DP-TRAE: A Dual-Phase Merging Transferable Reversible Adversarial Example for Image Privacy Protection
Xia Du, Jiajie Zhu, Jizhe Zhou, Chi-man Pun, Zheng Lin, Cong Wu, Zhe Chen, Jun Luo
TL;DR
DP-TRAE addresses the challenge of protecting image privacy against DNN analysis by producing reversible adversarial perturbations under a black-box setting. It introduces a dual-phase framework—SA-WA for white-box perturbation generation and MAE-BA for memory-guided black-box exploration—coupled with Huffman-based RDH compression to enable lossless recovery. The method achieves high attack success rates (up to 99% in black-box scenarios) and perfect recovery (100%) across multiple models, including commercial systems, and remains robust under common defenses. This work provides a practical pathway for reversible privacy protection in real-world deployments and opens avenues for extending reversible adversarial strategies to other modalities and large-scale systems.
Abstract
In the field of digital security, Reversible Adversarial Examples (RAE) combine adversarial attacks with reversible data hiding techniques to effectively protect sensitive data and prevent unauthorized analysis by malicious Deep Neural Networks (DNNs). However, existing RAE techniques primarily focus on white-box attacks, lacking a comprehensive evaluation of their effectiveness in black-box scenarios. This limitation impedes their broader deployment in complex, dynamic environments. Further more, traditional black-box attacks are often characterized by poor transferability and high query costs, significantly limiting their practical applicability. To address these challenges, we propose the Dual-Phase Merging Transferable Reversible Attack method, which generates highly transferable initial adversarial perturbations in a white-box model and employs a memory augmented black-box strategy to effectively mislead target mod els. Experimental results demonstrate the superiority of our approach, achieving a 99.0% attack success rate and 100% recovery rate in black-box scenarios, highlighting its robustness in privacy protection. Moreover, we successfully implemented a black-box attack on a commercial model, further substantiating the potential of this approach for practical use.
