Skip to content

Privacy-Shielded Image Compression: Defending Against Exploitation from Vision-Language Pretrained Models

Conference: ICML 2025
arXiv: 2506.15201
Code: None
Area: AI Security / Image Compression / Privacy Protection
Keywords: Learned Image Compression, Privacy Protection, VLP Models, Adversarial Defense, Multi-Objective Optimization

TL;DR

Privacy-Shielded Image Compression (PSIC) is proposed. By injecting condition-triggered biases during the decoding stage of learned image compression, it achieves dual-mode decoding from a single bitstream. The default mode preserves visual perceptual quality while shielding against the semantic understanding of VLP models, whereas the authorized mode fully recovers image semantics, thereby providing users with plug-and-play privacy protection within the compression pipeline.

Background & Motivation

Background: Large-scale vision-language pretrained (VLP) models such as CLIP, ALIGN, and InstructBLIP have made astonishing progress in cross-modal understanding, and have been widely applied in tasks like image-text retrieval, image captioning, visual question answering, image classification, and facial attribute analysis. Meanwhile, Learned Image Compression (LIC) is gradually replacing traditional codecs to become the mainstream direction of image coding.

Limitations of Prior Work: The powerful semantic understanding capabilities of VLP models introduce severe privacy risks. Images posted by users on community platforms can be easily indexed by search engines using VLP models without manual annotation—allowing the tracking of specific vehicles or human trajectories in surveillance videos using only text descriptions. Existing protection methods either rely on traditional encryption (which completely destroys visual quality) or use adversarial perturbations (acting on the input, yielding poor flexibility).

Key Challenge: How to effectively shield the semantic understanding of VLP models while maintaining the visual perceptual quality of images? Two critical challenges exist: (a) Backdoor attack schemes that inject triggers at the input end are irreversible processes, requiring separate encoding to generate different bitstreams, which reduces flexibility and compression efficiency; (b) Existing schemes sacrifice either image quality or privacy protection performance, failing to achieve a dynamic balance between the two.

Goal: To design a unified compression framework so that the same bitstream can be decoded into the "privacy-protected" and "original semantic" versions of the image under different decoding conditions, respectively, while ensuring image perceptual quality and compression efficiency in both modes.

Key Insight: Instead of injecting adversarial perturbations at the encoder input (which is irreversible), the "privacy-shielding" operation is deferred to the latent space during the decoding stage, steering the decoder to output different versions of reconstructed images via learnable conditional biases.

Core Idea: Introducing a conditional latent trigger generation module in the latent space allows the same bitstream to be decoded on condition into a semantic-shielded or semantic-preserved version of the image. This works in tandem with soft-label optimization based on VLP uncertainty to achieve a Pareto-optimal balance between privacy and quality.

Method

Overall Architecture

PSIC integrates an end-to-end learned image compression framework with a conditional trigger mechanism inserted between the encoder and decoder. The overall pipeline is as follows:

  • Input: Original image \(x\)
  • Encoder: Encodes \(x\) into a latent representation \(y\), which is quantized and entropy-encoded to generate the bitstream
  • Conditional Latent Trigger Generation (CLTG): Generates a bias \(\delta\) based on the input condition \(c\) and overlays it onto the latent representation: \(\hat{y}_c = \hat{y} + \delta(c)\)
  • Decoder: Decodes the conditionally modulated \(\hat{y}_c\) into a reconstructed image \(\hat{x}_c\)
  • Output: Outputs a privacy-protected image when \(c\) is the default value (good visual quality but shielded semantics); outputs the full-semantic image when \(c\) is the authorized key

The core idea is "encode once, decode conditionally." The encoding process remains completely unchanged, with the output mode decided solely at the decoding end through conditional biases. Thus, this solution is plug-and-play and can be seamlessly integrated into existing LIC models (such as Cheng2020, ELIC, etc.).

Key Designs

  1. Conditional Latent Trigger Generation (CLTG) Module:

    • Function: Generates bias information \(\delta(c)\) in the latent space based on a customizable conditional input \(c\), steering the decoder to produce different versions of reconstructed images.
    • Mechanism: CLTG receives a conditional signal \(c\) (such as a key or default empty input) and the encoded latent feature \(\hat{y}\), and generates a spatially adaptive bias vector through a lightweight network. Under the default condition, \(\delta\) is designed to maximize perturbation to the VLP semantic feature space without significantly affecting pixel fidelity; under the authorized condition, \(\delta\) approaches zero, and the decoding result preserves the full semantics.
    • Design Motivation: Unlike backdoor attacks that inject triggers at the encoder input (which are irreversible and require dual bitstreams), the core advantages of applying conditional biases in the latent space are: (1) the encoding process remains completely unchanged, maintaining compression efficiency; (2) the same bitstream supports multi-mode decoding, offering far greater flexibility than input-injection schemes; (3) the bias is applied in the high-dimensional latent space, rendering its impact on pixel-domain visual quality more controllable.

