Adversarially Learned Representations for Information Obfuscation - - PowerPoint PPT Presentation

Adversarially Learned Representations for Information Obfuscation and Inference

Martin Bertran1, Natalia Martinez1, Afroditi Papadaki2 Qiang Qiu1, Miguel Rodrigues2, Galen Reeves1, Guillermo Sapiro1

• 1. Duke University
• 2. University College London

Motivation

2

Why do users share their data? Facial Image

Service Provider

Utility Subject verification Shared data

User decision

Motivation

2

Why do users share their data? Facial Image

Service Provider

Utility Subject verification Shared data Sensitive attributes Emotion Gender

User decision

Race

Motivation

3

Can we do better?

Motivation

3

Can we do better? Facial Image

Service Provider

Shared data Sensitive attributes Gender

User decision

Utility Subject verification Filtered Image Learn space-preserving representations that obfuscate sensitive information while preserving utility.

Motivation

4

Example: Preserve gender & obfuscate emotion

P(Serious) = 0.98 P(Female) = 0.99 P(Male) = 0.98 P(Smile) = 0.78

Original Filtered

P(Serious) = 0.31 P(Female) = 0.99 P(Male) = 0.98 P(Smile) = 0.38

Motivation

5

Example: Preserve subject & obfuscate gender

P(Male) = 0.99 Subject verified

Original Filtered

P(Female) = 0.54 P(Female) = 0.99 Subject verified Subject verified P(Male) = 0.70 Subject verified

Sample of related work

6

• (2003) Chechik et al. Extracting relevant structures with side

information.

• (2016) Basciftci et al. On privacy-utility tradeoffs for constrained

data release mechanisms.

• (2018) Madras et al. Learning adversarially fair and transferable

representations.

• (2018) Sun et al. A hybrid model for identity obfuscation by face

replacement.

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

(U, S) ∼ p(U, S)

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

(U, S) ∼ p(U, S)

X ∼ p(X|U, S)

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

(U, S) ∼ p(U, S)

X ∼ p(X|U, S)

Y ∼ p(Y |X)

Our objective!

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

(U, S) ∼ p(U, S)

X ∼ p(X|U, S)

Y ∼ p(Y |X)

Our objective!

Want to learn such that :

Y ∼ p(Y |X) p(S|Y ) ∼ p(S)

p(U|Y ) ∼ p(U|X)

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

(U, S) ∼ p(U, S)

X ∼ p(X|U, S)

Y ∼ p(Y |X)

Our objective!

Want to learn such that :

Y ∼ p(Y |X) p(S|Y ) ∼ p(S)

p(U|Y ) ∼ p(U|X)

• DKL[p(S|Y )||p(S)]

min

Problem formulation

7

Utility variable Sensible variable High-dimensional data Sanitized data

(U, S) ∼ p(U, S)

X ∼ p(X|U, S)

Y ∼ p(Y |X)

Our objective!

Want to learn such that :

Y ∼ p(Y |X) p(S|Y ) ∼ p(S)

p(U|Y ) ∼ p(U|X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

Problem formulation

8

Want to learn such that:

Y ∼ p(Y |X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

Problem formulation

8

Want to learn such that:

Y ∼ p(Y |X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

EY [.]

I(S; Y )

Problem formulation

8

Want to learn such that:

Y ∼ p(Y |X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

EY [.]

EX,Y [.]

I(U; X|Y )

I(S; Y )

Problem formulation

8

Want to learn such that:

Y ∼ p(Y |X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

EY [.]

EX,Y [.]

I(U; X|Y )

I(S; Y )

Problem formulation

8

Want to learn such that:

Y ∼ p(Y |X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

EY [.]

EX,Y [.]

I(U; X|Y )

I(S; Y )

min I(U; X|Y )

p(Y |X)

s.t. I(S; Y ) ≤ k

Objective:

Problem formulation

8

Want to learn such that:

Y ∼ p(Y |X)

• DKL[p(S|Y )||p(S)]

min

DKL[p(U|X)||p(U|Y )]

min

EY [.]

EX,Y [.]

I(U; X|Y )

I(S; Y )

min I(U; X|Y )

p(Y |X)

I(S; Y ) ≤ k

Objective:

∼ max

p(Y |X)

I(U; Y )

s.t.

Performance bounds

9

Given the objective min I(U; X|Y )

p(Y |X)

s.t. I(S; Y ) ≤ k

Performance bounds

9

Given the objective min I(U; X|Y )

p(Y |X)

s.t. I(S; Y ) ≤ k

What are the intrinsic limits on the trade-offs for this problem?

Performance bounds

9

Given the objective min I(U; X|Y )

p(Y |X)

s.t. I(S; Y ) ≤ k

What are the intrinsic limits on the trade-offs for this problem? Lemma 1. finite alphabets, .

min I(U; X|Y )

p(Y |X)

s.t. I(S; Y ) ≤ k

≥

I(U; X) − I(U; Y )

I(U; Y ) ≤ I(U; X)

p(Y |U, S)

min

s.t. I(S; Y ) ≤ k

Then:

(U, S) ∈ U × S

X ∼ p(X|U, S)

• With finite we can compute a sequence of upper bounds: Restricted

cardinality sequence (RCS).

|Y|

Performance bounds

10

Given the objective min I(U; X|Y )

p(Y |X)

s.t. : I(S; Y ) ≤ k

Lemma 2.

