| CPC G06F 21/64 (2013.01) [G06T 1/005 (2013.01); G06T 1/0092 (2013.01); G06T 2201/0065 (2013.01)] | 20 Claims |

|
1. A method for protecting a deep neural network image classifier against receiving perturbed images, the method comprising:
acquiring an original digital image intended for the deep neural network image classifier;
generating a watermarked image by embedding a plurality of watermark bits into the original digital image, wherein embedding the plurality of watermark bits into the original digital image comprises:
identifying a plurality of frequency domain watermark embedding coefficients from the original digital image;
for each frequency domain watermark embedding coefficient, embedding a corresponding embedding value into that watermark embedding coefficient in a frequency domain;
transmitting the watermarked image through a potentially adversarial environment;
receiving a potentially perturbed image from the potentially adversarial environment, wherein the potentially perturbed image is intended for the deep neural network image classifier;
determining whether the potentially perturbed image is an adversely modified or benign image by determining whether the potentially perturbed image includes a plurality of embedded bits in the frequency domain matching the plurality of watermark bits embedded into the original digital image in the frequency domain, wherein the potentially perturbed image is determined to be the benign image when the potentially perturbed image includes the plurality of embedded bits in the frequency domain matching the plurality of watermark bits in the frequency domain and the potentially perturbed image is determined to be the adversely modified image otherwise; and
preventing the potentially perturbed image from being provided to the deep neural network image classifier in response to determining that the potentially perturbed image is the adversely modified image;
wherein the plurality of watermark bits embedded into the original digital image in the frequency domain are robust to JPEG re-compression with a quality factor above a pre-defined compression threshold.
|
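The embed, verify, and gate steps of claim 1 can be sketched as follows; this is an added example, not code from the patent. The claim does not name a transform or embedding rule, so the 8x8 block DCT, the quantization index modulation (QIM) rule, the coefficient position, the step `DELTA`, and all function names are assumptions. JPEG re-compression is not simulated.

```python
import math

N, U, V = 8, 2, 1   # assumed: 8x8 blocks, one bit in mid-frequency DCT coefficient (2,1)
DELTA = 32.0        # assumed QIM step; tune against the compression threshold

def _a(k):          # orthonormal DCT-II scale factor
    return math.sqrt((1 if k == 0 else 2) / N)

def _cos(i, k):
    return math.cos((2 * i + 1) * k * math.pi / (2 * N))

# Unit-norm basis function of the chosen coefficient over one block
BASIS = [[_a(U) * _a(V) * _cos(x, U) * _cos(y, V) for y in range(N)] for x in range(N)]

def blocks(img):
    return [(r, c) for r in range(0, len(img), N) for c in range(0, len(img[0]), N)]

def coeff(img, r, c):
    return sum(img[r + x][c + y] * BASIS[x][y] for x in range(N) for y in range(N))

def embed(img, bits):
    """Move each block's coefficient onto the QIM lattice for its bit."""
    out = [row[:] for row in img]
    for (r, c), b in zip(blocks(img), bits):
        cur = coeff(img, r, c)
        target = DELTA * round((cur - b * DELTA / 2) / DELTA) + b * DELTA / 2
        for x in range(N):
            for y in range(N):
                p = round(img[r + x][c + y] + (target - cur) * BASIS[x][y])
                out[r + x][c + y] = min(255, max(0, p))
    return out

def extract(img, n):
    return [round(coeff(img, r, c) / (DELTA / 2)) % 2 for r, c in blocks(img)[:n]]

def gate(img, bits, classifier):
    """Forward img to the classifier only if the embedded bits match."""
    if extract(img, len(bits)) != list(bits):
        return None   # treated as adversely modified; classifier is never called
    return classifier(img)

# Constructed 16x16 grayscale sample (values 64..191) and watermark bits
SAMPLE = [[64 + (7 * r + 13 * c) % 128 for c in range(16)] for r in range(16)]
BITS = [1, 0, 1, 1]
```

In this sketch a coefficient may drift by less than `DELTA / 4` before its bit flips, which is the margin that would be sized against the quantization error of the lowest accepted JPEG quality factor.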