VGAN-Based Image Representation Learning for Privacy-Preserving Facial Expression Recognition

Reliable facial expression recognition plays a critical role in human-machine interactions. However, most of the facial expression analysis methodologies proposed to date pay little or no attention to the protection of a user's privacy. In this paper, we propose a Privacy-Preserving Representation-Learning Variational Generative Adversarial Network (PPRL-VGAN) to learn an image representation that is explicitly disentangled from the identity information. At the same time, this representation is discriminative from the standpoint of facial expression recognition and generative as it allows expression-equivalent face image synthesis. We evaluate the proposed model on two public datasets under various threat scenarios. Quantitative and qualitative results demonstrate that our approach strikes a balance between the preservation of privacy and data utility. We further demonstrate that our model can be effectively applied to other tasks such as expression morphing and image completion

Adversarial Learning of Privacy-Preserving and Task-Oriented Representations

Data privacy has emerged as an important issue as data-driven deep learning has been an essential component of modern machine learning systems. For instance, there could be a potential privacy risk of machine learning systems via the model inversion attack, whose goal is to reconstruct the input data from the latent representation of deep networks. Our work aims at learning a privacy-preserving and task-oriented representation to defend against such model inversion attacks. Specifically, we propose an adversarial reconstruction learning framework that prevents the latent representations decoded into original input data. By simulating the expected behavior of adversary, our framework is realized by minimizing the negative pixel reconstruction loss or the negative feature reconstruction (i.e., perceptual distance) loss. We validate the proposed method on face attribute prediction, showing that our method allows protecting visual privacy with a small decrease in utility performance. In addition, we show the utility-privacy trade-off with different choices of hyperparameter for negative perceptual distance loss at training, allowing service providers to determine the right level of privacy-protection with a certain utility performance. Moreover, we provide an extensive study with different selections of features, tasks, and the data to further analyze their influence on privacy protection

민감 정보 전이를 이용한 안전한 이미지 인코딩 변환

학위논문(석사) -- 서울대학교대학원 : 공과대학 컴퓨터공학부, 2022. 8. 장병탁.Local Differential Privacy (LDP) is a widely accepted mathematical notion of privacy that guarantees a quantified privacy budget on sensitive data. However, it is difficult to apply LDP algorithms to unstructured data such as images since the fundamental mechanism underlying in many LDP algorithms, Randomized Response (RR), is suited for structured, tabular data. In this paper, we propose a novel task-agnostic LDP framework that preserves the privacy of selected sensitive attributes in an image representation while conserving other visual aspects. Our framework includes an adversarially trained transition model that portrays the RR mechanism, allowing it to be easily utilized in other LDP algorithms. We provide strict description of the problem formulation, and show how our model can prevent attacks from a potential adversary trying to obtain the sensitive information. Our experimental results verify that the proposed framework outperforms baseline models in protecting sensitive attributes with minimal performance loss in arbitrary downstream tasks.지역적 차등 정보 보안(Local Differntial Privacy, 이하 LDP)은 널리 알려진 보안에 대한 엄밀한 수학적 정의로, 민감한 데이터에 관해 정량화된 강력한 정보 보안을 보장한다. 하지만 LDP를 이루는 근본적인 메커니즘인 무작위 응답(Randomized Response, 이하 RR)은 테이블 데이터와 같은 구조화된 데이터를위해 만들어졌으므로 널리 알려진 LDP 알고리즘들은 이미지와 같은 비구조화된 데이터에는 적용하기 어렵다는 단점이 있다. 본 연구에서는 해당 단점을 보완하기 위해 이미지 인코딩 상에서 다른 시각적 특징들은 유지하면서 선택된 민감한 정보들의 보안을 유지하는 LDP 프레임워크를 제안한다. 제안된 프레임워크는 적대적 학습을 통해 생성된 전이 모델을 이용해 RR 메커니즘을 모사함으로써 다른 LDP 알고리즘들에도 쉽게 적용이 가능하다는 장점이 있다. 본 논문에서는 문제 상황을 엄밀히 정의하고 제안된 프레임워크가 민감 정보를 탈취하려는 목적을 가진 잠재적 적대자로부터 정보를 보호할 수 있다는 것을 입증한다. 또한 본 논문에서는 실험적 결과를 통해 제안된 모델이 다른 기존 모델들에 비해 데이터의 잠재적인 미래 작업들에 최대한 영향을 적게 끼치면서 정보를 보호할 수 있다는 것을 보인다.1 Introduction 1 1.1 Introduction 1 2 Related Works 5 2.1 Privacy-Preserving Machine Learning 5 2.2 Differential Privacy 6 3 Problem Formulation 9 4 Method 11 4.1 Attribute Inference Attack of the Adversary 11 4.1.1 Differential distance learning 13 4.2 Task-agnostic attribute transition model 15 4.2.1 GAN Architecture 15 4.2.2 Distributional Transition Loss 16 4.2.3 Unsensitive attribute preservation 19 4.3 Local Differentially Private Image Representation Transition Framework 20 5 Experimental Results 21 5.1 Experimental Setup 21 5.2 Multi-Label Classification 21 5.2.1 Sensitive attribute transition evaluation 23 5.3 Evaluation on Other Attributes 26 5.4 Qualitative Results 28 5.5 Experiment on CheXpert dataset 31 6 Conclusion 32 Bibliography 33 초 록 39석

Privacy Enhanced Multimodal Neural Representations for Emotion Recognition

Many mobile applications and virtual conversational agents now aim to recognize and adapt to emotions. To enable this, data are transmitted from users' devices and stored on central servers. Yet, these data contain sensitive information that could be used by mobile applications without user's consent or, maliciously, by an eavesdropping adversary. In this work, we show how multimodal representations trained for a primary task, here emotion recognition, can unintentionally leak demographic information, which could override a selected opt-out option by the user. We analyze how this leakage differs in representations obtained from textual, acoustic, and multimodal data. We use an adversarial learning paradigm to unlearn the private information present in a representation and investigate the effect of varying the strength of the adversarial component on the primary task and on the privacy metric, defined here as the inability of an attacker to predict specific demographic information. We evaluate this paradigm on multiple datasets and show that we can improve the privacy metric while not significantly impacting the performance on the primary task. To the best of our knowledge, this is the first work to analyze how the privacy metric differs across modalities and how multiple privacy concerns can be tackled while still maintaining performance on emotion recognition.Comment: 8 page

Survey: Leakage and Privacy at Inference Time

Leakage of data from publicly available Machine Learning (ML) models is an area of growing significance as commercial and government applications of ML can draw on multiple sources of data, potentially including users' and clients' sensitive data. We provide a comprehensive survey of contemporary advances on several fronts, covering involuntary data leakage which is natural to ML models, potential malevolent leakage which is caused by privacy attacks, and currently available defence mechanisms. We focus on inference-time leakage, as the most likely scenario for publicly available models. We first discuss what leakage is in the context of different data, tasks, and model architectures. We then propose a taxonomy across involuntary and malevolent leakage, available defences, followed by the currently available assessment metrics and applications. We conclude with outstanding challenges and open questions, outlining some promising directions for future research