{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,27]],"date-time":"2026-02-27T00:15:15Z","timestamp":1772151315027,"version":"3.50.1"},"reference-count":52,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2023,8,21]],"date-time":"2023-08-21T00:00:00Z","timestamp":1692576000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2023,8,31]]},"abstract":"<jats:p>Large training data and expensive model tweaking are standard features of deep learning with images. As a result, data owners often utilize cloud resources to develop large-scale complex models, which also raises privacy concerns. Existing cryptographic solutions for training deep neural networks (DNNs) are too expensive, cannot effectively utilize cloud GPU resources, and also put a significant burden on client-side pre-processing. This article presents an image disguising approach: DisguisedNets, which allows users to securely outsource images to the cloud and enables confidential, efficient GPU-based model training. DisguisedNets uses a novel combination of image blocktization, block-level random permutation, and block-level secure transformations: random multidimensional projection (RMT) or AES pixel-level encryption (AES) to transform training data. Users can use existing DNN training methods and GPU resources without any modification to training models with disguised images. We have analyzed and evaluated the methods under a multi-level threat model and compared them with another similar method\u2014InstaHide. We also show that the image disguising approach, including both DisguisedNets and InstaHide, can effectively protect models from model-targeted attacks.<\/jats:p>","DOI":"10.1145\/3609506","type":"journal-article","created":{"date-parts":[[2023,7,15]],"date-time":"2023-07-15T09:42:26Z","timestamp":1689414146000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["DisguisedNets: Secure Image Outsourcing for Confidential Model Training in Clouds"],"prefix":"10.1145","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9996-156X","authenticated-orcid":false,"given":"Keke","family":"Chen","sequence":"first","affiliation":[{"name":"Marquette University, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-4945-7310","authenticated-orcid":false,"given":"Yuechun","family":"Gu","sequence":"additional","affiliation":[{"name":"Marquette University, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6667-4724","authenticated-orcid":false,"given":"Sagar","family":"Sharma","sequence":"additional","affiliation":[{"name":"TikTok, Inc, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,8,21]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2812196"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.5555\/2033036.2033075"},{"key":"e_1_3_2_5_2","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (S&P\u201921)","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, and Florian Tram\u00e8r. 2021. Is private learning possible with instance encoding? In Proceedings of the IEEE Symposium on Security and Privacy (S&P\u201921)."},{"key":"e_1_3_2_6_2","article-title":"Adversarial attacks and defences: A survey","volume":"1810","author":"Chakraborty Anirban","year":"2018","unstructured":"Anirban Chakraborty, Manaar Alam, Vishal Dey, Anupam Chattopadhyay, and Debdeep Mukhopadhyay. 2018. Adversarial attacks and defences: A survey. CoRR abs\/1810.00069 (2018).","journal-title":"CoRR"},{"key":"e_1_3_2_7_2","article-title":"GCreep: Google engineer stalked teens, spied on chats.","author":"Chen Andrian","year":"2010","unstructured":"Andrian Chen. 2010. GCreep: Google engineer stalked teens, spied on chats. Gawker, Retrieved from http:\/\/gawker.com\/5637234\/","journal-title":"Gawker"},{"key":"e_1_3_2_8_2","first-page":"86","article-title":"Intel SGX Explained","volume":"2016","author":"Costan Victor","year":"2016","unstructured":"Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptology ePrint Archive 2016 (2016), 86.","journal-title":"IACR Cryptology ePrint Archive"},{"key":"e_1_3_2_9_2","volume-title":"Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications","author":"Duncan A. J.","year":"2012","unstructured":"A. J. Duncan, S. Creese, and M. Goldsmith. 2012. Insider attacks in cloud computing. In Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications."},{"key":"e_1_3_2_10_2","first-page":"1","volume-title":"Proceedings of the International Colloquium on Automata, Languages andProgramming","author":"Dwork Cynthia","year":"2006","unstructured":"Cynthia Dwork. 2006. Differential privacy. In Proceedings of the International Colloquium on Automata, Languages andProgramming. Springer, 1\u201312."},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-95729-6_10"},{"issue":"6","key":"e_1_3_2_12_2","first-page":"126","article-title":"Security vulnerabilities of SGX and countermeasures: A survey","volume":"54","author":"Fei Shufan","year":"2021","unstructured":"Shufan Fei, Zheng Yan, Wenxiu Ding, and Haomeng Xie. 2021. Security vulnerabilities of SGX and countermeasures: A survey. ACM Comput. Surv. 54, 6, Article 126 (2021), 36 pages.","journal-title":"ACM Comput. Surv."},{"key":"e_1_3_2_13_2","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Fredrikson Matt","year":"2015","unstructured":"Matt Fredrikson, Somesh Jha, and Thomas Ristenpart. 2015. Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the ACM Conference on Computer and Communications Security."