{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T07:04:16Z","timestamp":1768547056333,"version":"3.49.0"},"reference-count":73,"publisher":"Association for Computing Machinery (ACM)","issue":"11","license":[{"start":{"date-parts":[[2024,9,12]],"date-time":"2024-09-12T00:00:00Z","timestamp":1726099200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Multimedia Comput. Commun. Appl."],"published-print":{"date-parts":[[2024,11,30]]},"abstract":"Sharing facial pictures through online services, especially on social networks, has become a common habit for thousands of users. This practice hides a possible threat to privacy: the owners of such services, as well as malicious users, could automatically extract information from faces using modern and effective neural networks. In this article, we propose the harmless use of adversarial attacks, i.e., variations of images that are almost imperceptible to the human eye and that are typically generated with the malicious purpose to mislead Convolutional Neural Networks (CNNs). Such attacks have been instead adopted to (1) obfuscate soft biometrics (gender, age, ethnicity) but (2) without degrading the quality of the face images posted online. We achieve the above-mentioned two conflicting goals by modifying the implementations of four of the most popular adversarial attacks, namely FGSM, PGD, DeepFool, and C&W, in order to constrain the average amount of noise they generate on the image and the maximum perturbation they add on the single pixel. We demonstrate, in an experimental framework including three popular CNNs, namely VGG16, SENet, and MobileNetV3, that the considered obfuscation method, which requires at most 4 seconds for each image, is effective not only when we have a complete knowledge of the neural network that extracts the soft biometrics (white box attacks) but also when the adversarial attacks are generated in a more realistic black box scenario. Finally, we prove that an opponent can implement defense techniques to partially reduce the effect of the obfuscation, but substantially paying in terms of accuracy over clean images; this result, confirmed by the experiments carried out with three popular defense methods, namely adversarial training, denoising autoencoder, and Kullback-Leibler autoencoder, shows that it is not convenient for the opponent to defend himself and that the proposed approach is robust to defenses.<\/jats:p>","DOI":"10.1145\/3656474","type":"journal-article","created":{"date-parts":[[2024,4,6]],"date-time":"2024-04-06T10:19:41Z","timestamp":1712398781000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Facial Soft-biometrics Obfuscation through Adversarial Attacks"],"prefix":"10.1145","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9130-5533","authenticated-orcid":false,"given":"Vincenzo","family":"Carletti","sequence":"first","affiliation":[{"name":"University of Salerno, Fisciano, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7096-1902","authenticated-orcid":false,"given":"Pasquale","family":"Foggia","sequence":"additional","affiliation":[{"name":"University of Salerno, Fisciano, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5495-2432","authenticated-orcid":false,"given":"Antonio","family":"Greco","sequence":"additional","affiliation":[{"name":"University of Salerno, Fisciano, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4687-7994","authenticated-orcid":false,"given":"Alessia","family":"Saggese","sequence":"additional","affiliation":[{"name":"University of Salerno, Fisciano, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2948-741X","authenticated-orcid":false,"given":"Mario","family":"Vento","sequence":"additional","affiliation":[{"name":"University of Salerno, Fisciano, Italy"}]}],"member":"320","published-online":{"date-parts":[[2024,9,12]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","unstructured":"Izzat Alsmadi Kashif Ahmad Mahmoud Nazzal Firoj Alam Ala Al-Fuqaha Abdallah Khreishah and Abdulelah Algosaibi. 2021. Adversarial attacks and defenses for social network text processing applications: Techniques challenges and future research directions. 10.48550\/arXiv.2110.13980","DOI":"10.48550\/arXiv.2110.13980"},{"key":"e_1_3_1_3_2","first-page":"1","volume-title":"14th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS)","author":"Azzopardi George","year":"2017","unstructured":"George Azzopardi, Antonio Greco, Alessia Saggese, and Mario Vento. 2017. Fast gender recognition in videos using a novel descriptor based on the gradient magnitudes of facial landmarks. In 14th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS). IEEE, 1\u20136."},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2823378"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-019-09689-5"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3209542.3209552"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcci.2019.03.002"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/fg.2018.00020"},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2019.2910522"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-019-01267-5"},{"key":"e_1_3_1_13_2","article-title":"On evaluating adversarial robustness","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini, Anish Athalye, Nicolas Papernot, Wieland Brendel, Jonas Rauber, Dimitris Tsipras, Ian Goodfellow, Aleksander Madry, and Alexey Kurakin. 2019. