With the rapid development of network technology and the popularity of digital cameras, images have become an important information carrier. At the same time, with the widespread use of image editing tools, the authenticity and integrity of images are greatly challenged. Some people use these tools to tamper with images maliciously, which can have a series of negative impacts on society, especially in the fields of news, military, business and judicial expertise. For example, some attackers use tampered images for military or political purposes, which can cause a crisis of confidence. Digital image forensics technologies have therefore emerged to verify the authenticity of images.
In the past decade, a number of algorithms have been proposed in the image forensics community. In particular, methods based on deep learning play an important role due to their excellent performance. Yang proposed Laplacian convolutional neural networks to detect recaptured images. Kang combined convolutional neural networks (CNN) and MFR to deal with median filtering forensics, and Tang improved its performance using MFNet. For source camera identification, schemes using deep learning have also been proposed in several works [4-7]. Barni used three kinds of CNN architecture to detect double JPEG compressed images: a CNN in the pixel domain, a CNN in the noise domain, and a CNN embedding DCT histograms. In addition, Bayar presented a deep learning approach for universal image manipulation detection. Of special interest is that the above algorithms perform better than the traditional methods.
Despite the superior performance of deep learning-based methods, there lies a security threat: adversarial examples. According to the reports [10-15], a deep learning model can produce a wrong output with high confidence for input data to which slight noise has been added (adversarial examples). So far there have been no comments on this phenomenon from the image forensics community. However, the safety of deep learning methods should be considered, otherwise serious consequences will follow. For example, recaptured image forensics can effectively resist the face presentation attack. If deep learning-based recaptured image detection algorithms are easily misled by adversarial examples, the personal and property safety protected by face recognition systems will be threatened.
In this paper, focusing on the safety of deep learning-based image forensic algorithms, we first experimentally verify their vulnerability by adding noise to clean images. Specifically, two different methods of generating adversarial examples are used: adding perturbation in the direction of the biggest change of the loss function, or in the direction of being classified as the least-likely class. Note that, to simplify the discussion, the recaptured image forensic scheme based on the Laplacian convolutional neural network is taken as a typical deep learning-based image forensic scheme in this work. Then, to resist the attack of adversarial examples, a penalty term is added to the loss function, which is the 2-norm of the gradient of the loss with respect to the input images, and a novel training method is adopted that trains the model on a fusion of normal and adversarial images. Experimental results show that the proposed method is secure and achieves great performance under different methods of adding noise with random strength.
The rest of the paper is organized as follows. In Section 2, the structure of the Laplacian convolutional neural network is briefly introduced. In Section 3, the vulnerability of deep learning-based methods to adversarial examples is explained and a safe CNN-based scheme to resist noise attacks is proposed. Experimental results are presented in Section 4, and conclusions are drawn in Section 5.
2 Previous Work
In this section we briefly introduce a deep learning-based recaptured image forensic algorithm which achieved state-of-the-art performance. The architecture of that work includes two parts: a single enhancement layer and a general convolutional neural network structure. In the single enhancement layer, a Laplacian filter is used to enhance the signal.
In the second part, the filtered images are fed into the first convolution unit, which includes a convolution layer, a batch normalization layer, a ReLU function and an average pooling layer. The latter four convolution units have the same composition as the first unit, with the only difference that the pooling layer in the fifth unit is replaced by global average pooling. Finally, a fully connected layer is used as the classification layer. In more detail, the kernel size of the convolution layer is with 1 step size, and the kernel size of the pooling layer is with 2 step size.
3 Proposed Method
Although image forensics schemes based on deep learning have achieved exceptional performance, there is still a serious drawback: images are likely to be misclassified if some noise is added to them in a particular way. In this section, the vulnerability of the deep learning-based image forensics algorithm is first verified experimentally. Then, two strategies that resist noise attacks effectively and so increase the security of deep learning-based methods are presented.
3.1 Vulnerability Analysis of Deep Learning-Based Image Forensics
In Figure 1, suppose is the loss function and is a sample point that can be classified correctly. For a well-trained model, is a relatively small value. If a slight perturbation is added onto along a particular direction, the will become a larger value, which means the classification result will change with high probability.
According to the above idea, two specific methods of adding noise are used. For simplicity, the notations are as follows:
- A normal image example, the pixel values of which are integers in the range [0,255].
- True class for an image.
- An adversarial example generated by some method.
- Loss function used to train a neural network.
- Sign function.
- Clip function.
The Fast Gradient Sign Method (FGSM) finds the direction by taking the partial derivatives of the loss with respect to the input image. When noise is added to the clean image examples along this direction, the loss changes the most and the probability of a misclassification is the highest.
Unlike FGSM, which uses the true label to compute the direction, the Least-Likely Class Method (LLCM) uses the label predicted by the well-trained model to compute the direction, in the hope that the noised images will be classified as the least likely class.
Some adversarial examples generated using FGSM with are shown in Figure 2; the upper part shows adversarial examples generated by Yang’s model and the corresponding detection results. Here is the true label of each image, is the predicted label, and is the probability that the image is classified as the predicted label. It can be seen that the attack effect is so obvious that slight noise can lead to incorrect classification with high probability.
3.2 Secure Image Forensics Using Deep Learning
To counter the threat of adversarial examples, we propose a secure deep learning method for image forensics. The architecture of our CNN model is shown in Figure 3. The main idea is to make the loss relatively smooth on the input images and their neighboring regions. First, a penalty term is added to the loss function, which is the 2-norm of the gradient of the loss with respect to clean images. The loss function is shown in equation (5).
where, is the weight coefficient and is binary cross-entropy:
where is output of the last layer of the model.
This term constrains the loss to be relatively smooth, so that it does not change too much when the input changes slightly, which means that predictions will not change significantly.
Moreover, a novel training strategy is applied that fuses adversarial examples and clean images together as the training set. The process is shown in Figure 4: for every mini-batch including clean images, the first images are taken out and noise is added to them. Then the remaining clean images and the noised examples are merged into a new mini-batch . When computing the loss of the new mini-batch, different weights are applied to the clean image loss and the adversarial image loss. The loss of one batch can be computed:
where is the weight parameter. In our experiment, we empirically set =64, =32, and .
Note that at each step only one method, FGSM, is used to generate adversarial examples, with the loss of the current training phase. To ensure that the proposed method can withstand attacks of various degrees, adversarial examples are generated using a different strength which is chosen from a uniform distribution. By doing so, the model will converge to a point where the loss is a relatively small value whether the input is clean images or noised images. This is equivalent to the loss being relatively smooth in local neighborhoods of training points.
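The training loss described in this section, sketched as an added example (not the authors' code) on a logistic stand-in model whose input gradient has a closed form. The function names, the constructed data, the symbols `c`, `lam` and `eps_max`, and the exact weighting of clean and adversarial losses are assumptions, since the paper's equations are not reproduced on this page.

```python
import math
import random

def predict(w, b, x):
    """Probability of class 1 under a logistic stand-in for the CNN."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-z))

def bce(p, y):
    """Binary cross-entropy for one sample, clamped away from log(0)."""
    p = min(max(p, 1e-12), 1.0 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))

def input_grad(w, b, x, y):
    """Gradient of the BCE loss w.r.t. the input; (p - y) * w for this model."""
    p = predict(w, b, x)
    return [(p - y) * wi for wi in w]

def fgsm(x, grad, eps):
    """One step of size eps along sign(grad), clipped to pixel range [0, 255]."""
    return [min(255.0, max(0.0, xi + eps * ((g > 0) - (g < 0))))
            for xi, g in zip(x, grad)]

def penalized_loss(w, b, x, y, c):
    """BCE plus c times the 2-norm of the input gradient (assumed form)."""
    g = input_grad(w, b, x, y)
    return bce(predict(w, b, x), y) + c * math.sqrt(sum(gi * gi for gi in g))

def mixed_batch_loss(w, b, batch, k, lam, c, eps_max, rng):
    """Mini-batch loss with the first k samples replaced by FGSM examples of
    uniformly drawn strength; adversarial losses weighted by lam (assumed)."""
    clean = adv = 0.0
    for i, (x, y) in enumerate(batch):
        if i < k:
            x_adv = fgsm(x, input_grad(w, b, x, y), rng.uniform(0.0, eps_max))
            adv += bce(predict(w, b, x_adv), y)
        else:  # gradient penalty is taken on clean images only
            clean += penalized_loss(w, b, x, y, c)
    return (clean + lam * adv) / ((len(batch) - k) + lam * k)

# Constructed data: four "pixels" per sample, label 1 = recaptured.
W, B = [0.02, -0.01, 0.015, -0.02], -0.5
BATCH = [([200.0, 40.0, 180.0, 30.0], 1), ([30.0, 210.0, 20.0, 190.0], 0),
         ([190.0, 60.0, 170.0, 50.0], 1), ([50.0, 180.0, 40.0, 200.0], 0)]

if __name__ == "__main__":
    rng = random.Random(0)
    print("clean-only loss:", mixed_batch_loss(W, B, BATCH, 0, 0.3, 0.1, 8.0, rng))
    print("mixed loss:     ", mixed_batch_loss(W, B, BATCH, 2, 0.3, 0.1, 8.0, rng))
```

Minimising this quantity over the model parameters keeps the loss low both at the clean training points and at perturbed points drawn from their neighbourhood.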
The second row of Figure 2 shows the adversarial examples generated by the proposed model using FGSM with and the corresponding detection results. It can be observed that the proposed method resists the attack of the adversarial examples effectively and makes a correct classification with high confidence.
In this section, the vulnerability of the original deep learning scheme is first evaluated by adding noise to the clean images with two different methods. Then the safety performance of the proposed deep learning method against adversarial examples is checked.
The images used in our experiment are exactly the same as the work . Four groups of datasets with size of , , and are used. Each group has 10000 original images and 10000 recaptured images. Every group is then divided into training set, validation set and test set in the proportion 40/10/50. The batch size is set to 64 and the number of iterations to 100k. The initial learning rate is 0.0001 and decays to 0.9 times its value every 10k iterations. The noise strength is chosen by a series of experiments. Some attacked images are given in Figure 5: (a) and (e) are clean images, (b) (c) (d) are adversarial images generated by FGSM with noise strength , , , respectively, and (d) (e) (f) are adversarial images generated by LLCM. It can be seen that the distortion of the images becomes ever more obvious as the noise intensity increases, while slight noise () is hard to observe. So the noise strength is chosen in the range of .
4.1 Experiment 1
To evaluate the vulnerability of Yang’s scheme to adversarial examples, we first train the Laplacian convolutional neural network model with Yang’s algorithm and generate adversarial examples using the two methods on our test dataset, which includes 10000 images in one group of each size. The detection accuracy for clean images is shown in Table 1 and the classification accuracy for adversarial images is given in Table 2.
It can be seen from Table 2 that both methods are effective in attacking the model trained by the deep learning-based method. FGSM is slightly better than LLCM regardless of the image size. There is also a tendency that the bigger the image size, the smaller the gap between FGSM and LLCM. This is because LLCM uses the predicted result rather than the true label to compute the gradient direction, so a better attack effect is achieved when the model gives more accurate results. And it is shown in the work that larger images get higher classification accuracy.
Another phenomenon that needs to be explained is that the attack effect does not always rise with the increase in noise strength. We guess the reason is that the optimum point is crossed when a relatively large noise strength is used.
4.2 Experiment 2
In this part, the attack effect of adversarial images on the proposed model is verified. For clean images, the proposed method does not affect the accuracy much. Table 1 displays the accuracy on clean images, which shows only a slight and acceptable decline compared with Yang’s.
Table 3 presents the detection accuracy for adversarial images of different sizes generated with the two methods. It can be seen that our method has a significant effect against adversarial examples.
Note that we only inject FGSM adversarial examples into our training set, so the proposed model resists FGSM noised examples very well. LLCM adversarial examples are generated in a different way, so the resistance is not as great as for FGSM.
Although many forensic methods based on deep learning have achieved state-of-the-art performance, they still have the defect that they are vulnerable to adversarial examples. To counter this potential threat, we propose a secure deep learning forensic method in which a penalty term is added to the loss function and both normal images and adversarial images are fused into the training set. The effectiveness of the proposed scheme is evaluated by a set of experiments using four different image sizes and two different methods of generating adversarial examples with a series of noise strengths. Experimental results show that the proposed scheme is effective in resisting the attack of adversarial examples.
This work was supported in part by National NSF of China (61672090, 61332012), the National Key Research and Development of China (2016YFB0800404), Fundamental Research Funds for the Central Universities (2015JBZ002, 2017YJS054). We greatly acknowledge the support of NVIDIA Corporation with the donation of the GPU used for this research.
-  Yang, Pengpeng, Rongrong Ni, and Yao Zhao, Recapture image forensics based on laplacian convolutional neural networks. International Workshop on Digital Watermarking. Springer, Cham, 2016.
-  Jiansheng Chen, Xiangui Kang, Ye Liu, and Z. Jane Wang, Median filtering forensics based on convolutional neural networks. IEEE Signal Processing Letters, 2015, 22(11): 1849-1853.
-  Hongshen Tang, Rongrong Ni, Yao Zhao, Xiaolong Li, Median filtering detection of small-size image based on CNN. Journal of Visual Communication and Image Representation, 2018, 51: 162-168.
-  Luca Bondi, Luca Baroffio, David Güera, Paolo Bestagini, Edward J. Delp, and Stefano Tubaro, First Steps Toward Camera Model Identification With Convolutional Neural Networks. IEEE Signal Processing Letters, 2017, 24(3): 259-263.
-  Amel Tuama, Frédéric Comby, and Marc Chaumont, Camera model identification with the use of deep convolutional neural networks. Information Forensics and Security (WIFS), 2016 IEEE International Workshop on. IEEE, 2016: 1-6.
-  Luca Bondi, David Güera, Luca Baroffio, Paolo Bestagini, Edward J. Delp, and Stefano Tubaro. A preliminary study on convolutional neural networks for camera model identification. Electronic Imaging, 2017, 2017(7): 67-76.
-  Pengpeng Yang, Rongrong Ni, Yao Zhao, and Wei Zhao, Source camera identification based on content-adaptive fusion residual networks. Pattern Recognition Letters, 2017.
-  M. Barni, L. Bondi, N. Bonettini, P. Bestagini, A. Costanzo, M. Maggini, B. Tondi, and S. Tubaro, Aligned and non-aligned double JPEG detection using convolutional neural networks. Journal of Visual Communication and Image Representation, 2017, 49: 153-163.
-  Bayar B, Stamm M C. A deep learning approach to universal image manipulation detection using a new convolutional layer. Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security. ACM, 2016: 5-10.
-  Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus, Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
-  Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy, Explaining and harnessing adversarial examples. CoRR, abs/1412.6572, 2014. URL http://arxiv.org/abs/1412.6572.
-  Nicolas Papernot, Patrick Drew McDaniel, Ian J. Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami, Practical black-box attacks against deep learning systems using adversarial examples. CoRR, abs/1602.02697, 2016a. URL http://arxiv.org/abs/1602.02697.
-  Nicolas Papernot, Patrick Drew McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami, Distillation is a defense to adversarial perturbations against deep neural networks. CoRR, abs/1511.04508, 2015. URL http://arxiv.org/abs/1511.04508.
-  Kurakin, Alexey, Ian Goodfellow, and Samy Bengio, Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236, 2016.
-  Ross A S, Doshi-Velez F, Improving the Adversarial Robustness and Interpretability of Deep Neural Networks by Regularizing their Input Gradients. arXiv preprint arXiv:1711.09404, 2017.