},{"key":"e_1_3_2_14_2","first-page":"17","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Fredrikson Matthew","year":"2014","unstructured":"Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. 2014. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security\u201914). USENIX Association, 17\u201332."},{"key":"e_1_3_2_15_2","volume-title":"Geometric Methods and Applications for Computer Science and Engineering","author":"Gallier Jean","year":"2000","unstructured":"Jean Gallier. 2000. Geometric Methods and Applications for Computer Science and Engineering. Springer-Verlag, New York."},{"key":"e_1_3_2_16_2","first-page":"201","volume-title":"Proceedings of the 33rd International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"48","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In Proceedings of the 33rd International Conference on Machine Learning (Proceedings of Machine Learning Research), Maria Florina Balcan and Kilian Q. Weinberger (Eds.), Vol. 48. 201\u2013210."},{"key":"e_1_3_2_17_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Goodfellow Ian","year":"2015","unstructured":"Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In Proceedings of the International Conference on Learning Representations. Retrieved from http:\/\/arxiv.org\/abs\/1412.6572"},{"key":"e_1_3_2_18_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Guo Chuan","year":"2018","unstructured":"Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens van der Maaten. 2018. Countering adversarial images using input transformations. In Proceedings of the International Conference on Learning Representations. Retrieved from https:\/\/openreview.net\/forum?id=SyJ7ClWCb"},{"issue":"2","key":"e_1_3_2_19_2","article-title":"Generation of random orthogonal matrix","volume":"27","author":"Heiberger Richard M.","year":"1978","unstructured":"Richard M. Heiberger. 1978. Generation of random orthogonal matrix. J. R. Stat. Soc. 27, 2 (1978).","journal-title":"J. R. Stat. Soc."},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134012"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3523273"},{"key":"e_1_3_2_22_2","first-page":"4507","volume-title":"Proceedings of the 37th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"119","author":"Huang Yangsibo","year":"2020","unstructured":"Yangsibo Huang, Zhao Song, Kai Li, and Sanjeev Arora. 2020. InstaHide: Instance-hiding schemes for private distributed learning. In Proceedings of the 37th International Conference on Machine Learning (Proceedings of Machine Learning Research), Hal Daum\u00e9 III and Aarti Singh (Eds.), Vol. 119. PMLR, 4507\u20134518."},{"key":"e_1_3_2_23_2","first-page":"809","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922)","author":"Huang Zhicong","year":"2022","unstructured":"Zhicong Huang, Wen-jie Lu, Cheng Hong, and Jiansheng Ding. 2022. Cheetah: Lean and fast secure two-party deep neural network inference. In Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922). USENIX Association, 809\u2013826. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/huang-zhicong"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489288"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1561\/2200000083"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1201\/9781420010756"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3065386"},{"key":"e_1_3_2_28_2","volume-title":"Labeled Faces in the Wild: Updates and New Reporting Procedures","author":"Learned-Miller Gary B. Huang and Erik","year":"2014","unstructured":"Gary B. Huang and Erik Learned-Miller. 2014. Labeled Faces in the Wild: Updates and New Reporting Procedures. Technical Report UM-CS-2014-003. University of Massachusetts, Amherst."},{"key":"e_1_3_2_29_2","article-title":"PrivyNet: A Flexible framework for privacy-preserving deep neural network training with a fine-grained privacy control","volume":"1709","author":"Li Meng","year":"2017","unstructured":"Meng Li, Liangzhen Lai, Naveen Suda, Vikas Chandra, and David Z. Pan. 2017. PrivyNet: A Flexible framework for privacy-preserving deep neural network training with a fine-grained privacy control. CoRR abs\/1709.06161 (2017).","journal-title":"CoRR"},{"issue":"9","key":"e_1_3_2_30_2","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1353-4858(15)30080-5","article-title":"The Ashley Madison affair.","volume":"2015","author":"Mansfield-Devine Steve","year":"2015","unstructured":"Steve Mansfield-Devine. 2015. The Ashley Madison affair. Netw. Secur. 2015, 9 (2015), 8\u201316.","journal-title":"Netw. Secur."},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i17.17746"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/JBHI.2020.2991043"},{"key":"e_1_3_2_34_2","first-page":"6521","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR\u201919)","author":"Raff E.","year":"2019","unstructured":"E. Raff, J. Sylvester, S. Forsyth, and M. McLean. 2019. Barrage of random transforms for adversarially robust defense. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR\u201919). 6521\u20136530."},{"key":"e_1_3_2_35_2","volume-title":"Proceedings of the 27th Annual Conference on Computer and Communications Security (ACM CCS\u201920)","author":"Rathee Deevashwer","year":"2020","unstructured":"Deevashwer Rathee, Mayank Rathee, Nishant Kumar, Nishanth Chandran, Divya Gupta, Aseem Rastogi, and Rahul Sharma. 2020. CrypTFlow2: Practical 2-party secure inference. In Proceedings of the 27th Annual Conference on Computer and Communications Security (ACM CCS\u201920). ACM."