Transferable Adversarial Facial Images for Privacy Protection

Published: 20 Jul 2024, Last Modified: 06 Aug 2024 | MM2024 Poster | CC BY 4.0
Abstract: The success of deep face recognition (FR) systems has raised serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Previous studies proposed introducing imperceptible adversarial noises into face images to deceive those face recognition models, thus achieving the goal of enhancing facial privacy protection. Nevertheless, they heavily rely on user-chosen references to guide the generation of adversarial noises, and cannot simultaneously construct natural and highly transferable adversarial face images in black-box scenarios. In light of this, we present a novel face privacy protection scheme with improved transferability while maintaining high visual quality. We propose shaping the entire face space directly instead of exploiting one kind of facial characteristic like makeup information to integrate adversarial noises. To achieve this goal, we first exploit global adversarial latent search to traverse the latent space of the generative model, thereby creating natural adversarial face images with high transferability. We then introduce a key landmark regularization module to preserve the visual identity information. Finally, we investigate the impacts of various kinds of latent spaces and find that the $\mathcal{F}$ latent space benefits the trade-off between visual naturalness and adversarial transferability. Extensive experiments over two datasets demonstrate that our approach significantly enhances attack transferability while maintaining high visual quality, outperforming state-of-the-art methods by an average improvement of 25% on deep FR models and 10% on commercial FR APIs, including Face++, Aliyun, and Tencent.
Primary Subject Area: [Generation] Social Aspects of Generative AI
Relevance To Conference: In this paper, focusing on protecting facial privacy against malicious FR systems, we propose GIFT, a guidance-independent generative framework to construct highly transferable adversarial facial images while maintaining a good visual effect. Specifically, we leverage Global Adversarial Latent Search to construct natural and highly transferable adversarial face images without extra guidance information. Moreover, we introduce a key landmark regularization method to preserve the visual identity. We further reveal the limitations of the W+ latent space and the intriguing properties of the other two prevalent latent spaces, W and F, under the facial privacy protection scenario. Extensive experiments on both face verification and identification tasks demonstrate the superiority of GIFT against various deep FR models and commercial FR APIs.
Submission Number: 3499