隐私保护的图像替代数据生成方法  

作　　者：李婉莹 刘学艳 杨博[1,2] LI Wanying;LIU Xueyan;YANG Bo(College of Computer Science and Technology,Jilin University,Changchun 130012,China;Key Laboratory of Symbolic Computing and Knowledge Engineering of Ministry of Education,Jilin University,Changchun 130012,China)

机构地区：[1]吉林大学计算机科学与技术学院,长春130012 [2]吉林大学符号计算与知识工程教育部重点实验室,长春130012

出　　处：《吉林大学学报（信息科学版）》2024年第1期59-66,共8页Journal of Jilin University（Information Science Edition）

基　　金：国家自然科学基金资助项目(U22A2098,62172185,62202200,62206105);国家重点研发计划基金资助项目(2021ZD0112501,2021ZD0112502);吉林省重点科技研发基金资助项目(20180201067GX,20180201044GX);吉林省自然科学基金资助项目(20200201036JC)。

摘　　要：针对现有图像数据集存在的隐私保护需求,提出一种图像数据集隐私保护场景及该场景下隐私保护的图像替代数据生成方法。该场景利用经隐私保护方法处理后的替代图像数据集取代原始图像数据集,其中替代图像与原始图像一一对应,人类无法识别替代图像所属类别,替代图像可训练现有的深度学习图像分类算法,且具有较好的分类效果。同时针对上述场景,改进了基于投影梯度下降(PGD:Project Gradient Descent)攻击的数据隐私保护方法,将原始PGD攻击目标由标签改为图像,即图像对图像的攻击,并使用经过对抗训练的鲁棒模型进行图像对图像攻击作为替代数据的生成方法。在标准测试集上,替代后的CIFAR(Canadian Institute For Advanced Research 10)数据集和CINIC数据集在图像分类任务上分别取得了87.15%和74.04%的测试正确率。实验结果表明,该方法能在保证替代数据集对人类隐私性的前提下,生成原始数据集的替代数据集,并保证现有方法在该数据集上的分类性能。Aiming at the privacy protection requirements of existing image datasets,a privacy⁃preserving scenario of image datasets and a privacy⁃preserving image alternative data generation method is proposed.The scenario is to replace the original image dataset with an alternative image dataset processed by a privacy⁃preserving method,where the substitute image is in one⁃to⁃one correspondence with the original image.And humans can not identify the category of the substitute image,the substitute image can be used to train existing deep learning images classification algorithm,having a good classification effect.For this scenario,the data privacy protection method based on the PGD(Project Gradient Descent)attack is improved,and the attack target of the original PGD attack is changed from the label to the image,that is the image⁃to⁃image attack.A robust model for image⁃to⁃image attacks as a method for generating alternative data.On the standard testset,the replaced CIFAR(Canadian Institute For Advanced Research 10)dataset and CINIC dataset achieved 87.15%and 74.04%test accuracy on the image classification task.Experimental results show that the method is able to generate an alternative dataset to the original dataset while guaranteeing the privacy of the alternative dataset to humans,and guarantees the classification performance of existing methods on this dataset.

关 键 词：深度学习 隐私保护 计算机视觉 对抗攻击 对抗样本 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]