⚠️ 以下所有内容总结都来自于 大语言模型的能力,如有错误,仅供参考,谨慎使用
🔴 请注意:千万不要用于严肃的学术场景,只能用于论文阅读前的初筛!
💗 如果您觉得我们的项目对您有帮助 ChatPaperFree ,还请您给我们一些鼓励!⭐️ HuggingFace免费体验
2024-12-25 更新
ErasableMask: A Robust and Erasable Privacy Protection Scheme against Black-box Face Recognition Models
Authors:Sipeng Shen, Yunming Zhang, Dengpan Ye, Xiuwen Shi, Long Tang, Haoran Duan, Ziyi Liu
While face recognition (FR) models have brought remarkable convenience in face verification and identification, they also pose substantial privacy risks to the public. Existing facial privacy protection schemes usually adopt adversarial examples to disrupt face verification of FR models. However, these schemes often suffer from weak transferability against black-box FR models and permanently damage the identifiable information that cannot fulfill the requirements of authorized operations such as forensics and authentication. To address these limitations, we propose ErasableMask, a robust and erasable privacy protection scheme against black-box FR models. Specifically, via rethinking the inherent relationship between surrogate FR models, ErasableMask introduces a novel meta-auxiliary attack, which boosts black-box transferability by learning more general features in a stable and balancing optimization strategy. It also offers a perturbation erasion mechanism that supports the erasion of semantic perturbations in protected face without degrading image quality. To further improve performance, ErasableMask employs a curriculum learning strategy to mitigate optimization conflicts between adversarial attack and perturbation erasion. Extensive experiments on the CelebA-HQ and FFHQ datasets demonstrate that ErasableMask achieves the state-of-the-art performance in transferability, achieving over 72% confidence on average in commercial FR systems. Moreover, ErasableMask also exhibits outstanding perturbation erasion performance, achieving over 90% erasion success rate.
人脸识别(FR)模型在面部验证和识别方面带来了极大的便利,但同时也给公众带来了重大的隐私风险。现有的面部隐私保护方案通常采用对抗性样例来破坏人脸识别模型的面部验证。然而,这些方案通常对黑盒人脸识别模型的迁移性较弱,并且会永久损坏身份信息,无法满足如法医学和身份验证等授权操作的要求。为了解决这些局限性,我们提出了ErasableMask,这是一种针对黑盒人脸识别模型的稳健且可擦除的隐私保护方案。具体来说,通过重新思考代理人脸识别模型之间的内在关系,ErasableMask引入了一种新的元辅助攻击,通过稳定且平衡的优化策略学习更通用的特征,从而提高黑盒迁移性。它还提供了一个扰动消除机制,可以在不降低图像质量的情况下,消除受保护面部中的语义扰动。为了进一步改善性能,ErasableMask采用了一种课程学习策略,以减轻对抗性攻击和扰动消除之间的优化冲突。在CelebA-HQ和FFHQ数据集上的大量实验表明,ErasableMask在迁移性方面达到了最新技术水平,在商用人脸识别系统上的平均置信度超过72%。此外,ErasableMask还具有出色的扰动消除性能,消除成功率超过90%。
论文及项目相关链接
Summary
人脸识别模型带来便利的同时也存在隐私风险。针对这一问题,研究者提出了一种名为ErasableMask的新颖隐私保护方案,旨在增强对黑箱人脸识别模型的转移攻击能力,同时支持语义扰动的擦除而不降低图像质量。该方案采用课程学习策略缓解对抗攻击和扰动擦除的优化冲突,实验表明其具有良好的迁移性能和擦除性能。
Key Takeaways
- 人脸识别模型在带来便利的同时存在隐私风险。
- ErasableMask是一种针对黑箱人脸识别模型的隐私保护方案。
- ErasableMask通过引入新型元辅助攻击增强了黑箱转移攻击能力。
- ErasableMask支持语义扰动的擦除,而不会降低图像质量。
- 该方案采用课程学习策略改善对抗攻击和扰动擦除的优化过程。
- 在CelebA-HQ和FFHQ数据集上的实验表明,ErasableMask具有出色的迁移性能和擦除性能。
点此查看论文截图
