Adversarial Image Perturbation for Privacy Protection A Game Theory Perspective Supplementary Materials

In the main paper, we have reviewed variants of AIPs according to the loss functions and the optimisation algorithms. Algorithms FGV, FGS, BI, and GA use the softmax-log loss − log f̂ . The DeepFool (DF) and our GAMAN variants use the difference of two scores (e.g. f ? − f). This section includes an auxiliary analysis for the effect of the loss type: softmax-log loss− log f̂ versus score loss −f . We denote the score loss analogues with the suffix -S (e.g. FGS-S). We also include FGMAN (Fast Gradient – Maximal Among Non-GT), the single iteration analogue of GAMAN, for completeness. See table 1 for a summary. The corresponding empirical performances are shown in table 2 and 4. Since single-iteration AIPs are significantly outperformed by the multi-iteration AIPs, we have focused on the latter in the main paper, and so do we here. In table 2, we observe that the choice of the loss function does not make much difference. Table 4 further supports this view against image processing techniques, although the softmaxlog loss does perform marginally better.