DataCook: Crafting Anti-Adversarial Examples for Healthcare Data Copyright Protection

To clearly present DataCook, we contrast it with unprotected data and watermarking [39] as shown in Fig. 1, highlighting DataCook’s difference and advantages. To better explain the comparison, We define a raw image dataset as $\mathcal{D}^{r}=\{(x^{r}_{i},y_{i})\}_{i=1}^{N}$, where the input space $\mathcal{X}^{r}=\{x^{r}_{i}\}_{i=1}^{N}\subset\mathbb{R}^{d}$ corresponds to the raw images and the label space $\mathcal{Y}=\{y_{i}\}_{i=1}^{N}=\{1,\ldots,c\}$ represents their associated labels. Here, $N$ denotes the number of samples, drawn from the distribution $\mathcal{D}^{r}$, covering the combined space of inputs and labels, $\mathcal{X}^{r}\times\mathcal{Y}$. A classification model $f^{r}=f^{r}_{\theta^{r}}:\mathcal{X}^{r}\rightarrow\mathbb{R}^{c}$ with logits output is parameterized by $\theta^{r}$, optimized based on $\mathcal{D}^{r}$. This process is denoted as $\theta^{r}=\theta^{r}(\{\mathcal{X}^{r},\mathcal{Y}\})$. Additionally, a protected image dataset, derived from the raw image dataset via specific processing steps, introduces a distribution $\mathcal{D}^{p}$. This protected image dataset maintains the same label space $\mathcal{Y}$ but occupies a modified input space $\mathcal{X}^{p}=\{x^{p}_{i}\}_{i=1}^{N}\subset\mathbb{R}^{d}$, ensuring that the dataset spans the domain $\mathcal{X}^{p}\times\mathcal{Y}$. A corresponding classification model $f^{p}_{\theta^{p}}:\mathcal{X}^{p}\rightarrow\mathbb{R}^{c}$ with logits output, parameterized by $\theta^{p}=\theta^{p}(\{\mathcal{X}^{p},\mathcal{Y}\})$, is trained on $\mathcal{D}^{p}$ and denoted as $f^{p}$.

Unprotected: Raw data can be directly utilized by unauthorized third parties for model development and deployment phases.

Watermarking [39]: Users receive watermarked data along with authorized methods for watermark removal to access the raw data. In the deployment stage, if model $f^{p}$ is trained on watermark-protected data, model $f^{p}$ exhibits an inability to classify both watermark-test data and raw test data effectively (crush performance). To preserve the model’s classification capability (normal performance), watermarks must be removed before model development. Once the watermark is removed and occurs data breaches, the data is vulnerable without any protective measures.

DataCook: The proposed DataCook transforms raw data into protected data before dataset distribution. In the deployment stage, models $f^{p}$ trained on DataCook-protected data achieve normal performance on DataCook-test data but have crush performance on raw test data. Even occurs a data breach after distribution and unauthorized third-party use leaks data for model development, new data still need DataCook processed to ensure the model’s classification capability in the model development stage where only data from authorized users can undergo DataCook processing. This process grants copyright holders control over authorization during the deployment phase and effectively mitigates data breach risks.

To achieve DataCook, the primary objective is to minimize the performance of model $f^{p}$ when it is evaluated on the raw image dataset $\mathcal{D}^{r}$ to prioritize data copyright protection. Concurrently, it is vital to ensure that the performance of model $f^{p}$ on the protected image dataset $\mathcal{D}^{p}$ closely matches the performance of model $f^{r}$ on the raw image dataset $\mathcal{D}^{p}$ to preserves model normal performance. Additionally, to ensure similarity, the distance between the raw image space $\mathcal{X}^{r}$ and the protected image space $\mathcal{X}^{p}$ must be minimized. we adopted the Structural Similarity (SSIM) index as a distance metric between the raw image space and the protected image space, aiming to minimize the intrusiveness of the transformation. Thus, The optimization task can be formalized as:

where $\mathcal{E}(f,\mathcal{D})$ denotes the evaluation metric for model $f$ on dataset $\mathcal{D}$; $\alpha$ is a threshold for the distance between $\mathcal{X}^{r}$ and $\mathcal{X}^{p}$; $\epsilon$ Represents an acceptable performance discrepancy, ideally zero; $f^{p}=f^{p}_{\theta^{p}}$ is parameterized by $\theta^{p}=\theta^{p}(\{\mathcal{X}^{p},\mathcal{Y}\})$.

Our strategy capitalizes on the potential of adversarial examples, which we have found to be particularly suited for resolving this optimization task. Adversarial examples are crafted by introducing a subtle perturbation $\zeta$ to the input raw image $x^{r}_{i}$ as shown in Eq. 4, aimed at minimally yet significantly impacting the model’s prediction accuracy [47].

Perturbations are informed by data gradients, making them a targeted feature rather than mere noise [28]. Their subtlety and difficulty in detection ensure that adversarial examples satisfy the similarity criteria in Eq. 3 and adversarial examples serving in adversarial training to bolster model robustness [31, 46, 45, 2] which align with Eq. 2 to maintain model performance. However, the potential of adversarial training to reduce model performance led us to develop the concept of anti-adversarial examples [40, 44]. Contrary to traditional adversarial examples that aim to degrade performance, anti-adversarial examples are designed to improve it, directly addressing the criteria of Eq. 2. Our method confronts the complex challenge delineated by Eq. 1, with forthcoming experiments aimed at validating that our anti-adversarial examples not only adhere to the guidelines of Eq. 2 and Eq. 3 but also achieve the overarching goals of Eq. 1.

As illustrated in Fig. 2, we detail the process of generating anti-adversarial examples. Firstly, employing a pre-trained surrogate model $f^{r}$ to predict the output of a raw image $x^{r}_{i}$ and use the highest probability output as a pseudo-label $\hat{y}_{i}$, anti-adversarial examples are crafted by maximizing the logistic probability of the pseudo label as shown in Eq. 5, contrasting with adversarial examples that aim to minimize this probability in Eq. 4:

where $\mathcal{L}$ is the loss function tailored to maximize the logistic probability of $\hat{y}_{i}$ directly. We set SSIM threshold of 0.8 to maintain visual similarity.