applications [ 7 , 8 ] and is based on the following assumptions that hold true for most deep learning models that are publicly available and follow an encoder-decoder architecture: The attacker can access the latent space representation of arbitrary input images. The attacker knows the encoder’s architecture that is used to generate the latent space information of the images.…”

Section: Materials and Methodsmentioning

confidence: 99%

“…Four separate evaluation metrics were implemented in this work to measure the reconstruction success in our inversion attack scenario: The first metric is the frequently used Matthews correlation coefficient (MCC) [ 8 ] between the original and the reconstructed image. The second one is the structural similarity coefficient (SSIM) [ 24 ], which is defined as a function of luminance, contrast, and structure of the two images being compared, and ranges between 0 and 1, where 0 denotes no similarity, and 1 denotes that the two images are identical.…”

Section: Materials and Methodsmentioning

confidence: 99%

“…A third type of attack is the model stealing attack [ 18 , 19 ] with the primary aim of inferring the parameters and hyper-parameters of the deep learning model. The last attack type is the model inversion attack [ 7 , 8 , 20 ]. In this case, an attacker tries to reconstruct the original data used for training of the deep learning model.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Until recently, patient data confidentiality was thought to be protected in trained deep learning models, which were assumed to be black boxes and learn from a plethora of information. Recent research in computer vision [ 7 , 8 ] has shown that it is possible to reconstruct, for example, facial photos used for training of a deep neural network to the extent that allows a person to be identified. However, it remains unknown if such methods could also be used to reconstruct complex 3D medical imaging data.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

An Analysis of the Vulnerability of Two Common Deep Learning-Based Medical Image Segmentation Techniques to Model Inversion Attacks

Subbanna

Wilms

Tuladhar

et al. 2021

Sensors

View full text Add to dashboard Cite

Recent research in computer vision has shown that original images used for training of deep learning models can be reconstructed using so-called inversion attacks. However, the feasibility of this attack type has not been investigated for complex 3D medical images. Thus, the aim of this study was to examine the vulnerability of deep learning techniques used in medical imaging to model inversion attacks and investigate multiple quantitative metrics to evaluate the quality of the reconstructed images. For the development and evaluation of model inversion attacks, the public LPBA40 database consisting of 40 brain MRI scans with corresponding segmentations of the gyri and deep grey matter brain structures were used to train two popular deep convolutional neural networks, namely a U-Net and SegNet, and corresponding inversion decoders. Matthews correlation coefficient, the structural similarity index measure (SSIM), and the magnitude of the deformation field resulting from non-linear registration of the original and reconstructed images were used to evaluate the reconstruction accuracy. A comparison of the similarity metrics revealed that the SSIM is best suited to evaluate the reconstruction accuray, followed closely by the magnitude of the deformation field. The quantitative evaluation of the reconstructed images revealed SSIM scores of 0.73±0.12 and 0.61±0.12 for the U-Net and the SegNet, respectively. The qualitative evaluation showed that training images can be reconstructed with some degradation due to blurring but can be correctly matched to the original images in the majority of the cases. In conclusion, the results of this study indicate that it is possible to reconstruct patient data used for training of convolutional neural networks and that the SSIM is a good metric to assess the reconstruction accuracy.

show abstract

Section: Discussionsupporting

confidence: 90%

Section: Materials and Methodsmentioning

confidence: 99%

Section: Materials and Methodsmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Analysis of the Vulnerability of Two Common Deep Learning-Based Medical Image Segmentation Techniques to Model Inversion Attacks

Subbanna

Wilms

Tuladhar

et al. 2021

Sensors

View full text Add to dashboard Cite

show abstract

Adversarial learning techniques for security and privacy preservation: A comprehensive review

Hathaliya

Tanwar

Sharma

2022

Security and Privacy

View full text Add to dashboard Cite

In recent years, the use of smart devices has increased exponentially, resulting in massive amounts of data. To handle this data, effective data storage and management has required. Cloud computing (CC) is a promising solution to deal with this huge amount of data. Electronic devices are collecting real‐time data from sensors and applications through a wireless communication channel in the digital era. In some cases, CC cannot protect against various malicious attacks in the wireless communication channel. To address this issue, we have used machine learning (ML) and deep learning (DL) techniques for attack detection in a wireless channel on an early basis. It trains a model to predict malicious activities of attackers, which aids in the security of CC's sensitive data. We employed adversarial learning techniques (AL) to add fake data into the model to ensure that the trained model was correct. The trained model can distinguish between the fake and real data from the training samples and improve the training samples' performance. AL provides different defense mechanisms to preserve the privacy of ML‐ and DL‐based model but does not ensure the system's robustness. To improve the system's robustness, we have used federated learning with blockchain technology to make a system more robust, reliable, accurate, and transparent. This integration aids in providing high‐graded security against adversarial attacks. This paper presents a comprehensive review to highlight the recent improvements in AL techniques. Moreover, we explored the various AL applications in security and privacy preservation. Finally, open research issues and future directions are discussed to show future research avenues.

show abstract