Exploiting and Defending Against the Approximate Linearity of Apple's
NeuralHash
- URL: http://arxiv.org/abs/2207.14258v1
- Date: Thu, 28 Jul 2022 17:45:01 GMT
- Authors: Jagdeep Singh Bhatia, Kevin Meng
- Abstract summary: Apple's NeuralHash aims to detect the presence of illegal content on users' devices without compromising consumer privacy.
We make the surprising discovery that NeuralHash is approximately linear, which inspires the development of novel black-box attacks.
We propose a simple fix using classical cryptographic standards.
- Score: 5.3888140834268246
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Perceptual hashes map images with identical semantic content to the same
$n$-bit hash value, while mapping semantically-different images to different
hashes. These algorithms carry important applications in cybersecurity such as
copyright infringement detection, content fingerprinting, and surveillance.
Apple's NeuralHash is one such system that aims to detect the presence of
illegal content on users' devices without compromising consumer privacy. We
make the surprising discovery that NeuralHash is approximately linear, which
inspires the development of novel black-box attacks that can (i) evade
detection of "illegal" images, (ii) generate near-collisions, and (iii) leak
information about hashed images, all without access to model parameters. These
vulnerabilities pose serious threats to NeuralHash's security goals; to address
them, we propose a simple fix using classical cryptographic standards.
Related papers
- Human-imperceptible, Machine-recognizable Images [76.01951148048603]
A major conflict is exposed relating to software engineers between better developing AI systems and distancing from the sensitive training data.
This paper proposes an efficient privacy-preserving learning paradigm, where images are encrypted to become "human-imperceptible, machine-recognizable".
We show that the proposed paradigm can ensure the encrypted images have become human-imperceptible while preserving machine-recognizable information.
arXiv Detail & Related papers (2023-06-06T13:41:37Z)
- BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean Label [20.236328601459203]
We propose BadHash, the first generative-based imperceptible backdoor attack against deep hashing.
We show that BadHash can generate imperceptible poisoned samples with strong attack ability and transferability over state-of-the-art deep hashing schemes.
arXiv Detail & Related papers (2022-07-01T09:10:25Z)
- Self-Distilled Hashing for Deep Image Retrieval [25.645550298697938]
In hash-based image retrieval systems, transformed input from the original usually generates different codes.
We propose a novel self-distilled hashing scheme to minimize the discrepancy while exploiting the potential of augmented data.
We also introduce hash proxy-based similarity learning and binary cross entropy-based quantization loss to provide fine quality hash codes.
arXiv Detail & Related papers (2021-12-16T12:01:50Z)
- Learning to Break Deep Perceptual Hashing: The Use Case NeuralHash [29.722113621868978]
Apple recently revealed its deep perceptual hashing system NeuralHash to detect child sexual abuse material.
Public criticism arose regarding the protection of user privacy and the system's reliability.
We show that current deep perceptual hashing may not be robust.
arXiv Detail & Related papers (2021-11-12T09:49:27Z)
- Backdoor Attack on Hash-based Image Retrieval via Clean-label Data Poisoning [54.15013757920703]
We propose the confusing perturbations-induced backdoor attack (CIBA).
It injects a small number of poisoned images with the correct label into the training data.
We have conducted extensive experiments to verify the effectiveness of our proposed CIBA.
arXiv Detail & Related papers (2021-09-18T07:56:59Z)
- Prototype-supervised Adversarial Network for Targeted Attack of Deep Hashing [65.32148145602865]
Deep hashing networks are vulnerable to adversarial examples.
We propose a novel prototype-supervised adversarial network (ProS-GAN).
To the best of our knowledge, this is the first generation-based method to attack deep hashing networks.
arXiv Detail & Related papers (2021-05-17T00:31:37Z)
- Adversarial collision attacks on image hashing functions [9.391375268580806]
We show that it is possible to modify an image to produce an unrelated hash, and an exact hash collision can be produced via minuscule perturbations.
In a white box setting, these collisions can be replicated across nearly every image pair and hash type.
We offer several potential mitigations to gradient-based image hash attacks.
arXiv Detail & Related papers (2020-11-18T18:59:02Z)
- Deep Reinforcement Learning with Label Embedding Reward for Supervised Image Hashing [85.84690941656528]
We introduce a novel decision-making approach for deep supervised hashing.
We learn a deep Q-network with a novel label embedding reward defined by Bose-Chaudhuri-Hocquenghem codes.
Our approach outperforms state-of-the-art supervised hashing methods under various code lengths.
arXiv Detail & Related papers (2020-08-10T09:17:20Z)
- InfoScrub: Towards Attribute Privacy by Targeted Obfuscation [77.49428268918703]
We study techniques that allow individuals to limit the private information leaked in visual data.
We tackle this problem in a novel image obfuscation framework.
We find our approach generates obfuscated images faithful to the original input images, and additionally increase uncertainty by 6.2$\times$ (or up to 0.85 bits) over the non-obfuscated counterparts.
arXiv Detail & Related papers (2020-05-20T19:48:04Z)
- Targeted Attack for Deep Hashing based Retrieval [57.582221494035856]
We propose a novel method, dubbed deep hashing targeted attack (DHTA), to study the targeted attack on such retrieval.
We first formulate the targeted attack as a point-to-set optimization, which minimizes the average distance between the hash code of an adversarial example and those of a set of objects with the target label.
To balance the performance and perceptibility, we propose to minimize the Hamming distance between the hash code of the adversarial example and the anchor code under the $\ell_\infty$ restriction on the perturbation.
arXiv Detail & Related papers (2020-04-15T08:36:58Z)