Secure Object Detection Based on Deep Learning

Keonhyeong Kim* and Im Young Jung*

Abstract: Applications of object detection are expanding as the task is automated by artificial intelligence (AI)-based processing, such as deep learning, over large volumes of images and videos. Deep learning has two common characteristics: a high dependence on training data and a non-transparent way of reaching its answers. Attacks on training data and on trained models have emerged that exploit exactly these characteristics. Because deep learning enables object recognition in images and videos, the privacy, integrity, and robustness of the extracted information become important security issues. This paper summarizes the security issues that need to be addressed for future applications and analyzes state-of-the-art security studies related to the robustness, privacy, and integrity of object detection for images and videos.

Keywords: Deep Learning, Integrity, Object Detection, Privacy, Robustness

1. Introduction

Object detection is a well-known AI-based technique that applies deep learning as an automated process for analyzing large volumes of images and videos. Object detection stochastically locates instances of certain classes of semantic objects, such as vehicles, pathological tumors, and people, in digital images and videos [1]. It is also used for tracking, for example following the movement of objects or of persons in a video [2]: each person, car, or pathological tumor is detected in an image and then tracked across the video. Sensitive information can therefore be extracted from image and video data through AI-based processing. Personal movements, human faces, and personal illnesses analyzed and extracted from images and videos are all personal information that must be protected.
Not only the security of the data itself but also the security of the AI-based processing and of the extracted information must be considered. The security of the AI-based approach becomes correspondingly important as it is, and will be, used in many object detection applications. This paper summarizes the security issues that need to be addressed and analyzes state-of-the-art security research on object detection. The contributions of this paper are as follows: (1) We analyze the security threats identified by cutting-edge research, since the AI-based approach to detecting objects raises new security concerns. (2) We introduce recent studies that protect privacy, integrity, and robustness, and assess the current state of research on secure object detection. (3) We summarize the security issues that remain to be addressed. Checking the remaining issues is important because many of them arrived together with the new AI-based approach, such as deep learning.

This paper is organized as follows. The security threats to AI-based approaches for detecting objects in images and videos are discussed in Section 2. Section 3 analyzes recent approaches for defending against these threats. The security issues that still need to be addressed are outlined in Section 4, and Section 5 concludes the paper.

2. Security Threats of Object Detection

The deep learning-based approach has the following features. First, deep learning relies heavily on data, in particular on the training set. Second, it is not easy to identify how the decision rules were formed during training. Security vulnerabilities affecting robustness and integrity arise from these two characteristics. In addition, the privacy of the information extracted by deep learning, and of the data it processes, must be protected. This section discusses the security threats to AI-based approaches for detecting objects in images and videos. Table 1 lists the possible security attacks on object detection based on deep learning.

Table 1. Possible security attacks on object detection based on deep learning
It is interesting to note that adversarial examples transfer between different deep neural network (DNN) architectures: an adversarial example generated for one model is often misclassified by another model as well [3]. Such transferable adversarial examples can seriously interfere with deep learning applications.

The architecture of a deep neural network is shown in Fig. 1. A DNN is made up of consecutive layers of neurons; the layers are connected by weight vectors $$\theta_{F}$$ up to an output layer, and these weights encode how the network responds to new, previously unseen inputs. Adversaries can alter samples so that they are misclassified by a DNN; some examples are illustrated in Fig. 2, and the adversarial crafting process is shown in Fig. 3.

Transferability can be used for black-box attacks [4,5]. Black-box means that the learning model, or the data set, is unknown to the attacker. In the black-box setting of Papernot et al. [4,5], the attacker controls the training and test sets it uses but does not know the training process; in Liu et al. [3], the attacker knows neither the training data, the training process, nor even the test labels. Query-based attacks [6-8] instead issue adaptive queries to the black-box model to recover information such as the algorithm, the training data distribution, and the hyperparameters of the fully trained model, and then mount white-box attacks on the reconstructed model; with enough information to simulate the neural network, these attacks can have critical consequences.

In a data poisoning attack [9-12], the attacker contaminates the training data to steer the model. As shown in Fig. 4, injecting bad data into the model's training pool moves the decision boundary from position 1 to position 2 through a change in a single training sample, without changing that sample's class label. Attack models in which the attacker contaminates a batch training set are given in Burkard and Lagesse [10], Chen and Zhu [11], and Li et al. [12].
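The two threats described in this section, evasion through a small perturbation of a test input (the adversarial crafting of Fig. 3) and poisoning through a single altered training sample (Fig. 4), as an added example that is not code from this paper or from the cited works: a one-neuron logistic-regression "network" trained by gradient descent on a constructed two-dimensional dataset stands in for a DNN, so that the gradient is exact where a DNN would obtain it by backpropagation. The fast gradient sign method of Goodfellow et al. [17] is applied as stated there; the dataset, the probe points, the relocated poison coordinates and the helper `min_flip_eps` are assumptions chosen for illustration.

```python
"""Evasion (FGSM) and data poisoning against a one-neuron classifier.

Added example, pure Python (no third-party packages).  A logistic-regression
"network" (a single sigmoid neuron) trained by batch gradient descent on a
constructed 2-D dataset stands in for a DNN.
"""
import math
from typing import Dict, List, Sequence, Tuple

Vector = List[float]
Sample = Tuple[Vector, int]

# Constructed training set: label 1 in the upper right, label 0 an exact
# mirror image in the lower left (so the clean bias term stays ~0).
CLEAN_TRAIN: List[Sample] = [
    ([2.0, 1.0], 1), ([1.0, 2.0], 1), ([2.0, 2.0], 1), ([1.5, 0.5], 1),
    ([-2.0, -1.0], 0), ([-1.0, -2.0], 0), ([-2.0, -2.0], 0), ([-1.5, -0.5], 0),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def logit(w: Vector, b: float, x: Sequence[float]) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def train(data: List[Sample], epochs: int = 2000, lr: float = 0.1):
    """Batch gradient descent on cross-entropy; returns the weights and bias."""
    dim = len(data[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * dim, 0.0
        for x, y in data:
            err = sigmoid(logit(w, b, x)) - y      # dLoss/dz for cross-entropy
            for i in range(dim):
                grad_w[i] += err * x[i]
            grad_b += err
        n = len(data)
        w = [wi - lr * g / n for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / n
    return w, b


def predict(w: Vector, b: float, x: Sequence[float]) -> int:
    return 1 if logit(w, b, x) > 0 else 0


def fgsm(w: Vector, b: float, x: Sequence[float], y: int, eps: float) -> Vector:
    """Fast gradient sign method: x_adv = x + eps * sign(dLoss/dx).
    For this model dLoss/dx = (p - y) * w, so every coordinate moves by
    exactly eps in the direction that raises the loss on the true label."""
    err = sigmoid(logit(w, b, x)) - y
    signs = [(err * wi > 0) - (err * wi < 0) for wi in w]
    return [xi + eps * s for xi, s in zip(x, signs)]


def min_flip_eps(w: Vector, b: float, x: Sequence[float]) -> float:
    """Smallest L-infinity budget that drives a linear scorer's logit to zero:
    |w.x + b| / ||w||_1.  The logit shifts by eps * sum|w_i|, which grows with
    the input dimension; in image space an invisible per-pixel change is
    enough, even though in 2-D the same ratio looks large."""
    return abs(logit(w, b, x)) / sum(abs(wi) for wi in w)


def evasion_demo(x: Sequence[float] = (1.5, 1.5)) -> Dict[str, object]:
    """Train on clean data, then flip the prediction for one test point."""
    w, b = train(CLEAN_TRAIN)
    y = predict(w, b, x)
    eps = 1.05 * min_flip_eps(w, b, x)      # just over the minimal budget
    x_adv = fgsm(w, b, x, y, eps)
    return {"clean_label": y, "adv_label": predict(w, b, x_adv),
            "eps": eps, "adv_input": x_adv}


def poison_train_set(data: List[Sample], index: int, new_x: Sequence[float]) -> List[Sample]:
    """Fig. 4-style poisoning: move ONE sample's features, keep its label."""
    poisoned = list(data)
    _, y = poisoned[index]
    poisoned[index] = (list(new_x), y)
    return poisoned


def diagonal_intercept(w: Vector, b: float) -> float:
    """Point t where the decision boundary crosses the line x1 == x2 (2-D)."""
    return -b / (w[0] + w[1])


def poisoning_demo(probe: Sequence[float] = (0.5, 0.5)) -> Dict[str, float]:
    """Compare the clean model with one trained after a single label-0
    sample is relocated deep inside the label-1 region (label unchanged)."""
    cw, cb = train(CLEAN_TRAIN)
    pw, pb = train(poison_train_set(CLEAN_TRAIN, 6, [1.5, 1.5]))
    return {"clean_prob": sigmoid(logit(cw, cb, probe)),
            "poisoned_prob": sigmoid(logit(pw, pb, probe)),
            "clean_boundary": diagonal_intercept(cw, cb),
            "poisoned_boundary": diagonal_intercept(pw, pb)}


if __name__ == "__main__":
    print(evasion_demo())
    print(poisoning_demo())
```

Running the two demos shows the clean model labelling the probe correctly, the FGSM input crossing the boundary with a budget just above the analytic minimum, and the poisoned model's boundary pulled toward the label-1 cluster by relocating one sample, which is what Fig. 4 sketches. The same sign rule is what transfers to a DNN; only the way the gradient is obtained changes.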
Zhang et al. [9] showed the corresponding threats to sequential learners, as in Fig. 5. Adversarial examples that hinder vision-understanding-based applications are shown in Goodfellow et al. [17], Kurakin et al. [15], Carlini and Wagner [18], and Eykholt et al. [13]. Eykholt et al. [13], for example, show how DNNs are affected by even small perturbations added to the input: using road sign classification, they proposed robust physical perturbations that remain effective under the varying distances and angles of physical viewing, as shown in Fig. 6.

With high-speed Internet access and high-performance processing of big data, personal data leak without the data subject being aware of it. Machine learning has developed rapidly and enabled high-performance data mining [23], so privacy protection becomes important both in deep learning processing and in data storage.

Data in digital form can easily be manipulated. The problem is that important images, such as medical data, can easily be manipulated with image processing software [25].

3. Secure Object Detection by Deep Learning

Recent research on secure object detection by deep learning is summarized in Table 2.

Table 2. Recent research on secure object detection by deep learning
Secret sharing splits a secret into several shares that are handed to shareholders; the secret can be reconstructed only when sufficiently many shares are recombined. The earlier schemes [30,31] build on Shamir's approach [48]. Riazi et al. [32] proposed Chameleon, a secure machine learning framework that combines generic secure function evaluation (SFE) protocols with additive secret sharing. Liu et al. [20] proposed a privacy-preserving computation of Faster R-CNN for detecting pathological objects in medical images by adding a secret-sharing approach, as shown in Fig. 7.

Research on medical image privacy has focused primarily on the privacy of data storage. Recent research, however, has turned to deep learning processing on data kept in encrypted form. Privacy-preserving computations have been proposed using homomorphic encryption (HE) and garbled circuits (GC). HE is adopted to hide medical images and protect their privacy in Wang et al. [21], Wu [33], Chao et al. [34], and Ma et al. [35]. As shown in Figs. 8 and 9, CaRENets [34] compactly encrypts the input image into ciphertexts while the weight vectors remain in plaintext, and homomorphically evaluates the inference phase of machine learning as a service (MLaaS) on the encrypted images. The scheme of [36] uses GC to protect the privacy of medical images from the external cloud database, as shown in Fig. 10. Abadi et al. [22] and Noura et al. [37] introduced differential privacy (DP) to preserve privacy in deep learning models; DP is a promise made by a data holder to a data subject, in the sense of Dwork and Roth [49], that the subject will not be affected, adversely or otherwise, by allowing their data to be used. As shown in Fig. 11, Chu et al. [38] detected moving objects in encrypted data with pixel-based processing, pursuing a lightweight approach without heavy computation. Sen et al. [39] protected sensitive data by camouflaging the training set: a standard logistic regression learner [50] trained on the camouflaged training set of Fig. 12(a) still classified the man/woman images of Fig. 12(b) with high accuracy.

For pathological images, digital watermarking is a well-known means of ensuring the integrity of patient data [40]. Generally, as shown in Fig. 13, the watermarking method uses a secret key: the watermark content, bound to the secret key, protects the authenticity and integrity of the medical image. Selvaraj and Varatharajan [40] and Mousavi et al. [41] also used watermarking to provide authenticity of the patient ID. Selvaraj and Varatharajan [40] proposed a hash-based watermarking method built on the Whirlpool hash algorithm, and Mousavi et al. [41] surveyed the watermarking techniques used for medical images.

Goodfellow et al. [17], Papernot et al. [28], and Gu and Rigazio [42] defended DNNs against adversarial samples; Papernot et al. [28] did so by defensive distillation. They first train an initial network F on data X at softmax temperature T, as shown in Fig. 14; the output probabilities F(X) contain the classification knowledge. They then train a distilled network Fd at the same temperature T on the same X, using F(X) as the (soft) labels. Metzen et al. [8] and Aigrain and Detyniecki [43] showed that adversarial perturbations can be detected; the adversarial detectors they applied are shown in Fig. 15. Aigrain and Detyniecki [43] detect adversarial perturbations by introspection, using the information provided by the logits of an already pre-trained neural network; the characteristic of the logits is shown in Fig. 16. Approaches robust against black-box attacks are proposed by Tramer et al. [44], Liao et al. [45], Xie et al. [46], and Guo et al. [47]. Tramer et al. [44] proposed ensemble adversarial training, which augments the training data with perturbations transferred from other models. Liao et al. [45], by contrast, proposed a high-level representation guided denoiser: an adversarial image is very similar to the original image, but the difference is amplified in the high-level representation of a CNN, as shown in Fig. 17.
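The secret-sharing approach described at the start of this section, as an added textbook example rather than code from [20], [30]-[32] or [48]: Shamir's (t, n) scheme over a prime field, together with the property the surveyed schemes rely on, namely that a linear layer with public weights can be evaluated by each shareholder on its own shares alone, so the pixels are never reconstructed during the computation. The prime, the integer weights and the sample pixel values are assumptions chosen for illustration; signed or fixed-point weights need an additional encoding that this example omits.

```python
"""Shamir (t, n) threshold secret sharing over GF(p), plus a share-wise
linear layer.  Added textbook example, not code from [20], [30]-[32]."""
import secrets
from typing import List, Sequence, Tuple

Share = Tuple[int, int]                 # (x, f(x))
PRIME = (1 << 127) - 1                  # Mersenne prime, room for 16-byte secrets


def _eval_poly(coeffs: Sequence[int], x: int, p: int = PRIME) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split(secret: int, threshold: int, n: int, p: int = PRIME) -> List[Share]:
    """Hide `secret` as f(0) of a random degree-(threshold-1) polynomial and
    hand out f(1), ..., f(n).  Fewer than `threshold` points fix nothing
    about f(0); that is the privacy guarantee."""
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= n < p:
        raise ValueError("need 1 < threshold <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares: Sequence[Share], p: int = PRIME) -> int:
    """Lagrange interpolation at x = 0.  With >= threshold distinct shares
    the result is the secret; with fewer it is an unrelated field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def share_vector(values: Sequence[int], threshold: int, n: int,
                 p: int = PRIME) -> List[List[Share]]:
    """Share every element (e.g. every pixel) separately; party k receives
    the k-th share of each element, all evaluated at the same x = k + 1."""
    per_value = [split(v, threshold, n, p) for v in values]
    return [[pv[k] for pv in per_value] for k in range(n)]


def local_linear(weights: Sequence[int], party_shares: Sequence[Share],
                 p: int = PRIME) -> Share:
    """One party applies a public-weight linear layer (integer weights here)
    to its shares alone.  Because interpolation is linear, the results of any
    `threshold` parties reconstruct to weights . values, although no party
    ever saw a pixel in the clear."""
    x = party_shares[0][0]
    acc = sum(w * y for w, (_, y) in zip(weights, party_shares)) % p
    return (x, acc)


if __name__ == "__main__":
    # Constructed demo values: four "pixels" and one 4-tap integer filter.
    pixels, weights = [17, 200, 64, 3], [2, 1, 3, 5]
    parties = share_vector(pixels, threshold=3, n=5)
    outputs = [local_linear(weights, ps) for ps in parties]
    print(reconstruct(outputs[:3]), sum(w * v for w, v in zip(weights, pixels)))
```

Any three of the five parties recover the secret or the layer output, two do not, and each party's work on the linear layer is purely local. The communication overhead noted in Section 4 appears at the non-linear layers (ReLU, max-pooling, the region proposals of Faster R-CNN), which cannot be computed share-wise and are where frameworks such as Chameleon [32] switch to SFE protocols.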
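The keyed watermarking described above for patient-data integrity, as an added example and not the scheme of Selvaraj and Varatharajan [40]: a fragile watermark in which an HMAC over the image content and the patient ID (SHA-256 standing in for the Whirlpool hash of [40], since Whirlpool is not guaranteed to be available in Python's hashlib) is embedded in the least significant bits of the first 256 pixels. The image layout, key, patient ID and pixel values are constructed for the demonstration.

```python
"""Keyed fragile watermark for medical-image integrity and patient-ID
authenticity.  Added example, not the scheme of [40]: an HMAC over the image
content and the patient ID is embedded in the least significant bits (LSBs)
of the first 256 pixels, so any later edit, or a wrong key or ID, fails
verification."""
import hashlib
import hmac
from typing import List

Image = List[List[int]]          # 8-bit grayscale, row-major, values 0..255
TAG_BITS = 256                   # SHA-256 digest length


def _cover(img: Image) -> bytes:
    """Authenticated content: every pixel, except that the LSBs of the 256
    carrier pixels are masked out because the tag will overwrite them."""
    out = bytearray()
    for idx, px in enumerate(px for row in img for px in row):
        out.append(px & 0xFE if idx < TAG_BITS else px)
    return bytes(out)


def _tag(key: bytes, img: Image, patient_id: str) -> bytes:
    msg = patient_id.encode("utf-8") + b"\x00" + _cover(img)
    return hmac.new(key, msg, hashlib.sha256).digest()


def embed(img: Image, key: bytes, patient_id: str) -> Image:
    """Return a copy of `img` carrying the tag in its first 256 LSBs."""
    width = len(img[0])
    if len(img) * width < TAG_BITS:
        raise ValueError("image too small to carry the tag")
    tag = _tag(key, img, patient_id)
    out = [row[:] for row in img]
    for idx in range(TAG_BITS):
        bit = (tag[idx // 8] >> (7 - idx % 8)) & 1
        r, c = divmod(idx, width)
        out[r][c] = (out[r][c] & 0xFE) | bit        # changes the pixel by <= 1
    return out


def extract_tag(img: Image) -> bytes:
    width = len(img[0])
    tag = bytearray(TAG_BITS // 8)
    for idx in range(TAG_BITS):
        r, c = divmod(idx, width)
        tag[idx // 8] |= (img[r][c] & 1) << (7 - idx % 8)
    return bytes(tag)


def verify(img: Image, key: bytes, patient_id: str) -> bool:
    """Constant-time comparison of the embedded tag with a recomputation."""
    return hmac.compare_digest(extract_tag(img), _tag(key, img, patient_id))


def max_pixel_change(a: Image, b: Image) -> int:
    """Distortion introduced by embedding (the concern raised in Section 4)."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def tampered_copy(img: Image, r: int, c: int, mask: int) -> Image:
    """Flip the bits in `mask` of one pixel, simulating an edit."""
    out = [row[:] for row in img]
    out[r][c] ^= mask
    return out


# Constructed 20x20 gradient image and demo key/ID (not real patient data).
SAMPLE_IMAGE: Image = [[(r * 13 + c * 7) % 256 for c in range(20)] for r in range(20)]
SAMPLE_KEY = b"demo-hospital-key"
SAMPLE_ID = "patient-0042"

if __name__ == "__main__":
    marked = embed(SAMPLE_IMAGE, SAMPLE_KEY, SAMPLE_ID)
    print(verify(marked, SAMPLE_KEY, SAMPLE_ID), max_pixel_change(SAMPLE_IMAGE, marked))
    print(verify(tampered_copy(marked, 5, 5, 0x10), SAMPLE_KEY, SAMPLE_ID))
```

Embedding changes each carrier pixel by at most one grey level, which is what keeps the diagnostic value intact, and any edit to the content, the ID or the key makes `verify` fail. A fragile watermark of this kind authenticates but cannot localize or repair a change, the original LSBs of the carrier region are lost, and those 256 bits are the only part of the image that is not itself authenticated.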
To suppress the effect of the adversarial perturbation, Liao et al. [45] apply an image denoiser guided by that high-level difference. Xie et al. [46] suggested a randomization-based method that combines the proposed randomization layers with an adversarially trained model, as shown in Fig. 18. Guo et al. [47] applied a convolutional network classifier to images after input transformations: bit depth reduction, JPEG compression, total variance minimization, and image quilting. They showed that total variance minimization and image quilting were effective defenses in practice.

4. Additional Issues for Secure Object Detection by Deep Learning

Table 3 summarizes the additional issues for secure object detection by deep learning.

Table 3. Additional issues for secure object detection by deep learning
Privacy-preserving approaches based on HE or GC run algorithms that demand heavy computation and large memory, so deep learning that adopts HE or GC must take performance into account. The accuracy of a model trained with DP can be degraded by the random perturbation it adds [22]. Secret sharing causes communication overhead, and the communication itself must be secured. Watermarking can degrade the quality of the processed image; its basic issue is how to embed and extract the watermark so that the critical value of the image, that is, the diagnostic value of a medical image, is not compromised [25].

Adversarial attacks are hard to check for in big data processing, and they can pass through deep learning processing hidden among ordinary deep learning errors. Because deep learning applications are expanding, these attacks must also be urgently defended against. Many studies on adversarial attacks, however, have concentrated on presenting new types of adversarial attacks against DNNs in the laboratory. Lightweight and practical defenses against adversarial attacks still need to be developed.

5. Conclusion

In this study, we analyzed recent security studies on object detection in images and videos. Deep learning-based approaches depend heavily on the training data and on the learning model, and the information extracted by deep learning often needs to be protected as well. Because deep learning is not transparent, its processing is not easy to verify. These characteristics create security vulnerabilities affecting robustness, privacy, and integrity. Recent research on object detection shows the possible security attacks and defenses concerning privacy, integrity, and robustness. However, many issues still need to be addressed for future applications. It is important to check the remaining issues and try to solve them because AI-based approaches, such as deep learning, are being used actively.
In future research, we will focus on adversarial attacks on automatic object detection that infringe privacy and integrity. Such attacks are hard to defend against because they exploit the dependency of the deep learning approach on its learning data, and they are drawing attention as deep learning is applied to big data. We will investigate methodologies for defending against adversarial attacks on automatic object detection through bibliometric analysis.

Biography

Keonhyeong Kim
https://orcid.org/0000-0003-1381-8584
He received a B.S. degree from the School of Electronics Engineering, Kyungpook National University, in 2019. Since March 2019, he has been an M.S. candidate at the School of Electronics Engineering, Kyungpook National University. His current research interests include security in IoT and connected vehicles.

Biography

Im Young Jung
https://orcid.org/0000-0002-9713-1757
She received her first B.S. degree in chemistry from Pohang University of Science and Technology in 1993 and her second B.S. degree in computer science from Seoul National University in 1999. She received her M.S. and Ph.D. degrees in computer science and engineering from Seoul National University in 2001 and 2010, respectively. She is now an associate faculty member at the School of Electronics Engineering, Kyungpook National University, South Korea. Her current research interests include data security and system security in distributed computing, IoT, and connected vehicles.

References