ML Security PapersPPEDCRF: Privacy-Preserving Enhanced Dynamic CRF for Location-Privacy Protection for Sequence Videos with Minimal Detection Degradation
Bo Ma 1, Jinsong Wu 2, Weiqi Yan 1, Catherine Shi 1, Minh Nguyen 1
Published on arXiv
2603.01593
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
PPEDCRF significantly reduces Top-k location-retrieval accuracy of background-based matching attackers while maintaining competitive mAP and segmentation metrics versus global noise, white-noise masking, and feature-based anonymization baselines.
PPEDCRF
Novel technique introduced
Dashcam videos collected by autonomous or assisted-driving systems are increasingly shared for safety auditing and model improvement. Even when explicit GPS metadata are removed, an attacker can still infer the recording location by matching background visual cues (e.g., buildings and road layouts) against large-scale street-view imagery. This paper studies location-privacy leakage under a background-based retrieval attacker, and proposes PPEDCRF, a privacy-preserving enhanced dynamic conditional random field framework that injects calibrated perturbations only into inferred location-sensitive background regions while preserving foreground detection utility. PPEDCRF consists of three components: (i) a dynamic CRF that enforces temporal consistency to discover and track location sensitive regions across frames, (ii) a normalized control penalty (NCP) that allocates perturbation strength according to a hierarchical sensitivity model, and (iii) a utility-preserving noise injection module that minimizes interference to object detection and segmentation. Experiments on public driving datasets demonstrate that PPEDCRF significantly reduces location-retrieval attack success (e.g., Top-k retrieval accuracy) while maintaining competitive detection performance (e.g., mAP and segmentation metrics) compared with common baselines such as global noise, white-noise masking, and feature-based anonymization. The source code is in https://github.com/mabo1215/PPEDCRF.git
Key Contributions
- Dynamic CRF that enforces temporal consistency to discover and track location-sensitive background regions across video frames
- Normalized Control Penalty (NCP) that allocates perturbation strength via a hierarchical sensitivity model to minimize detection degradation
- Utility-preserving noise injection module balancing location-privacy disruption against mAP and segmentation performance on ADAS pipelines
🛡️ Threat Analysis
PPEDCRF injects calibrated adversarial perturbations into image frames at inference time specifically to cause an ML-based image retrieval model (the location attacker) to fail at matching background features against a street-view database — a novel adversarial perturbation defense against a concrete ML inference-time attacker. The note in the spec explicitly confirms: 'adversarial perturbations to prevent location inference is ML01.'.