Security Consideration For Deep Learning-Based Image Forensics

03/29/2018 ∙ by Wei Zhao, et al. ∙ BEIJING JIAOTONG UNIVERSITY

Recently, the image forensics community has paid attention to the design of effective algorithms based on deep learning, and results have shown that combining the domain knowledge of image forensics with deep learning achieves more robust and better performance than traditional schemes. Instead of improving performance, this paper considers the safety of deep learning-based methods in the field of image forensics. To the best of our knowledge, this is the first work focusing on this topic. Specifically, we experimentally find that a method using deep learning fails when slight noise is added to the images (adversarial images). Furthermore, two kinds of strategies are proposed to enforce the security of deep learning-based methods. First, an extra penalty term is added to the loss function, namely the 2-norm of the gradient of the loss with respect to the input images; second, a novel training method is adopted that trains the model on a fusion of normal and adversarial images. Experimental results show that the proposed algorithm achieves good performance even on adversarial images and provides a safety consideration for deep learning-based image forensics.


1 Introduction

With the rapid development of network technology and the popularity of digital cameras, images have become an important information carrier. At the same time, with the widespread use of image editing tools, the authenticity and integrity of images are greatly challenged. Some people use these tools to tamper with images maliciously, which can have a series of negative impacts on society, especially in the fields of news, military, business and judicial expertise. For example, some attackers use tampered images for military or political purposes, which can cause a crisis of confidence. Digital image forensics technologies have therefore emerged to verify the authenticity of images.

In the past decade, a number of algorithms have been proposed in the image forensics community. In particular, methods based on deep learning play an important role due to their excellent performance. Yang [1] proposed the laplacian convolutional neural network to detect recaptured images. Kang [2] combined convolutional neural networks (CNN) and MFR to deal with median filtering forensics, and Tang [3] improved its performance using MFNet. For source camera identification, schemes using deep learning have also been proposed in these works [4-7]. Barni [8] used three kinds of CNN architecture (CNN in the pixel domain, CNN in the noise domain, and CNN embedding DCT histograms) to detect double JPEG compressed images. In addition, Bayar [9] presented a deep learning approach for universal image manipulation detection. Of special interest is that the above algorithms perform better than the traditional methods.

Despite the superior performance of deep learning-based methods, there lies a security threat: adversarial examples. According to the reports [10-15], a deep learning model can produce an erroneous output with high confidence for input data with slight added noise (adversarial examples). There have been no comments on this phenomenon so far from the image forensics community. However, the safety of deep learning methods should be considered, otherwise serious consequences will follow. For example, recaptured image forensics can effectively resist the face presentation attack. If deep learning-based recaptured image detection algorithms are easily misled by adversarial examples, the personal and property safety protected by face recognition systems will be threatened.

In this paper, focusing on the safety of deep learning-based image forensic algorithms, we first experimentally verify their vulnerability by adding noise to clean images. Specifically, two different methods of generating adversarial examples are considered: adding perturbation in the direction of the biggest change of the loss function, or in the direction of being classified as the least-likely class. It should be noted that, in order to simplify our discussion, the recaptured image forensic scheme based on the laplacian convolutional neural network, as a typical deep learning-based image forensic scheme, is taken into account in this work. Then, in order to resist the attack of adversarial examples, a penalty term is added to the loss function, which is the 2-norm of the gradient of the loss with respect to the input images, and a novel training method is adopted that trains the model on a fusion of normal and adversarial images. Experimental results show that the proposed method has the advantage of safety and achieves great performance for different methods of adding noise with random strength.

The rest of the paper is organized as follows. In Section 2, the structure of the laplacian convolutional neural network is briefly introduced. In Section 3, the vulnerability of deep learning-based methods to adversarial examples is explained and a safe CNN-based scheme to resist noise attacks is proposed. The experimental results are presented in Section 4, and conclusions are drawn in Section 5.

2 Previous Work

In this section we briefly introduce a deep learning-based recaptured image forensic algorithm [1] which achieved state-of-the-art performance. The architecture of that work includes two parts: a single enhancement layer and a general convolutional neural network structure. In the single enhancement layer, a laplacian filter is used to enhance the signal.

(1)

In the second part, the filtered images are fed into the first convolution unit, which includes a convolution layer, a batch normalization layer, a ReLU function and an average pooling layer. The latter four convolution units have the same composition as the first unit, with the only difference that the pooling layer in the fifth unit is replaced by global average pooling. Finally, a fully connected layer is used as the classification layer. In more detail, the kernel size of the convolution layer is with 1 step size, and the kernel size of the pooling layer is with 2 step size.

3 Proposed Method

Although image forensics schemes based on deep learning have achieved exceptional performance, there is still a serious drawback: images are likely to be misclassified if some noise is added to them in a particular way. In this section, the vulnerability of the deep learning-based image forensics algorithm is first experimentally verified. Then, two kinds of strategies that resist the noise attack effectively and increase the security of deep learning-based methods are presented.

3.1 Vulnerability Analysis of Deep Learning-Based Image Forensics


Figure 1: Explanation of the fast change direction

In Figure 1, suppose is the loss function and is a sample point that can be classified correctly. For a well-trained model, is a relatively small value. If a slight perturbation is added onto along a particular direction, the will become a larger value, which means the classification result will change with high probability.

According to the above idea, two specific methods of adding noise are used. For simplicity, the notations are as follows:

  • - A normal image example, the pixels values of which are integer numbers in the range [0,255].

  • - True class for an image

  • - An adversarial example generated by some method.

  • - Loss function that is used to train a neural network.

  • - Sign function.

  • - Clip function.

[Figure 2 panels, label pairs as extracted: (a) rec, org; (b) rec, org; (c) org, rec; (d) org, rec; (e) rec, rec; (f) rec, rec; (g) org, org; (h) org, org]
Figure 2: Adversarial examples generated by FGSM and their detection results using Yang’s and the proposed methods, respectively. (a) (b) (c) (d) are generated and detected with Yang’s model. (e) (f) (g) (h) are generated and detected with the proposed model.

The Fast Gradient Sign Method (FGSM) finds the direction by taking the partial derivatives of the loss with respect to the input image. By adding noise to the clean image examples along this direction, the loss changes the most and the probability of causing a misclassification is the highest.

(2)

Unlike FGSM, which uses the true label to compute the direction, the Least-Likely Class Method (LLCM) uses the predicted label of the well-trained model to compute the direction, aiming to make the noised images be classified as the least likely class.

(3)
(4)

Some adversarial examples generated using FGSM with are shown in Figure 2; the upper part shows adversarial examples generated by Yang’s model and the corresponding detection results. Here is the true label of each image, is the predicted label, and is the probability that the image is classified as the predicted label. It can be seen that the attack effect is so obvious that slight noise can lead to incorrect classification with high probability.

3.2 Secure Image Forensics Using Deep Learning


Figure 3: The architecture of Convolutional Neural Networks used in this work

To counter the threat of adversarial examples, we propose a secure deep learning method for image forensics. The architecture of our CNN model is shown in Figure 3. The main idea is to make the loss relatively smooth on the input images and their neighboring regions. First, a penalty term is added to the loss function, which is the 2-norm of the gradient of the loss with respect to the clean images. The loss function is shown in equation (5).

(5)

where, is the weight coefficient and is binary cross-entropy:

(6)

where is output of the last layer of the model.

This term constrains the loss to be relatively smooth, so that it does not change too much when the input changes slightly, which in turn means the predictions will not change significantly.

Moreover, a novel training strategy is applied by fusing adversarial examples and clean images together as the training set. The process is shown in Figure 4: for every mini-batch including clean images, the first images are taken out and noise is added to them. Then the remaining clean images and the noised examples are merged into a new mini-batch . When computing the loss of the new mini-batch, different weights are applied to the clean image loss and the adversarial image loss. The loss of one batch can be computed as:

(7)

where, is weight parameter. In our experiment, we empirically set =64, =32, and .

Note that for each step, only one method, FGSM, is used to generate adversarial examples with the loss of the current training phase. In order to ensure that the proposed method can withstand various degrees of attack, adversarial examples are generated using different strength which is chosen from a uniform distribution. By doing so, the model will converge to a point where the loss is a relatively small value whether the input is clean images or noised images. This means that the loss is relatively smooth in local neighborhoods of the training points.


Figure 4: The process of training the model

The second row in Figure 2 shows the adversarial examples generated by the proposed model using FGSM with and the corresponding detection results. It can be observed that the proposed method resists the adversarial examples’ attack effectively and makes a correct classification with high confidence.
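The two strategies of this section (the gradient-norm penalty and mixed clean/FGSM mini-batches with a uniformly drawn noise strength) can be exercised on a toy detector. This is an added sketch, not the authors' code: the logistic model, the constructed 16-pixel patches, the loss normalisation and the values `lam=5`, `alpha=0.3`, `eps_max=15` are assumptions standing in for the paper's CNN and its equations (5) and (7).

```python
import numpy as np

def bce_and_input_grad(w, b, X, y):
    """Per-image binary cross-entropy and its gradient w.r.t. the pixels."""
    p = 1.0 / (1.0 + np.exp(-((X / 255.0 - 0.5) @ w + b)))
    p = np.clip(p, 1e-9, 1 - 1e-9)
    loss = -(y * np.log(p) + (1 - y) * np.log(1 - p))
    return loss, (p - y)[:, None] * w[None, :] / 255.0

def fgsm(w, b, X, y, eps):
    """X_adv = Clip(X + eps * sign(dL/dX)), pixels kept in [0, 255]."""
    _, g = bce_and_input_grad(w, b, X, y)
    return np.clip(X + eps * np.sign(g), 0.0, 255.0)

def secure_loss(theta, Xc, yc, Xa, ya, lam, alpha):
    """Clean loss + lam * ||dL/dX||_2 on clean images + alpha * adversarial
    loss. The normalisation below is an assumption of this sketch."""
    w, b = theta[:-1], theta[-1]
    lc, gc = bce_and_input_grad(w, b, Xc, yc)
    la, _ = bce_and_input_grad(w, b, Xa, ya)
    total = lc.sum() + lam * np.linalg.norm(gc, axis=1).sum() + alpha * la.sum()
    return total / (len(Xc) + alpha * len(Xa))

def train(X, y, k, lam=5.0, alpha=0.3, eps_max=15.0, steps=200, lr=1.0, seed=0):
    """Each step: FGSM-perturb the first k images with a uniformly drawn
    strength, keep the rest clean, then descend the combined loss."""
    rng, theta, h = np.random.default_rng(seed), np.zeros(X.shape[1] + 1), 1e-5
    for _ in range(steps):
        idx = rng.permutation(len(X))
        Xb, yb = X[idx], y[idx]
        Xa = fgsm(theta[:-1], theta[-1], Xb[:k], yb[:k], rng.uniform(0, eps_max))
        args = (Xb[k:], yb[k:], Xa, yb[:k], lam, alpha)
        grad = np.array([(secure_loss(theta + h * e, *args)
                          - secure_loss(theta - h * e, *args)) / (2 * h)
                         for e in np.eye(len(theta))])  # numerical gradient
        theta = theta - lr * grad
    return theta

def accuracy(theta, X, y):
    """Fraction of images whose thresholded output matches the label."""
    z = (X / 255.0 - 0.5) @ theta[:-1] + theta[-1]
    return float(np.mean((z > 0) == (y > 0.5)))

def make_patches(n=64, d=16, seed=1):
    """Constructed stand-in data: class 1 ("rec") brighter than class 0."""
    rng = np.random.default_rng(seed)
    y = np.arange(n) % 2
    X = np.clip(rng.normal(100 + 55 * y[:, None], 10, (n, d)), 0, 255)
    return X, y.astype(float)
```

To compare settings of `lam` and `alpha`, evaluate `accuracy(theta, fgsm(theta[:-1], theta[-1], X, y, eps), y)` over a range of `eps` after training.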

4 Experiments

In this section, the vulnerability of the original deep learning scheme is first evaluated by adding noise to the clean images with two different methods. Then the safety performance of the proposed deep learning method against adversarial examples is checked.

The images used in our experiment are exactly the same as in the work [1]. Four groups of datasets with size of , , and are used. Each group has 10000 original images and 10000 recaptured images. Every group is then divided into training, validation and test sets in the proportion 40/10/50. The batch size is set to 64 and the number of iterations to 100k. The initial learning rate is 0.0001 and is multiplied by 0.9 every 10k iterations. The noise strength is chosen by a series of experiments. Some attacked images are given in Figure 5: (a) and (e) are clean images, (b) (c) (d) are adversarial images generated by FGSM with noise strength , , , respectively, and (f) (g) (h) are adversarial images generated by LLCM. It can be seen that the distortion of the images becomes ever more obvious as the noise intensity increases, while slight noise () is hard to observe. So the noise strength is chosen in the range of .

4.1 Experiment 1

In order to evaluate the vulnerability of Yang’s scheme to adversarial examples, we first train the laplacian convolutional neural network model with Yang’s algorithm and generate adversarial examples using the two methods on our test dataset, which includes 10000 images in one group of each size. The detection accuracy for clean images is shown in Table 1 and the classification accuracy for adversarial images is given in Table 2.

It can be seen from Table 2 that both methods are effective in attacking the model trained by the deep learning-based method. FGSM is slightly better than LLCM regardless of the image size, and there is a tendency that the bigger the image size, the smaller the gap between FGSM and LLCM. This is because LLCM uses the predicted result to compute the gradient direction instead of the true label, so a better attack effect is obtained when the model gives more accurate results. And it is shown in the work [1] that larger images get higher classification accuracy.

Another phenomenon that needs to be explained is that the attack effect does not always increase with the noise strength. We guess the reason is that the optimum point is crossed when a relatively large noise strength is used.

[Figure 5 panels: (a) Clean (=0), (b) FGSM (=5), (c) FGSM (=10), (d) FGSM (=15), (e) Clean (=0), (f) LLCM (=5), (g) LLCM (=10), (h) LLCM (=15)]
Figure 5: Visual effect of images under different attack strengths and different attack methods

4.2 Experiment 2

In this part, the attack effect of adversarial images on the proposed model is verified. For clean images, the proposed method does not affect the accuracy much. Table 1 gives the accuracy on clean images, which shows only a slight and acceptable decline compared with Yang’s.

Table 3 presents the detection accuracy for adversarial images generated with the two methods at different sizes. It can be seen that our method has a significant effect against adversarial examples.

Note that we only inject FGSM adversarial examples into our training set, so the proposed model resists FGSM noised examples very well. LLCM adversarial examples are generated in a different way, so the resistance is not as great as for FGSM.

 

image size
Yang 96.7% 98.2% 99.1% 99.4%
Prop 96.6% 98.1% 98.5% 99.0%

Table 1: The accuracy of clean images in different sizes

 

size method
FGSM 2.8% 0.9% 0.5% 0.6% 2.6%
TGSM 7.5% 5.7% 5.2% 5.3% 6.9%

FGSM 1.1% 0.2% 1.4% 4.9% 6.5%
TGSM 2.9% 2.0% 3.1% 6.1% 7.5%

FGSM 2.6% 3.6% 5.4% 7.5% 9.9%
TGSM 3.9% 4.9% 6.6% 8.6% 11.1%

FGSM 3.3% 1.6% 0.9% 0.7% 1.0%
TGSM 4.6% 2.8% 2.2% 1.9% 2.1%

Table 2: Detection Accuracy of Adversarial Images for Yang’s Method

 

size method
FGSM 93.6% 94.5% 96.1% 96.3% 95.9%
TGSM 90.0% 91.6% 93.0% 93.3% 93.0%

FGSM 95.9% 97.1% 97.8% 98.4% 98.7%
TGSM 94.5% 95.6% 96.2% 96.8% 97.1%

FGSM 97.4% 98.5% 98.8% 98.9% 98.6%
TGSM 94.3% 95.1% 95.3% 95.4% 95.2%

FGSM 99.2% 99.3% 99.3% 99.4% 99.3%
TGSM 98.1% 98.2% 98.3% 98.3% 98.2%

Table 3: Detection Accuracy of Adversarial Images for Proposed Method

5 Conclusions

Although many forensic methods based on deep learning have achieved state-of-the-art performance, they still have the defect of being vulnerable to adversarial examples. To counter this potential threat, we propose a secure deep learning forensic method in which a penalty term is added to the loss function and both normal and adversarial images are fused into the training set. The effectiveness of the proposed scheme is evaluated by a set of experiments using four different image sizes and two different methods of generating adversarial examples with a series of noise strengths. Experimental results show that the proposed scheme effectively resists the attack of adversarial examples.

Acknowledgments

This work was supported in part by National NSF of China (61672090, 61332012), the National Key Research and Development of China (2016YFB0800404), Fundamental Research Funds for the Central Universities (2015JBZ002, 2017YJS054). We greatly acknowledge the support of NVIDIA Corporation with the donation of the GPU used for this research.

References