Hoang-Quoc NGUYEN-SON Minh-Triet TRAN Hiroshi YOSHIURA Noboru SONEHARA Isao ECHIZEN
While online social networking is a popular way for people to share information, it carries the risk of unintentionally disclosing personal information. One way to reduce this risk is to anonymize personal information in messages before they are posted. Furthermore, if personal information is somehow disclosed, the person who disclosed it should be identifiable. Several methods developed for anonymizing personal information in natural language text simply remove sensitive phrases, making the anonymized text message unnatural. Other methods change the message by using synonymization or structural alteration to create fingerprints for detecting disclosure, but they do not support the creation of a sufficient number of fingerprints for friends of an online social network user. We have developed a system for anonymizing personal information in text messages that generalizes sensitive phrases. It also creates a sufficient number of fingerprints of a message by using synonyms so that, if personal information is revealed online, the person who revealed it can be identified. A distribution metric is used to ensure that the degree of anonymization is appropriate for each group of friends. A threshold is used to improve the naturalness of the fingerprinted messages so that they do not catch the attention of attackers. Evaluation using about 55,000 personal tweets in English demonstrated that our system creates sufficiently natural fingerprinted messages for friends and groups of friends. The practicality of the system was demonstrated by creating a web application for controlling messages posted on Facebook.
Digital watermarks on pictures must have the ability to survive various image processing operations while not causing degradation of picture quality. Random geometric distortion is one of the most difficult kinds of image processing for a watermark to survive, and this problem has become a central issue in watermarking research. Previous methods for dealing with random geometric distortion have been based on searches, special watermark patterns, learning, or additional data such as original pictures. Their use, however, is accompanied by large computational overhead or by operational inconvenience. This paper therefore proposes a method based on embedding watermark patterns in two of the three color planes constituting a color picture so that these two planes have a specific covariance. The detection of the embedded information is based on the covariance between these two planes. Random geometric distortion distorts all the constituent color planes of a picture in the same way and thus does not affect the covariance between any two. The covariance-based detection is therefore immune to the distortion. The paper clarifies that detection error would occur whenever the inherent covariance (the covariance in the original picture) overrides the covariance made by watermarking. The two constituent planes having the minimum inherent covariance are therefore selected and their inherent covariance is reduced by shifting one of them and using a noise-reduction preprocess. Experimental evaluations using StirMark confirmed that 64 bits embedded in 256×256-pixel pictures can be correctly detected without using searches, special patterns, learning, or additional data.
Isao ECHIZEN Noboru BABAGUCHI Junichi YAMAGISHI Naoko NITTA Yuta NAKASHIMA Kazuaki NAKAMURA Kazuhiro KONO Fuming FANG Seiko MYOJIN Zhenzhong KUANG Huy H. NGUYEN Ngoc-Dung T. TIEU
With the spread of high-performance sensors and social network services (SNS) and the remarkable advances in machine learning technologies, fake media such as fake videos, spoofed voices, and fake reviews that are generated using high-quality learning data and are very close to the real thing are causing serious social problems. We launched a research project, the Media Clone (MC) project, to protect receivers of replicas of real media called media clones (MCs) skillfully fabricated by means of media processing technologies. Our aim is to achieve a communication system that can defend against MC attacks and help ensure safe and reliable communication. This paper describes the results of research in two of the five themes in the MC project: 1) verification of the capability of generating various types of media clones such as audio, visual, and text derived from fake information and 2) realization of a protection shield for media clones' attacks by recognizing them.
