Stealthy Porn: Understanding Real-World Adversarial Images for - PowerPoint PPT Presentation

Stealthy Porn: Understanding Real-World Adversarial Images for Illicit Online Promotion Yuan, Di Tang , Xiaojing Liao, XiaoFeng Wang, Xuan Feng, Kan Yi Chen, Menghan Sun, Haoran Lu, Kehuan Zhang

A C ASE IN THE W ILD Sexual stream t.cn Sina’s URL shortener service p*.z*.s*.com SoHu redirector s*.top landing domain Illicit content detector Evade

����� A DVERSARIAL I MAGES IN THE R EAL -W ORLD Earn your money I am so attractive, and always on photos to catch the eyes. APPIs I am y ov r need Adversarial Promotional Porn Images

APPI S ARE D IFFERENT Adversarial Examples Corrupted Images • large noise • small noise I am y ov r need • meaningless • nearly indistinguishable

APPI S C OMPOSITION Noise Abnormal shape Transparent box Promotional information I am y ov r need Color strips

Two common characters: M ALÈNA : F INDING S TEALTHY P ORN ✤ Promotional content. ✤ less obfuscated explicit content I am y ov r need

M ALÈNA : F INDING S TEALTHY P ORN promotional evasiveness content I image type APPIs explicit content

M ALÈNA : F INDING S TEALTHY P ORN promotional evasiveness content I image type APPIs explicit content

M ALÈNA : F INDING S TEALTHY P ORN promotional evasiveness content I image type APPIs explicit content

M ALÈNA : P ROMOTIONAL C ONTENT I DENTIFIER Text: PiexlLink QRcode: ZBar, ZXing, BoofCV WeChat

M ALÈNA : P ROMOTIONAL C ONTENT I DENTIFIER Text: QRcode: PiexlLink

M ALÈNA : F INDING S TEALTHY P ORN promotional evasiveness content I image type APPIs explicit content

M ALÈNA : R EGIONAL E XPLICIT C ONTENT D ETECTOR

M ALÈNA : R EGIONAL E XPLICIT C ONTENT D ETECTOR

M ALÈNA : R EGIONAL E XPLICIT C ONTENT D ETECTOR Explicit ResNet-50

M ALÈNA : F INDING S TEALTHY P ORN promotional evasiveness content I image type APPIs explicit content

M ALÈNA : P ERFORMANCE Tieba, Weibo) • Performance: 91% precision , 85% recall • Result: 4,353/6,163 APPIs , from 4M images, 76K posts (Baidu

M EASUREMENT ✤ Visual pattern. ✤ Promotional content. ✤ Distribution channels.

Original Blur Noise Rotation Occlusion Texture Color manipulation Transparentization M EASUREMENT : V ISUAL P ATTERN

M EASUREMENT : V ISUAL P ATTERN • Rotation ➤ 45 and 135 degrees are effective

M EASUREMENT : V ISUAL P ATTERN • Rotation ➤ 45 and 135 degrees are effective • Noising ➤ Less noising is enough

M EASUREMENT : V ISUAL P ATTERN • Rotation ➤ 45 and 135 degrees are effective • Noising ➤ Less noising is enough • Color-manipulation ➤ Green is evasive colour

M EASUREMENT : P ROMOTIONAL C ONTENT

M EASUREMENT : P ROMOTIONAL C ONTENT

M EASUREMENT : P ROMOTIONAL C ONTENT Reuse of promotional content Reuse of explicit content 232 / 612 (37%) 3981 / 4353 (91%)

M EASUREMENT : P ROMOTIONAL C ONTENT Reuse of promotional content Reuse of explicit content 232 / 612 (37%) 3981 / 4353 (91%)

M EASUREMENT : D ISTRIBUTION C HANNELS Compromised accounts: rarely post comment only on hot microblog Dedicated accounts: > 30 posts/day with meaningless sentences 60% 45% 30% 51% 15% 24% 0% Compromised Dedicated

L ESSION L EARNED Visual pattern. Harden current models. Promotional content. Regularize promotion channel. Distribution channels. Secure accounts.

adversarial images deserves further studies T AKE - AWAYS ✤ APPIs are prevalent ✤ Understanding criminal goal and ecosystem behind ✤ Hardening machine learning model against APPI attack

T HANK Y OU !