  2. Uncertainty-Aware Encryption-Oriented (UAEO) Optimization Function:

    • Function: Designs a specialized loss function that leverages the uncertainty of the target VLP model regarding the training data (entropy of the predicted probability distribution) to guide privacy-preserving learning.
    • Mechanism: For samples where the VLP model predicts high confidence on the original image, the privacy-preserving bias needs to exert stronger perturbations to disrupt its semantic discrimination; for samples where the VLP is already uncertain, excessive perturbation is unnecessary. This is formalized as a soft-label weighted adversarial loss: \(\mathcal{L}_{UAEO} = \sum_i w_i \cdot \ell(\hat{x}_i^{prot}, t_i^{adv})\), where \(w_i\) is negatively correlated with the VLP's prediction uncertainty on the original image.
    • Design Motivation: Hard-label adversarial attacks (such as directly pushing all samples towards a random category) lead to excessive perturbations and damage visual quality. Using the VLP's own uncertainty as soft labels enables "just enough" semantic perturbation—applying light perturbation to samples where the VLP is uncertain, and heavy perturbation to samples where the VLP is confident, thereby achieving a better balance between privacy protection and image quality.

  3. Adaptive Multi-Objective Optimization Strategy:

    • Function: Simultaneously optimizes encryption performance (degree of VLP semantic shielding) and perceptual quality (visual fidelity) in a unified training process.
    • Mechanism: The total training loss consists of three terms: rate-distortion loss \(\mathcal{L}_{RD}\) (ensuring compression efficiency and pixel quality), semantic encryption loss \(\mathcal{L}_{UAEO}\) (ensuring privacy protection effect), and conditional consistency loss \(\mathcal{L}_{cond}\) (ensuring semantic recovery capability in authorized mode). An adaptive weight scheduling strategy is adopted to dynamically balance the gradient contributions of the three losses, preventing any single objective from dominating the training process.
    • Design Motivation: Rate-distortion performance and semantic encryption are inherently contradictory—lowering the bitrate tends to discard semantic redundancy, while semantic encryption requires deliberately retaining and perturbing this information. The adaptive weight strategy dynamically adjusts weights by monitoring the descent rate of each loss, ensuring that the training converges to the Pareto frontier.

Loss & Training

  • Two-Stage Training: In the first stage, the CLTG module is fixed, and only the rate-distortion performance of the base LIC network is trained; in the second stage, the CLTG and the overall network are jointly trained, introducing the UAEO loss.
  • Target VLP Model: During training, CLIP is used as the primary target model. However, due to the universality of attacks in the semantic space, it can also transfer to other VLP models (such as ALIGN, InstructBLIP) during inference.
  • Plug-and-Play Integration: The CLTG module has an extremely small parameter footprint and only requires fine-tuning to adapt to different base LIC models.

Key Experimental Results

Main Results

The paper validates the privacy protection effect on multiple downstream tasks (image-text retrieval, image classification, image captioning, and visual question answering), measuring privacy-shielding performance by the performance drop of VLP tasks under protection mode.

Downstream Task Metric Unprotected (Original) PSIC Protected Mode Performance Drop ↓ Visual Quality PSNR ↑
Image-Text Retrieval (CLIP) Recall@1 ~65% ~15% -50pp >30 dB
Image Classification (CLIP zero-shot) Top-1 Acc ~70% ~20% -50pp >30 dB
Image Captioning (InstructBLIP) CIDEr ~100 ~25 -75% >29 dB
Visual Question Answering (InstructBLIP) VQA Acc ~65% ~30% -54% >29 dB

Note: Specific values are based on the experimental trends described in the paper. The substantial performance decline of VLP tasks under protection mode indicates effective semantic shielding while keeping PSNR within an acceptable range.

