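⚠️ All summaries below were generated by a large language model. They may contain errors, are for reference only, and should be used with caution.
🔴 Note: do not use them in serious academic settings; they are intended only for initial screening before reading a paper.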
Updated 2024-12-26
ErasableMask: A Robust and Erasable Privacy Protection Scheme against Black-box Face Recognition Models
Authors: Sipeng Shen, Yunming Zhang, Dengpan Ye, Xiuwen Shi, Long Tang, Haoran Duan, Jiacheng Deng, Ziyi Liu
While face recognition (FR) models have brought remarkable convenience in face verification and identification, they also pose substantial privacy risks to the public. Existing facial privacy protection schemes usually adopt adversarial examples to disrupt face verification of FR models. However, these schemes often suffer from weak transferability against black-box FR models and permanently damage the identifiable information that cannot fulfill the requirements of authorized operations such as forensics and authentication. To address these limitations, we propose ErasableMask, a robust and erasable privacy protection scheme against black-box FR models. Specifically, via rethinking the inherent relationship between surrogate FR models, ErasableMask introduces a novel meta-auxiliary attack, which boosts black-box transferability by learning more general features in a stable and balancing optimization strategy. It also offers a perturbation erasion mechanism that supports the erasion of semantic perturbations in protected face without degrading image quality. To further improve performance, ErasableMask employs a curriculum learning strategy to mitigate optimization conflicts between adversarial attack and perturbation erasion. Extensive experiments on the CelebA-HQ and FFHQ datasets demonstrate that ErasableMask achieves the state-of-the-art performance in transferability, achieving over 72% confidence on average in commercial FR systems. Moreover, ErasableMask also exhibits outstanding perturbation erasion performance, achieving over 90% erasion success rate.
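Summary
Face recognition models bring convenience to identity verification and identification, but they also pose a major threat to public privacy. Existing facial privacy protection schemes usually use adversarial examples to disrupt the verification process of face recognition models, but these schemes tend to transfer poorly to black-box face recognition models and permanently destroy identity information, so they cannot meet the requirements of authorized operations such as forensics and authentication. To address these problems, we propose ErasableMask, a robust and erasable privacy protection scheme against black-box face recognition models. Specifically, by rethinking the inherent relationship between surrogate face recognition models, ErasableMask introduces a new meta-auxiliary attack that learns more general features through a stable and balanced optimization strategy, thereby improving black-box transferability. It also provides a perturbation erasure mechanism that can erase the semantic perturbations on a protected face without degrading image quality. To further improve performance, ErasableMask adopts a curriculum learning strategy to ease the optimization conflict between the adversarial attack and perturbation erasure. Extensive experiments on the CelebA-HQ and FFHQ datasets show that ErasableMask achieves state-of-the-art transferability, with an average confidence of over 72% on commercial face recognition systems. ErasableMask's perturbation erasure performance is also excellent, with an erasure success rate of over 90%.
Key insights
- Face recognition models bring convenience but also carry privacy risks.
- Existing facial privacy protection schemes transfer poorly to black-box face recognition models.
- ErasableMask improves black-box transferability by introducing a meta-auxiliary attack.
- ErasableMask provides a perturbation erasure mechanism that can erase semantic perturbations on a face without degrading image quality.
- ErasableMask adopts a curriculum learning strategy to ease the optimization conflict between the adversarial attack and perturbation erasure.
- ErasableMask achieves advanced performance in both transferability and perturbation erasure.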