结合矩阵分解与差分隐私的人脸图像发布

张啸剑; 付聪聪; 孟小峰

doi:10.11834/jig.190308

图像处理和编码 | 浏览量 : 0 下载量: 109 CSCD: 3

PDF
导出
分享
收藏
专辑

结合矩阵分解与差分隐私的人脸图像发布
Private facial image publication through matrix decomposition
2020年25卷第4期页码：655-668
收稿：2019-06-28，

修回：2019-8-30，

录用：2019-9-6，

纸质出版：2020-04-16
DOI： 10.11834/jig.190308
稿件说明：

移动端阅览

张啸剑, 付聪聪, 孟小峰. 结合矩阵分解与差分隐私的人脸图像发布[J]. 中国图象图形学报, 2020,25(4):655-668. DOI： 10.11834/jig.190308.

Xiaojian Zhang, Congcong Fu, Xiaofeng Meng. Private facial image publication through matrix decomposition[J]. Journal of Image and Graphics, 2020, 25(4): 655-668. DOI： 10.11834/jig.190308.

摘要

目的

人脸图像蕴含着丰富的个人敏感信息，直接发布可能会造成个人隐私泄露。为了保护人脸图像中的隐私信息，提出3种基于矩阵分解与差分隐私技术相结合的人脸图像发布算法，即LRA（low rank-based private facial image release algorithm）、SRA（SVD-based private facial image release algorithm）和ESRA（enhanced SVD-based private facial image release algorithm）。

方法

为了减少拉普拉斯机制带来的噪音误差，3种算法均将人脸图像作为实数域2维矩阵，充分利用矩阵低秩分解与奇异值分解技术压缩图像。在SRA和ESRA算法中，如何选择矩阵压缩参数

会直接制约由拉普拉斯机制引起的噪音误差以及由矩阵压缩导致的重构误差。SRA算法利用启发式设置参数

，然而

值增大导致过大的噪音误差，

值减小导致过大的重构误差。为了有效均衡这两种误差，ESRA算法引入一种基于指数机制的挑选参数

的方法，能够在不同的分解矩阵中挑选合理的矩阵尺寸来压缩人脸图像，然后利用拉普拉斯机制对挑选的矩阵添加相应的噪音，进而使整个处理过程满足

-差分隐私。

结果

基于6种真实人脸图像数据集，采用支持向量机（support vector machine，SVM）分类技术与信息熵验证6种算法的正确性。从算法的准确率、召回率、F1-Score，以及信息熵度量结果显示，提出的LRA、SRA与ESRA算法均优于LAP（Laplace-based facial image protection）、LRM（low-rank mechanism）以及MM（matrix mechanism）算法，其中ESRA算法在Faces95数据集上的准确率和F1-Score分别是LRA、LRM和MM算法的40倍、20倍和1倍多。相对于其他5种算法，ESRA算法对数据集大的变化相对稳定，可用性最好。

结论

本文算法能够实现满足

-差分隐私的敏感人脸图像发布，具有较好的可用性与鲁棒性，并且为灰度人脸图像的隐私保护提供了新的指导方法与思路，能有效用于社交平台和医疗系统等领域。

Abstract

Objective

Facial images are widely used in many applications such as social media

medical systems

and smart transportation systems. Such data

however

are inherently sensitive and private. Individuals' private information may be leaked if their facial images are released directly in the application systems. In social network platforms

attackers can use the facial images of individuals to attack their sensitive information. Many classical privacy-preserving methods

such as

-anonymous and data encryption

have been proposed to handle the privacy problem in facial images. However

the classical methods always rely on strong background assumptions

which cannot be supported in real-world applications. Differential privacy is the state-of-the-art method used to address the privacy concerns in data publication

which provides rigorous guarantees for the privacy of each user by adding randomized noise in Google Chrome

Apple iOS

and macOS. Therefore

to protect the private information in facial images

this paper proposes three efficient algorithms

namely

low rank-based private facial image release algorithm (LRA)

singular value decomposition (SVD)-based private facial image release algorithm (SRA)

and enhanced SVD-based private facial image release algorithm (ESRA)

which are based on matrix decomposition combined with differential privacy.

