Abstract: Aiming at the privacy protection requirements of existing image datasets, a privacy-preserving scenario of image datasets and a privacy-preserving image alternative data generation method is proposed. The scenario is to replace the original image dataset with an alternative image dataset processed by a privacy-preserving method, where the substitute image is in one-to-one correspondence with the original image. And humans can not identify the category of the substitute image, the substitute image can be used to train existing deep learning images classification algorithm, having a good classification effect. For this scenario, the data privacy protection method based on the PGD ( Project Gradient Descent) attack is improved, and the attack target of the original PGD attack is changed from the label to the image, that is the image-to-image attack. A robust model for image-to- image attacks as a method for generating alternative data. On the standard testset, the replaced CIFAR(Canadian Institute For Advanced Research 10)dataset and CINIC dataset achieved 87. 15% and 74. 04% test accuracy on the image classification task. Experimental results show that the method is able to generate an alternative dataset to the original dataset while guaranteeing the privacy of the alternative dataset to humans, and guarantees the classification performance of existing methods on this dataset. 

Key words: deep learning')">

deep learning, privacy protection, computer vision, adversarial attack, adversarial example