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705 (2019).","journal-title":"arXiv preprint arXiv:1902.06705"},{"key":"e_1_3_1_14_2","article-title":"Defensive distillation is not robust to adversarial examples","author":"Carlini Nicholas","year":"2016","unstructured":"Nicholas Carlini and David Wagner. 2016. Defensive distillation is not robust to adversarial examples. arXiv preprint arXiv:1607.04311 (2016).","journal-title":"arXiv preprint arXiv:1607.04311"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_1_16_2","unstructured":"Valeriia Cherepanova Micah Goldblum Harrison Foley Shiyuan Duan John Dickerson Gavin Taylor and Tom Goldstein. 2021. LowKey: Leveraging adversarial attacks to protect social media users from facial recognition. (2021)."},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/2978568"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2480381"},{"issue":"2","key":"e_1_3_1_19_2","doi-asserted-by":"crossref","first-page":"739","DOI":"10.1007\/s11042-010-0635-7","article-title":"Bag of soft biometrics for person identification","volume":"51","author":"Dantcheva Antitza","year":"2011","unstructured":"Antitza Dantcheva, Carmelo Velardo, Angela D\u2019Angelo, and Jean-Luc Dugelay. 2011. Bag of soft biometrics for person identification. Multimedia Tools and Applications 51, 2 (2011), 739\u2013777.","journal-title":"Multimedia Tools and Applications"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2018.05.053"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-16-4884-7_3"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2017.08.367"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3154793"},{"key":"e_1_3_1_25_2","volume-title":"International Conference on Learning Representations","author":"Goodfellow Ian","year":"2015","unstructured":"Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1412.6572"},{"issue":"7","key":"e_1_3_1_26_2","first-page":"1","article-title":"Benchmarking deep network architectures for ethnicity recognition using a new large face dataset","volume":"31","author":"Greco Antonio","year":"2020","unstructured":"Antonio Greco, Gennaro Percannella, Mario Vento, and Vincenzo Vigilante. 2020. Benchmarking deep network architectures for ethnicity recognition using a new large face dataset. Machine Vision and Applications 31, 7 (2020), 1\u201313.","journal-title":"Machine Vision and Applications"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-021-05981-0"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-84882-301-3_8"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_1_30_2","volume-title":"IEEE\/CVF International Conference on Computer Vision (ICCV)","author":"Howard Andrew","year":"2019","unstructured":"Andrew Howard, Mark Sandler, Grace Chu, Liang-Chieh Chen, Bo Chen, Mingxing Tan, Weijun Wang, Yukun Zhu, Ruoming Pang, Vijay Vasudevan, Quoc V. Le, and Hartwig Adam. 2019. Searching for MobileNetV3. In IEEE\/CVF International Conference on Computer Vision (ICCV)."},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","unstructured":"Andrew G. Howard Menglong Zhu Bo Chen Dmitry Kalenichenko Weijun Wang Tobias Weyand Marco Andreetto and Hartwig Adam. 2017. MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications. 10.48550\/ARXIV.1704.04861","DOI":"10.48550\/ARXIV.1704.04861"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00745"},{"key":"e_1_3_1_33_2","unstructured":"Ruitong Huang Bing Xu Dale Schuurmans and Csaba Szepesvari. 2016. Learning with a Strong Adversary. arxiv:1511.03034 [cs.LG]"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1117\/12.542890"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-54526-4_39"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/tifs.2016.2555792"},{"key":"e_1_3_1_37_2","unstructured":"Simon Kemp. 2022. Digital 2022: Global Overview Report. https:\/\/datareportal.com\/reports\/digital-2022-global-overview-report"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1201\/9781351251389-8"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2015.7301352"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2019.00013"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-25538-0_37"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1177\/0022243719881113"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2020.09.001"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","unstructured":"Bo Liu Ming Ding Sina Shaham Wenny Rahayu Farhad Farokhi and Zihuai Lin. 2021. When machine learning meets privacy: A survey and outlook. Comput. Surveys 54 2 (2021) 1\u201336. 10.1145\/3436755","DOI":"10.1145\/3436755"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1155\/2017\/1897438"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","unstructured":"Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. 10.48550\/arXiv.1706.06083","DOI":"10.48550\/arXiv.1706.06083"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/MIPR.2018.00084"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1177\/2053951720904386"},{"key":"e_1_3_1_50_2","first-page":"34","volume-title":"IEEE Conference on Computer Vision and Pattern Recognition Workshops","author":"Ghazi Mostafa Mehdipour","year":"2016","unstructured":"Mostafa Mehdipour Ghazi and Hazim Kemal Ekenel. 2016. A comprehensive analysis of deep learning based representation for face recognition. In IEEE Conference on Computer Vision and Pattern Recognition Workshops. 34\u201341."