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-021-00092-8"},{"key":"e_1_3_2_37_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Shafahi Ali","year":"2019","unstructured":"Ali Shafahi, W. Ronny Huang, Christoph Studer, Soheil Feizi, and Tom Goldstein. 2019. Are adversarial examples inevitable? In Proceedings of the International Conference on Learning Representations. Retrieved from https:\/\/openreview.net\/forum?id=r1lWUoA9FQ"},{"key":"e_1_3_2_38_2","volume-title":"Proceedings of the IEEE Conference on Cloud Computing","author":"Sharma Sagar","year":"2021","unstructured":"Sagar Sharma, A. K. M. Mubashwir Alam, and Keke Chen. 2021. Image disguising for protecting data and model confidentiality in outsourced deep learning. In Proceedings of the IEEE Conference on Cloud Computing."},{"key":"e_1_3_2_39_2","volume-title":"Proceedings of the Poster Session of ACM CCS","author":"Sharma Sagar","year":"2018","unstructured":"Sagar Sharma and Keke Chen. 2018. Image disguising for privacy-preserving outsourced deep learning. In Proceedings of the Poster Session of ACM CCS."},{"key":"e_1_3_2_40_2","first-page":"41","volume-title":"Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS\u201919)","author":"Sharma Sagar","year":"2019","unstructured":"Sagar Sharma and Keke Chen. 2019. Confidential boosting with random linear classifiers for outsourced user-generated data. In Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS\u201919). 41\u201365."},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/MIC.2018.112102519"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813687"},{"key":"e_1_3_2_43_2","first-page":"3","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Shokri Reza","year":"2017","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In Proceedings of the IEEE Symposium on Security and Privacy. 3\u201318."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-019-0197-0"},{"key":"e_1_3_2_45_2","first-page":"1021","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201921)","author":"Tan Sijun","year":"2021","unstructured":"Sijun Tan, Brian Knott, Yuan Tian, and David J. Wu. 2021. CryptGPU: Fast privacy-preserving machine learning on the GPU. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201921). IEEE, 1021\u20131038."},{"key":"e_1_3_2_46_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh. 2019. Slalom: Fast, verifiable and private execution of neural networks in trusted hardware. In Proceedings of the International Conference on Learning Representations. Retrieved from https:\/\/openreview.net\/forum?id=rJVorjCcKQ"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241142"},{"issue":"2","key":"e_1_3_2_48_2","first-page":"14","article-title":"Breaches to customer account data.","volume":"32","author":"Unger Lucy","year":"2015","unstructured":"Lucy Unger. 2015. Breaches to customer account data. Comput. Internet Law. 32, 2 (2015), 14\u201320.","journal-title":"Comput. Internet Law."},{"key":"e_1_3_2_49_2","first-page":"2579","article-title":"Visualizing data using t-SNE","volume":"9","author":"Maaten Laurens van der","year":"2008","unstructured":"Laurens van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. J. Mach. Learn. Res. 9 (2008), 2579\u20132605. Retrieved from http:\/\/www.jmlr.org\/papers\/v9\/vandermaaten08a.html","journal-title":"J. Mach. Learn. Res."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1090\/dimacs\/065"},{"key":"e_1_3_2_51_2","article-title":"NeuraCrypt: Hiding private health data via random neural networks for public training","volume":"2106","author":"Yala Adam","year":"2021","unstructured":"Adam Yala, Homa Esfahanizadeh, Rafael G. L. D\u2019Oliveira, Ken R. Duffy, Manya Ghobadi, Tommi S. Jaakkola, Vinod Vaikuntanathan, Regina Barzilay, and Muriel M\u00e9dard. 2021. NeuraCrypt: Hiding private health data via random neural networks for public training. CoRR abs\/2106.02484 (2021).","journal-title":"CoRR"},{"key":"e_1_3_2_52_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Zhang Hongyi","year":"2018","unstructured":"Hongyi Zhang, Moustapha Ciss\u00e9, Yann N. Dauphin, and David Lopez-Paz. 2018. mixup: Beyond empirical risk minimization. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_53_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition Conference (CVPR\u201920)","author":"Zhang Yuheng","year":"2020","unstructured":"Yuheng Zhang, Ruoxi Jia, Hengzhi Pei, Wenxiao Wang, Bo Li, and Dawn Song. 2020. The secret revealer: Generative model-inversion attacks against deep neural networks. In Proceedings of the Computer Vision and Pattern Recognition Conference (CVPR\u201920)."}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3609506","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3609506","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:46:24Z","timestamp":1750178784000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3609506"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,8,21]]},"references-count":52,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,8,31]]}},"alternative-id":["10.1145\/3609506"],"URL":"https:\/\/doi.org\/10.1145\/3609506","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,8,21]]},"assertion":[{"value":"2023-04-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-06-28","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-08-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}