Method

The three algorithms employed the real-valued matrix to model facial images in which each cell corresponds to each pixel point of facial images. Based on the real-valued matrix

the neighborhood of some facial images can be defined easily

which are crucial bases to use Laplace mechanism to generate Laplace noise. Then

LRA

SRA

and ESRA rely on low-rank decomposition and SVD to compress facial images. This step aims to reduce the Laplace noise and boost the accuracy of the publication of facial images. The three algorithms use the Laplace mechanism to inject noise into each value of the compressed facial image to ensure differential privacy. Finally

the three algorithms use matrix algebraic operations to reconstruct the noisy facial image. However

in the SRA and ESRA algorithms

two sources of errors are encountered:1) Laplace error (LE) due to Laplace noise injected and 2) reconstruction error (RE) caused by lossy compression. The two errors are controlled by

parameter

which is the compression factor in the SRA and ESRA algorithms. Setting the compact parameter

constrains the LE and RE. The SRA algorithm sets the parameter in a heuristic manner in which one may fix the value in terms of experiences. However

the choice of

in the SRA algorithm is a problem because a large

leads to excessive LE

while a small

makes the RE extremely large. Furthermore

cannot be directly set based on the real-valued matrix; otherwise

the choice of

itself violates differential privacy. Based on the preceding observation

the ESRA algorithm is proposed to handle the problem caused by the selection of the parameter

. The main idea of the ESRA algorithm involves two steps:employing exponential mechanism to sample

elements in the decomposition matrix and injecting the Laplace noise into the elements. According to the sequential composition of differential privacy

the two steps in the ESRA algorithm meet

-differential privacy.

Result

On the basis of the SVM classification and information entropy technique

two group experiments were conducted over six real facial image datasets (Yale

ORL

CMU

Yale B

Faces95

and Faces94) to evaluate the quality of the facial images generated from the LRA

SRA

ESRA

LAP(Laplace-based facial image protection)

LRM(low-rank mechanism)

and MM(matrix mechanism) algorithms using a variety of metrics

including precision

recall

F1 score

and entropy. Our experiments show that the proposed LRA

SRA

and ESRA algorithms outperform LAP

LRM

and MM in terms of the abovementioned six metrics. For example

based on the Faces95 dataset

=0.1 and matrix=200×180 were set to compare the precision of ESRA

LRM

LRA

and LAP. Result show that the precision of ESRA is 40 and 20 times that of LAP

LRA

and LRM. Based on the six datasets

ESRA achieves better accuracy than LRA and SRA. For example

on the Faces94 dataset

the matrix=200×180 was set and the privacy budget

(i.e.

0.1

0.5

0.9

and 1.3) was varied to study the utility of each algorithm. Results show that the utility measures of all algorithms increase when

increases. When

varies from 0.1 to 1.3

ESRA still achieves better precision

recall

F1-score

and entropy than the other algorithms.

Conclusion

The oretical analysis and extensive experiments were conducted to compare our algorithms with the LAP

LRM

and MM algorithms. Results show that the proposed algorithms could achieve better utility and outperform the existing solutions. In addition

the proposed algorithms provided new ideas and technical support for further research on facial image release with differential privacy in several application systems.

关键词

Keywords

references

Chen Y, Machanavajjhala A, Hay M and Miklau G. 2017. PeGaSus: data-adaptive differentially private stream processing//Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security. Dallas, TX, USA: ACM: 1375-1388[ DOI: 10.1145/3133956.3134102 http://dx.doi.org/10.1145/3133956.3134102 ]

Dwork C. 2006. Differential privacy//Proceedings of the 33rd International Colloquium on Automata, Languages and Programming (ICALP). Venice, Italy: Springer: 1-12[ DOI: 10.1007/11787006 http://dx.doi.org/10.1007/11787006 ]

Dwork C and Lei J. 2009. Differential privacy and robust statistics//The 41st Annual ACM Symposium on Theory of Computing (STOC). Bethesda, MD, USA: ACM: 371-380[ DOI: 10.1145/1536414.1536466 http://dx.doi.org/10.1145/1536414.1536466 ]

Dwork C, McSherry F,Nissim K and Smith A. 2006. Calibrating noise to sensitivity in private data analysis//Proceedings of the 3rd Theory of Cryptography Conference (TCC). New York, USA: Springer: 363-385[ DOI: 10.1007/9783540327.32532 http://dx.doi.org/10.1007/9783540327.32532 ]

Friedman A, Berkovsky S and Kâafar M A. 2016. A differential privacy framework for matrix factorization recommender systems. User Modeling and User-Adapted Interaction, 26(5):425-458[DOI:10.1007/s11257-016-9177-7]

Gross R and Acquisti A. 2005. Information revelation and privacy in online social networks//Proceedings of 2005 ACM Workshop on Privacy in the Electronic Society. Alexandria, VA, USA: ACM: 71-80[ DOI: 10.1145/1102199.1102214 http://dx.doi.org/10.1145/1102199.1102214 ]