(X, U, S) ∼ p(X, U, S)

Given What are the intrinsic limits on the trade-offs for this problem? I(U; X|Y ) ≥ −I(S; Y ) + I(U; S) − I(U; S|X)

Performance bounds

10

Given the objective min I(U; X|Y )

p(Y |X)

s.t. : I(S; Y ) ≤ k

Lemma 2.

(X, U, S) ∼ p(X, U, S)

Given What are the intrinsic limits on the trade-offs for this problem? Lemma 3.

k ≥ 0

p(Y |X)

I(U; X|Y ) = max(0, 1 − k I(S; X))I(U; X)

I(S; Y ) ≤ k

(X, U, S) ∼ p(X, U, S)

Given , such that:

∀

∃

I(U; X|Y ) ≥ −I(S; Y ) + I(U; S) − I(U; S|X)

Performance bounds

11

Lemmas 1, 2 and 3 can be approximated using contingency tables. I(U; X|Y )

I(S; Y ) ≤

))I(U; X)

I(U; S) I(U; S)

I(S; X)

Lemma 1 (RCS) Lemma 2 (lower bound) Lemma 3 (achievable upper bound) * Sketch under the assumption that

I(U; S|X) = 0

Proposed framework

12

Proposed framework

12

min I(U; X|Y )

s.t. : I(S; Y ) ≤ k

Objective:

p(Y |X) ∼ qθ(X, Z)

Proposed framework

12

min I(U; X|Y )

s.t. : I(S; Y ) ≤ k

Objective: Optimization objective:

[I(U; X|Y ) + λmax{I(S; Y ) − k, 0}2]

min

p(Y |X) ∼ qθ(X, Z) p(Y |X) ∼ qθ(X, Z)

Implementation

13

Optimization objective:

[I(U; X|Y ) + λmax{I(S; Y ) − k, 0}2]

min

qθ(X, Z)

Implementation

13

Optimization objective:

[I(U; X|Y ) + λmax{I(S; Y ) − k, 0}2]

min

qθ(X, Z)

Learning the stochastic mapping :

p(S|Y )

p(U|Y )

p(U|X)

Y = qθ(X, Z)

pη(S|Y )

pφ(U|X) pψ(U|Y )

∼ ∼ ∼

ˆ ψ = argminψEX,U,Z ⇥ − log(pψ(U | qˆ

θ(X, Z))

⇤

ˆ η = argminηEX,S,Z ⇥ − log(pη(S | qˆ

θ(X, Z))

⇤ ˆ φ = argminφEX,U ⇥ − log(pφ(U | X) ⇤

Implementation

13

Optimization objective:

[I(U; X|Y ) + λmax{I(S; Y ) − k, 0}2]

min

qθ(X, Z)

Learning the stochastic mapping :

p(S|Y )

p(U|Y )

p(U|X)

Y = qθ(X, Z)

pη(S|Y )

pφ(U|X) pψ(U|Y )

∼ ∼ ∼

ˆ ψ = argminψEX,U,Z ⇥ − log(pψ(U | qˆ

θ(X, Z))

⇤

ˆ η = argminηEX,S,Z ⇥ − log(pη(S | qˆ

θ(X, Z))

⇤ ˆ φ = argminφEX,U ⇥ − log(pφ(U | X) ⇤

ˆ θ = argminθEX,Z ⇥ DKL[p ˆ

φ(U | X) || p ˆ ψ(U | qθ(X, Z))]]

+λ max(EX,Z ⇥ DKL[pˆ

η(S | qθ(X, Z)) || P(S)]] − k, 0)2

Implementation

13

Optimization objective:

[I(U; X|Y ) + λmax{I(S; Y ) − k, 0}2]

min

qθ(X, Z)

Learning the stochastic mapping :

p(S|Y )

p(U|Y )

p(U|X)

Y = qθ(X, Z)

pη(S|Y )

pφ(U|X) pψ(U|Y )

∼ ∼ ∼

ˆ ψ = argminψEX,U,Z ⇥ − log(pψ(U | qˆ

θ(X, Z))

⇤

ˆ η = argminηEX,S,Z ⇥ − log(pη(S | qˆ

θ(X, Z))

⇤ ˆ φ = argminφEX,U ⇥ − log(pφ(U | X) ⇤

ˆ θ = argminθEX,Z ⇥ DKL[p ˆ

φ(U | X) || p ˆ ψ(U | qθ(X, Z))]]

+λ max(EX,Z ⇥ DKL[pˆ

η(S | qθ(X, Z)) || P(S)]] − k, 0)2

Xception Networks U-NET + noise

Experiments

14

Emotion obfuscation vs gender detection ∞

0.5 0.3

k

Experiments

15

Emotion obfuscation vs gender detection ∞

0.5 0.3

k

Experiments

16

Gender obfuscation vs subject verification ∞

0.3 0.2

k

Experiments

17

Gender obfuscation vs subject verification ∞

0.3 0.2

k

Experiments

18

Subject within Subject k ∞

0.5

Consenting User Nonconsenting User Subject verified Subject verified Subject verified Subject verified

Concluding remarks

19

• Learned representations that preserve utility and obfuscate sensitive information.
• Derived easy-to-compute bounds.
• Experimental results show representations compare favorably against

derived bounds. Limitations:

• Expectation-based approach.
• Reliance on adversary as a proxy for information.
• Transformations are space-preserving. Can reuse existing pipelines.

Thanks!

20

Please visit us at poster #81