DIP-Watermark: A Double Identity Protection Method Based on Robust Adversarial Watermark
Yunming Zhang, Dengpan Ye, Caiyun Xie, Sipeng Shen, Ziyi Liu, Jiacheng Deng, Long Tang

TL;DR
DIP-Watermark introduces a novel double identity protection scheme using traceable adversarial watermarking to deceive unauthorized face recognition systems while enabling trusted verification, enhancing privacy protection against adversarial attacks.
Contribution
It is the first to combine adversarial attack and watermarking for double identity protection in face recognition, with a novel collaborative meta-optimization strategy for robust watermark embedding.
Findings
Achieves high attack success rates on state-of-the-art FR models.
Maintains high traceability accuracy for authorized identity verification.
Outperforms existing privacy protection methods in robustness and effectiveness.
Abstract
The wide deployment of Face Recognition (FR) systems poses privacy risks. One countermeasure is adversarial attack, deceiving unauthorized malicious FR, but it also disrupts regular identity verification of trusted authorizers, exacerbating the potential threat of identity impersonation. To address this, we propose the first double identity protection scheme based on traceable adversarial watermarking, termed DIP-Watermark. DIP-Watermark employs a one-time watermark embedding to deceive unauthorized FR models and allows authorizers to perform identity verification by extracting the watermark. Specifically, we propose an information-guided adversarial attack against FR models. The encoder embeds an identity-specific watermark into the deep feature space of the carrier, guiding recognizable features of the image to deviate from the source identity. We further adopt a collaborative…
Taxonomy
Topics: Advanced Steganography and Watermarking Techniques · Biometric Identification and Security · Face recognition and analysis
Methods: Deterministic Policy Gradient