Gross R, Sweeney L, Cohn J, de la Torre F and Baker S. 2008. Model-based de-identification of facial images//2008 American Medical Informatics Association Annual Symposium. Washington: [s.n.]: 262-273

Hay M, Rastogi V, Miklau G and Suciu D. 2010. Boosting the accuracy of differentially private histograms through consistency. Proceedings of the VLDB Endowment, 3(1/2):1021-1032[DOI:10.14778/1920841.1920970]

Ilia P, Polakis I, Athanasopoulos E, Maggi F and Ioannidis S. 2015. Face/off: preventing privacy leakage from photos in social networks//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Denver, Colorado, USA: ACM: 781-792[ DOI: 10.1145/2810103.2813603 http://dx.doi.org/10.1145/2810103.2813603 ]

Li C, Miklau G, Hay M, McGregor A and Rastogi V. 2015. The matrix mechanism:optimizing linear counting queries under differential privacy. The VLDB Journal, 24(6):757-781[DOI:10.1007/s00778-015-0398-x]

McSherry F. 2010. Privacy integrated queries:an extensible platform for privacy-preserving data analysis. Communications of the ACM, 53(9):89-97[DOI:10.1145/1810891.1810916]

McSherry F and Talwar K. 2007. Mechanism design via differential privacy//Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science. Providence, RI, USA: IEEE: 94-103[ DOI: 10.1109/FOCS.2007.66 http://dx.doi.org/10.1109/FOCS.2007.66 ]

Newton E M, Sweeney L and Malin B. 2005. Preserving privacy by de-identifying face images. IEEE Transactions on Knowledge and Data Engineering, 17(2):232-243[DOI:10.1109/TKDE.2005.32]

Qardaji W, Yang W N and Li N H. 2013. Differentially private grids for geospatial data//Proceedings of the 29th IEEE International Conference on Data Engineering (ICDE). Brisbane, QLD, Australia: IEEE: 32-33[ DOI: 10.1109/ICDE.2013.6544872 http://dx.doi.org/10.1109/ICDE.2013.6544872 ]

Rastogi V and Nath S. 2010. Differentially private aggregation of distributed time-series with transformation and encryption//Proceedings of 2010 ACM SIGMOD International Conference on Management of data. Indianapolis, Indiana, USA: ACM: 735-746[ DOI: 10.1145/1807167.1807247 http://dx.doi.org/10.1145/1807167.1807247 ]

Sadeghi A R, Schneider T and Wehrenberg I. 2009. Efficient privacy-preserving face recognition//Proceedings of the 12th International Conference on Information Security and Cryptology. Seoul, Korea: Springer: 229-244[ DOI: 10.1007/978-3-642-14423-3_16 http://dx.doi.org/10.1007/978-3-642-14423-3_16 ]

Su S, Tang P, Cheng X, Chen R and Wu Z Q. 2016. Differentially private multi-party high-dimensional data publishing//Proceedings of the 32nd IEEE International Conference on Data Engineering. Helsinki, Finland: IEEE: 205-216[ DOI: 10.1109/ICDE.2016.7498241 http://dx.doi.org/10.1109/ICDE.2016.7498241 ]

Xiao X K, Wang G Z and Gehrke J. 2011. Differential privacy via wavelet transforms. IEEE Transactions on Knowledge and Data Engineering, 23(8):1200-1214[DOI:10.1109/TKDE.2010.247]

Xu J, Zhang Z J, Xiao X K, Yang Y, Yu G and Winslett M. 2013. Differentially private histogram publication. The VLDB Journal, 22(6):797-822[DOI:10.1007/s00778-013-0309-y]

Yuan G Z, Yang Y, Zhang Z J and Hao Z F. 2016. Convex optimization for linear query processing under approximate differential privacy//Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD). San Francisco, CA, USA: ACM: 2005-2014[ DOI: 10.1145/2939672.2939818 http://dx.doi.org/10.1145/2939672.2939818 ]

Yuan G Z, Zhang Z J, Winslett M, Xiao X K, Yang Y and Hao Z F. 2015. Optimizing batch linear queries under exact and approximate differential privacy. ACM Transactions on Database Systems, 40(2):1-47[DOI:10.1145/2699501]

Zhang J, Cormode G, Procopiuc C M, Srivastava D and Xiao X K. 2015. Private release of graph statistics using ladder functions//Proceedings of 2015 ACM SIGMOD International Conference on Management of Data. Melbourne, Victoria, Australia: ACM: 731-745[ DOI: 10.1145/2723372.2737785 http://dx.doi.org/10.1145/2723372.2737785 ]