Journal of Nanjing University (Natural Science) ›› 2023, Vol. 59 ›› Issue (4): 644-659. doi: 10.13232/j.cnki.jnju.2023.04.011
Haiju Fan, Xiaona Qin, Ming Li
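Abstract:
To integrate privacy protection, copyright protection, and integrity protection for images, an adversarial embedding method based on similar-codeword replacement in the compressed domain is proposed. The method belongs to a new area at the intersection of adversarial attacks and information hiding: it replaces the meaningless noise that traditional adversarial attack methods add artificially with meaningful secret information, so that the adversarial embedded image is misclassified. This prevents an attacker from using a neural network classification model to capture images of a specific category in massive cloud databases, which protects the privacy of the image. Moreover, the hidden secret information can be extracted completely from the adversarial embedded image, which protects the copyright of the image. The object attacked by this adversarial embedding method is the compressed form of the image, namely its vector quantization index. In the attack, the index is replaced with different similar-codeword indices of that index to embed the secret information, which achieves dual protection of the image at a high compression ratio. Optimizing the similar-index perturbation with a genetic algorithm effectively reduces the probability of the true class and misleads the output of the classification model. Experimental results show that on the CIFAR-10 test dataset, with three classic network classification models (Resnet, NIN, VGG16), the proposed adversarial embedding method causes 90.83% of images to be misclassified with an average confidence of 85.44%, and the embedding capacity can reach 0.75 bpp.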