Digital watermarks on pictures are more useful when they are better able to survive image processing operations and when they cause less degradation of picture quality. Random geometric distortion is one of the most difficult kinds of image processing for watermarks to survive because of the difficulty of synchronizing the expected watermark patterns to the watermarks embedded in pictures. This paper proposes three methods to improve a previous method that is not affected by this difficulty but that is insufficient in maintaining picture quality and treating other problems in surviving image processing. The first method determines the watermark strength in L*u*v* space, where human-perceived degradation of picture quality can be measured in terms of Euclidian distance, but embeds and detects watermarks in YUV space, where the detection is more reliable. The second method, based on the knowledge of image quantization, uses the messiness of color planes to hide watermarks. The third method reduces detection noises by preprocessing the watermarked image with orientation-sensitive image filtering, which is especially effective in picture portions where pixel values change drastically. Subjective evaluations have shown that these methods improved the picture quality of the previous method by 0.5 point of the mean evaluation score at the representative example case. On the other hand, the watermark strength of the previous method could be increased by 30% through 60% while keeping the same picture quality. Robustness to image processing has been evaluated for random geometric distortion, JPEG compression, Gaussian noise addition, and median filtering and it was clarified that these methods reduced the detection error ratio to 1/10 through 1/4. These methods can be applied not only to the previous method but also to other types of pixel-domain watermarking such as the Patchwork watermarking method and, with modification, to frequency-domain watermarking.
Huy H. NGUYEN Minoru KURIBAYASHI Junichi YAMAGISHI Isao ECHIZEN
Deep neural networks (DNNs) have achieved excellent performance on several tasks and have been widely applied in both academia and industry. However, DNNs are vulnerable to adversarial machine learning attacks in which noise is added to the input to change the networks' output. Consequently, DNN-based mission-critical applications such as those used in self-driving vehicles have reduced reliability and could cause severe accidents and damage. Moreover, adversarial examples could be used to poison DNN training data, resulting in corruptions of trained models. Besides the need for detecting adversarial examples, correcting them is important for restoring data and system functionality to normal. We have developed methods for detecting and correcting adversarial images that use multiple image processing operations with multiple parameter values. For detection, we devised a statistical-based method that outperforms the feature squeezing method. For correction, we devised a method that uses for the first time two levels of correction. The first level is label correction, with the focus on restoring the adversarial images' original predicted labels (for use in the current task). The second level is image correction, with the focus on both the correctness and quality of the corrected images (for use in the current and other tasks). Our experiments demonstrated that the correction method could correct nearly 90% of the adversarial images created by classical adversarial attacks and affected only about 2% of the normal images.
Noboru BABAGUCHI Isao ECHIZEN Junichi YAMAGISHI Naoko NITTA Yuta NAKASHIMA Kazuaki NAKAMURA Kazuhiro KONO Fuming FANG Seiko MYOJIN Zhenzhong KUANG Huy H. NGUYEN Ngoc-Dung T. TIEU
Fake media has been spreading due to remarkable advances in media processing and machine learning technologies, causing serious problems in society. We are conducting a research project called Media Clone aimed at developing methods for protecting people from fake but skillfully fabricated replicas of real media called media clones. Such media can be created from fake information about a specific person. Our goal is to develop a trusted communication system that can defend against attacks of media clones. This paper describes some research results of the Media Clone project, in particular, various methods for protecting personal information against generating fake information. We focus on 1) fake information generation in the physical world, 2) anonymization and abstraction in the cyber world, and 3) modeling of media clone attacks.
Advances in fingerprint authentication technology have led to it being used in a growing range of personal devices such as PCs and smartphones. However, they have also made it possible to capture fingerprints remotely with a digital camera, putting the target person at risk of illegal log-ins and identity theft. This article shows how fingerprints captured in this manner can be authenticated and how people can protect their fingerprints against surreptitious photography. First we show that photographed fingerprints have enough information to spoof fingerprint authentication systems by demonstrating with “fake fingers” made from such photographs. Then we present a method that defeats the use of surreptitious photography without preventing the use of legitimate fingerprint authentication devices. Finally, we demonstrate that an implementation of the proposed method called “BiometricJammer,” a wearable device put on a fingertip, can effectively prevent the illegal acquisition of fingerprints by surreptitious photography while still enabling contact-based fingerprint sensors to respond normally.