Abstract
State-of-the-art machine learning algorithms can be fooled by carefully crafted adversarial examples. As such, adversarial examples present a concrete problem in AI safety. In this work we turn the tables and ask the following question: can we harness the power of adversarial examples to prevent malicious adversaries from learning identifying information from data while allowing non-malicious entities to benefit from the utility of the same data? For instance, can we use adversarial examples to anonymize biometric dataset of faces while retaining usefulness of this data for other purposes, such as emotion recognition? To address this question, we propose a simple yet effective method, called Siamese Generative Adversarial Privatizer (SGAP), that exploits the properties of a Siamese neural network to find discriminative features that convey identifying information. When coupled with a generative model, our approach is able to correctly locate and disguise identifying information, while minimally reducing the utility of the privatized dataset. Extensive evaluation on a biometric dataset of fingerprints and cartoon faces confirms usefulness of our simple yet effective method.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Abadi, M., et al.: On the protection of private information in machine learning systems: two recent approaches. CoRR abs/1708.08022 (2017)
Aneja, D., Colburn, A., Faigin, G., Shapiro, L., Mones, B.: Modeling stylized character expressions via deep learning. In: Lai, S.-H., Lepetit, V., Nishino, K., Sato, Y. (eds.) ACCV 2016. LNCS, vol. 10112, pp. 136–153. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54184-6_9
Baluja, S., Fischer, I.: Adversarial transformation networks: learning to generate adversarial examples. CoRR abs/1703.09387 (2017)
Bromley, J., Guyon, I., LeCun, Y., Säckinger, E., Shah, R.: Signature verification using a “siamese” time delay neural network. In: Advances in Neural Information Processing Systems, vol. 6, pp. 737–744. Morgan-Kaufmann (1994)
Chen, J., Konrad, J., Ishwar, P.: VGAN-based image representation learning for privacy-preserving facial expression recognition. CoRR abs/1803.07100 (2018). http://arxiv.org/abs/1803.07100
Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley Series in Telecommunications and Signal Processing. Wiley, New York (2006)
Dwork, C.: Differential privacy: a survey of results. In: International Conference on Theory and Applications of Models of Computation, pp. 1–19 (2008)
Famm, K., Litt, B., Tracey, K.J., Boyden, E.S., Slaoui, M.: Drug discovery: a jump-start for electroceuticals. Nature 496(7444), 159–161 (2013)
Finn, E.S., et al.: Functional connectome fingerprinting: identifying individuals using patterns of brain connectivity. Nat. Neurosci. 18(11), 1664–1671 (2015)
Fisher, R.A.: The use of multiple measurements in taxonomic problems. Ann. Eugen. 7(7), 179–188 (1936)
Fournier, N., Delattre, S.: On the Kozachenko-Leonenko entropy estimator. ArXiv e-prints, February 2016
Glasser, M.F., et al.: A multi-modal parcellation of human cerebral cortex. Nature 536(7615), 171–178 (2016)
Goodfellow, I., et al.: Generative adversarial nets. In: Advances in Neural Information Processing Systems, vol. 27, pp. 2672–2680 (2014)
Gymrek, M., McGuire, A.L., Golan, D., Halperin, E., Erlich, Y.: Identifying personal genomes by surname inference. Science 339(6117), 321–324 (2013)
Harmanci, A., Gerstein, M.: Quantification of private information leakage from phenotype-genotype data: linking attacks. Nat. Methods 13(3), 251–256 (2016)
Hayes, J., Melis, L., Danezis, G., De Cristofaro, E.: LOGAN: evaluating privacy leakage of generative models using generative adversarial networks. ArXiv e-prints (2017)
Huang, C., Kairouz, P., Chen, X., Sankar, L., Rajagopal, R.: Context-aware generative adversarial privacy. CoRR abs/1710.09549 (2017)
