Abstract
To integrate privacy protection, copyright protection and integrity protection for images, this paper proposes an adversarial embedding method for the compressed domain based on similar-codeword substitution. The method belongs to the emerging field at the intersection of adversarial attack and data hiding: the meaningless noise artificially added in traditional adversarial attack methods is replaced with meaningful secret information. The adversarial embedding image is misclassified, which prevents attackers from using neural network classification models to capture images of a specific category in massive cloud databases and thus realizes privacy protection; at the same time, the hidden secret information can be extracted completely from the adversarial embedding image, which realizes copyright protection. The attack target is the compressed form of the image, the vector quantization (VQ) index; during the attack, an index is replaced by a different similar codeword index to embed the secret information, achieving double protection of the image at a high compression ratio. A genetic algorithm is used to optimize the similar-index perturbation, which effectively reduces the probability of the true label and misleads the model output. Experimental results on the CIFAR-10 test dataset with three classic network classification models (ResNet, NIN, VGG16) show that the proposed adversarial embedding method causes 90.83% of images to be misclassified with an average confidence of 85.44%, while the embedding capacity reaches 0.75 bpp.
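The abstract states that secret bits are carried by replacing a VQ index with the index of a similar codeword and can be extracted completely. The following is an added illustration, not the paper's code: it assumes a simple fixed partition of a sorted toy codebook into groups of mutually similar codewords, where the embedded bit chunk selects the group member, so the extractor only needs the codebook (the paper's adversarial, genetic-algorithm-driven choice of perturbation is not modelled).

```python
# Added example (not the paper's code): VQ index embedding by similar-codeword
# substitution. Assumption: the codebook is sorted and split into groups of
# 2**BITS similar codewords; the next BITS secret bits select which member of
# the original index's group replaces it. Extraction needs only the partition.
import math
import random

BITS = 2                       # secret bits embedded per VQ index (group size 4)
GROUP = 1 << BITS

def make_codebook(size=16, dim=4, seed=1):
    # Constructed toy codebook, sorted by mean so neighbouring codewords are similar.
    rng = random.Random(seed)
    cb = [[rng.uniform(0, 255) for _ in range(dim)] for _ in range(size)]
    return sorted(cb, key=lambda v: sum(v) / dim)

def nearest_index(block, codebook):
    # Plain VQ encoding: index of the codeword closest to the pixel block.
    return min(range(len(codebook)), key=lambda i: math.dist(block, codebook[i]))

def embed(indexes, bits):
    # Replace each index by the member of its similarity group selected by the
    # next BITS secret bits; indexes beyond the message are left untouched.
    if len(bits) % BITS:
        raise ValueError("secret length must be a multiple of BITS")
    out, pos = [], 0
    for idx in indexes:
        if pos < len(bits):
            sel = int(bits[pos:pos + BITS], 2)
            out.append((idx // GROUP) * GROUP + sel)
            pos += BITS
        else:
            out.append(idx)
    if pos < len(bits):
        raise ValueError("not enough indexes to carry the secret")
    return out

def extract(stego_indexes, nbits):
    # The position inside the group is the embedded chunk; no cover needed.
    bits = "".join(format(i % GROUP, f"0{BITS}b") for i in stego_indexes)
    return bits[:nbits]

def max_substitution_distance(indexes, stego_indexes, codebook):
    # Worst-case per-block distortion introduced by the substitution.
    return max(math.dist(codebook[a], codebook[b])
               for a, b in zip(indexes, stego_indexes))
```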
Authors
Fan Haiju (范海菊), Qin Xiaona (秦小娜), Li Ming (李名)
College of Computer and Information Engineering, Henan Normal University, Xinxiang 453007, China; Key Laboratory of Artificial Intelligence and Personalized Learning in Education of Henan Province, Xinxiang 453007, China
Source
Journal of Nanjing University (Natural Science) (《南京大学学报(自然科学版)》)
Indexed in: CAS; CSCD; Peking University Core Journal (北大核心)
2023, No. 4, pp. 644-659 (16 pages)
Funding
Henan Province Science and Technology Research Program (222102210029)
Key Scientific Research Project of Higher Education Institutions of Henan Province (23A520009)
Keywords
adversarial attack; neural network; vector quantization; information security