Transferable Adversarial Facial Images for Privacy Protection

Minghui Li, Jiangxiong Wang, Hao Zhang, Ziqi Zhou, Shengshan Hu, Xiaobing Pei

TL;DR

The paper addresses privacy protection against deep face recognition by generating natural, transferable adversarial faces without guidance references. It proposes GIFT, which performs Global Adversarial Latent Search in the F latent space, coupled with a key landmark regularization to preserve identity while optimizing an adversarial objective across a diverse ensemble of FR models. Experiments on CelebA-HQ and LADN demonstrate substantial transferability gains against both deep FR models and commercial APIs, while maintaining high visual quality, outperforming state-of-the-art baselines. The work highlights the importance of global latent optimization and semantic regularization for robust black-box privacy protection and provides practical guidance on latent-space choices for real-world deployment.

Abstract

The success of deep face recognition (FR) systems has raised serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Previous studies proposed introducing imperceptible adversarial noises into face images to deceive those face recognition models, thus achieving the goal of enhancing facial privacy protection. Nevertheless, they heavily rely on user-chosen references to guide the generation of adversarial noises, and cannot simultaneously construct natural and highly transferable adversarial face images in black-box scenarios. In light of this, we present a novel face privacy protection scheme with improved transferability while maintaining high visual quality. We propose shaping the entire face space directly instead of exploiting one kind of facial characteristic like makeup information to integrate adversarial noises. To achieve this goal, we first exploit global adversarial latent search to traverse the latent space of the generative model, thereby creating natural adversarial face images with high transferability. We then introduce a key landmark regularization module to preserve the visual identity information. Finally, we investigate the impacts of various kinds of latent spaces and find that $\mathcal{F}$ latent space benefits the trade-off between visual naturalness and adversarial transferability. Extensive experiments over two datasets demonstrate that our approach significantly enhances attack transferability while maintaining high visual quality, outperforming state-of-the-art methods by an average 25% improvement in deep FR models and 10% improvement on commercial FR APIs, including Face++, Aliyun, and Tencent.

Paper Structure (15 sections, 5 equations, 12 figures, 4 tables, 1 algorithm)


Figures (12)

  • Figure 1: Illustration of facial privacy protection
  • Figure 2: Evaluation of GALS and LALS on different FR models. We conduct training on a single model and subsequently test it on the remaining three. Results are presented for three different false acceptance rates (i.e., $0.1$, $0.01$, $0.001$).
  • Figure 3: Protection success rates of different latent spaces on four FR models in the black-box setting. Specifically, we perform training on a single model and subsequently test it on the remaining three. We set the false match rate to 0.01 for each model.
  • Figure 4: FID comparison in three latent spaces
  • Figure 5: The framework of GIFT
  • ...and 7 more figures