Kairouz, P., Bonawitz, K., Ramage, D.: Discrete distribution estimation under local privacy. CoRR abs/1602.07387 (2016)
Kos, J., Fischer, I., Song, D.: Adversarial examples for generative models. CoRR abs/1702.06832 (2017)
Lee, H., Han, S., Lee, J.: Generative adversarial trainer: defense to adversarial perturbations with GAN. CoRR abs/1705.03387 (2017)
Liang, B., Li, H., Su, M., Li, X., Shi, W., Wang, X.: Detecting adversarial examples in deep networks with adaptive noise reduction. CoRR abs/1705.08378 (2017)
van der Maaten, L., Hinton, G.: Visualizing data using t-SNE. J. Mach. Learn. Res. 9, 2579–2605 (2008). http://www.jmlr.org/papers/v9/vandermaaten08a.html
Mirjalili, V., Raschka, S., Namboodiri, A.M., Ross, A.: Semi-adversarial networks: convolutional autoencoders for imparting privacy to face images. CoRR abs/1712.00321 (2017)
Mirjalili, V., Ross, A.: Soft biometric privacy: retaining biometric utility of face images while perturbing gender. In: IJCB, pp. 564–573 (2017)
Narayanan, A., Shmatikov, V.: Robust de-anonymization of large sparse datasets. In: 2008 IEEE Symposium on Security and Privacy, SP 2008, pp. 111–125. IEEE (2008)
NIST: NIST 8-bit gray scale images of fingerprint image groups (FIGS)
Oh, S.J., Fritz, M., Schiele, B.: Adversarial image perturbation for privacy protection - a game theory perspective. CoRR abs/1703.09471 (2017)
Orekondy, T., Fritz, M., Schiele, B.: Connecting pixels to privacy and utility: automatic redaction of private information in images. In: The IEEE Conference on Computer Vision and Pattern Recognition (CVPR), June 2018
Rajpurkar, P., Hannun, A.Y., Haghpanahi, M., Bourn, C., Ng, A.Y.: Cardiologist-level arrhythmia detection with convolutional neural networks. ArXiv e-prints (2017)
Raval, N., Machanavajjhala, A., Cox, L.P.: Protecting visual secrets using adversarial nets. In: CVPR Workshop Proceedings (2017)
Sun, Q., Ma, L., Oh, S.J., Gool, L.V., Schiele, B., Fritz, M.: Natural and effective obfuscation by head inpainting. CoRR abs/1711.09001 (2017)
Sweeney, L., Abu, A., Winn, J.: Identifying participants in the personal genome project by name (a re-identification experiment). CoRR abs/1304.7605 (2013)
Tripathy, A., Wang, Y., Ishwar, P.: Privacy-preserving adversarial networks. CoRR abs/1712.07008 (2017)
Trzcinski, T., Lepetit, V.: Efficient discriminative projections for compact binary descriptors. In: Fitzgibbon, A., Lazebnik, S., Perona, P., Sato, Y., Schmid, C. (eds.) ECCV 2012. LNCS, vol. 7572, pp. 228–242. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33718-5_17
Wang, Z., Bovik, A.C., Sheikh, H.R., Simoncelli, E.P.: Image quality assessment: from error visibility to structural similarity. IEEE Trans. Image Process. 13(4), 600–612 (2004)
Zhao, H., Gallo, O., Frosio, I., Kautz, J.: Loss functions for neural networks for image processing. CoRR abs/1511.08861 (2015). http://arxiv.org/abs/1511.08861
Acknowledgment
The work was partially supported as RENOIR Project by the European Union Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 691152 (project RENOIR) and by Ministry of Science and Higher Education (Poland), grant No. W34/H2020/2016. We thank NVIDIA Corporation for donating Titan Xp GPU that was used for this research.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Oleszkiewicz, W., Kairouz, P., Piczak, K., Rajagopal, R., Trzciński, T. (2019). Siamese Generative Adversarial Privatizer for Biometric Data. In: Jawahar, C., Li, H., Mori, G., Schindler, K. (eds) Computer Vision – ACCV 2018. ACCV 2018. Lecture Notes in Computer Science(), vol 11365. Springer, Cham. https://doi.org/10.1007/978-3-030-20873-8_31
Download citation
DOI: https://doi.org/10.1007/978-3-030-20873-8_31
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-20872-1
Online ISBN: 978-3-030-20873-8
eBook Packages: Computer ScienceComputer Science (R0)