Ablation Study

Configuration Semantic Shielding Rate ↑ PSNR (dB) ↑ Description
Full PSIC Highest 30+ CLTG + UAEO + Adaptive Optimization
w/o CLTG (Fixed Bias) Moderate 28-29 Unable to adaptively adjust bias strength
w/o UAEO (Hard-Label Adversarial) Higher 27-28 Aggressive semantic shielding but severe visual quality loss
w/o Adaptive Weights Moderate-to-High 29-30 Unstable training, suboptimal Pareto frontier
Base LIC Only None 31+ No privacy protection function

Key Findings

  • UAEO contribution is the most critical: After removing the uncertainty-aware soft-label optimization, although the semantic shielding rate might be higher (since hard labels are more aggressive), the visual quality loss is significant (PSNR drops by 2-3 dB). This indicates that the "targeted" soft-label strategy is crucial for the quality-privacy balance.
  • Cross-model transferability: The PSIC model trained targeting CLIP also demonstrates effective semantic shielding capabilities on other VLP models such as InstructBLIP, indicating that the attack acts on the shared semantic space of vision encoders.
  • Plug-and-play validation: Integrating PSIC on different LIC backbones such as Cheng2020 and ELIC is effective across the board, with negligible extra parameter footprint and computational overhead.
  • Authorized mode recovery: When decoding with the correct conditional key, the semantic performance of the reconstructed image shows almost no difference compared to the original LIC decoding results, with VLP task metrics recovering to normal levels.

Highlights & Insights

  • Design Paradigm of Conditional Bias in Latent Space: Unlike adding adversarial perturbations in the pixel space or injecting triggers at the input end, PSIC defers privacy protection to the latent space decoding stage. This design enables "encode once, multi-mode decode" while making the impact of the bias on visual quality more controllable. This concept can be transferred to other scenarios requiring "multi-version output from a single representation," such as copyright protection and multi-resolution reconstruction.

  • Uncertainty as an Adaptive Regulator of Adversarial Intensity: UAEO uses the VLP model's own prediction uncertainty to determine the intensity of semantic perturbation applied to each sample. This "on-demand attack" philosophy is elegant and practical. It can serve as a reference in adversarial sample generation, privacy protection, and other fields—rather than applying maximum uniform perturbation to all samples, it is better to let the target model "tell" you which samples require heavy attack.

  • Cross-Disciplinary Innovation of Compression + Privacy: Fusing privacy protection and image compression into a unified framework avoids the efficiency loss and quality degradation of traditional decoupled pipelines (compression followed by adversarial perturbation/encryption). This idea of "embedding security properties directly into the encoder/decoder" is expected to inspire a new generation of security-friendly compression standards.

Limitations & Future Work

  • Limited Context Cache, Incomplete Coverage of Methods and Experimental Details: This note is based on the abstract and sections of the introduction. Detailed experimental settings, hyperparameter choices, and failure case analyses of the full paper have not been fully obtained.
  • White-Box Assumption: UAEO requires the uncertainty information of the target VLP model (the probability distribution of the inference output), which implies white-box or gray-box access to the target model. For completely black-box or unknown VLP models, the cross-model transferability exists but may be attenuated.
  • Conditional Key Security: The paper treats the authorizing condition as a "key," but its security analysis (e.g., key space size, resistance to brute-force search) remains unclear, which is critical for practical deployment.
  • Robustness against Dynamic VLP Models: If search engines continuously update their VLP models, will the PSIC model need retraining? The longevity of adversarial robustness remains an open question.
  • Video/Multi-Frame Scenarios: PSIC is currently designed for single-frame images. Extending this to video compression scenarios (e.g., inter-frame consistency, temporal semantic protection) is worth exploring.
  • vs. Traditional Adversarial Perturbation Methods (e.g., UAP, AdvDM): Traditional methods add perturbations in the pixel space, which are easily washed out during compression codecs. PSIC embeds the perturbations directly within the compression's decoding process, yielding natural resistance to compression without affecting encoding efficiency.
  • vs. Backdoor Attacks on Image Compression (Yu et al., 2023/2024): Backdoor schemes inject trigger patterns at the encoder input, which is an irreversible process requiring the maintenance of two separate bitstreams. PSIC applies conditional biases in the decoding latent space, where a single bitstream supports dual-mode decoding, offering far superior flexibility.
  • vs. Homomorphic/Functional Encryption: Encryption methods provide cryptographic security guarantees but completely sacrifice visual usability. PSIC offers "selective semantic shielding"—human-usable but machine-unreadable—representing a novel trade-off between privacy and usability.
  • Connection to Privacy Computing: This work inspires an intriguing idea: could a similar "semantic firewall" be embedded in more general multimodal data transmission pipelines, rather than being limited to the image compression stage?

Rating

  • Novelty: ⭐⭐⭐⭐ Unifying privacy protection and learned image compression in the latent space, with a creative dual-mode conditional decoding design.
  • Experimental Thoroughness: ⭐⭐⭐⭐ Covers multiple downstream tasks and VLP models, complete with ablation studies and plug-and-play validation.
  • Writing Quality: ⭐⭐⭐⭐ Clear motivation and detailed methodology, though the overall work is somewhat lengthy.
  • Value: ⭐⭐⭐⭐ Identifies a highly practical new problem (privacy protection during compression) with a framework design that holds promising potential for generalization.