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patrec.2015.08.006"},{"key":"e_1_3_1_54_2","first-page":"682","volume-title":"European Conference on Computer Vision Workshops","author":"Othman Asem","year":"2015","unstructured":"Asem Othman and Arun Ross. 2015. Privacy of facial soft biometrics: Suppressing gender but retaining identity. In European Conference on Computer Vision Workshops. Springer, 682\u2013696."},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","unstructured":"Prajit Ramachandran Barret Zoph and Quoc V. Le. 2017. Searching for Activation Functions. 10.48550\/ARXIV.1710.05941","DOI":"10.48550\/ARXIV.1710.05941"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-444-53859-8.00013-8"},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.image.2016.05.020"},{"key":"e_1_3_1_59_2","doi-asserted-by":"publisher","unstructured":"Ishai Rosenberg Asaf Shabtai Yuval Elovici and Lior Rokach. 2021. Adversarial machine learning attacks and defense methods in the cyber security domain. 36 pages. 10.1145\/3453158","DOI":"10.1145\/3453158"},{"key":"e_1_3_1_60_2","first-page":"1","volume-title":"53rd Conference on Information Sciences and Systems (CISS)","author":"Sahay Rajeev","year":"2019","unstructured":"Rajeev Sahay, Rehana Mahfuz, and Aly El Gamal. 2019. Combatting adversarial attacks through denoising and dimensionality reduction: A cascaded autoencoder approach. In 53rd Conference on Information Sciences and Systems (CISS). IEEE, 1\u20136."},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/BTAS.2008.4699354"},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474"},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/MDAT.2020.2971217"},{"key":"e_1_3_1_64_2","first-page":"1589","volume-title":"29th USENIX Security Symposium","author":"Shan Shawn","year":"2020","unstructured":"Shawn Shan, Emily Wenger, Jiayun Zhang, Huiying Li, Haitao Zheng, and Ben Y Zhao. 2020. Fawkes: Protecting personal privacy against unauthorized deep learning models. In 29th USENIX Security Symposium. 1589\u20131604."},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. 10.48550\/arXiv.1409.1556","DOI":"10.48550\/arXiv.1409.1556"},{"key":"e_1_3_1_66_2","volume-title":"6th International Conference on Learning Representations (ICLR), Conference Track Proceedings","author":"Song Yang","year":"2018","unstructured":"Yang Song, Taesup Kim, Sebastian Nowozin, Stefano Ermon, and Nate Kushman. 2018. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In 6th International Conference on Learning Representations (ICLR), Conference Track Proceedings."},{"key":"e_1_3_1_67_2","first-page":"553","volume-title":"European Conference on Computer Vision (ECCV)","author":"Sun Qianru","year":"2018","unstructured":"Qianru Sun, Ayush Tewari, Weipeng Xu, Mario Fritz, Christian Theobalt, and Bernt Schiele. 2018. A hybrid model for identity obfuscation by face replacement. In European Conference on Computer Vision (ECCV). 553\u2013569."},{"key":"e_1_3_1_68_2","volume-title":"International Conference on Learning Representations","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1312.6199"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2019.00012"},{"key":"e_1_3_1_70_2","unstructured":"Michael Tschannen Olivier Frederic Bachem and Mario Lu\u010di\u0107. 2018. Recent advances in autoencoder-based representation learning. (2018)."},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","unstructured":"Giovanni Vacanti and Arnaud Van Looveren. 2020. Adversarial detection and correction by matching prediction distributions. 10.48550\/arXiv.2002.09364","DOI":"10.48550\/arXiv.2002.09364"},{"issue":"1","key":"e_1_3_1_72_2","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1007\/s11390-019-1898-8","article-title":"Privacy-protective-GAN for privacy preserving face de-identification","volume":"34","author":"Wu Yifan","year":"2019","unstructured":"Yifan Wu, Fan Yang, Yong Xu, and Haibin Ling. 2019. Privacy-protective-GAN for privacy preserving face de-identification. Journal of Computer Science and Technology 34, 1 (2019), 47\u201360.","journal-title":"Journal of Computer Science and Technology"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00059"},{"key":"e_1_3_1_74_2","doi-asserted-by":"publisher","unstructured":"Kaiyu Yang Klint Qinami Li Fei-Fei Jia Deng and Olga Russakovsky. 2020. Towards fairer datasets: Filtering and balancing the distribution of the people subtree in the ImageNet hierarchy. In Proceedings of the 2020 Conference on Fairness Accountability and Transparency. ACM 547\u2013558. 10.1145\/3351095.3375709","DOI":"10.1145\/3351095.3375709"}],"container-title":["ACM Transactions on Multimedia Computing, Communications, and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3656474","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3656474","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:49:00Z","timestamp":1750286940000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3656474"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,12]]},"references-count":73,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2024,11,30]]}},"alternative-id":["10.1145\/3656474"],"URL":"https:\/\/doi.org\/10.1145\/3656474","relation":{},"ISSN":["1551-6857","1551-6865"],"issn-type":[{"value":"1551-6857","type":"print"},{"value":"1551-6865","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,9,12]]},"assertion":[{"value":"2023-07-28","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-03-25","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-12","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}