DiffAM: Diffusion-based Adversarial Makeup Transfer for Facial Privacy Protection

TL;DR

DiffAM uses diffusion models to create high-quality, adversarially protected face images with natural makeup, enhancing privacy against face recognition systems while maintaining visual quality and transferability.

Contribution

The paper introduces DiffAM, a novel diffusion-based method for face privacy protection that combines makeup removal and transfer with adversarial techniques for improved effectiveness.

Findings

Achieves 12.98% higher attack success rate under black-box settings.

Generates high-quality, natural-looking protected face images.

Outperforms existing methods in visual quality and transferability.

Abstract

With the rapid development of face recognition (FR) systems, the privacy of face images on social media is facing severe challenges due to the abuse of unauthorized FR systems. Some studies utilize adversarial attack techniques to defend against malicious FR systems by generating adversarial examples. However, the generated adversarial examples, i.e., the protected face images, tend to suffer from subpar visual quality and low transferability. In this paper, we propose a novel face protection approach, dubbed DiffAM, which leverages the powerful generative ability of diffusion models to generate high-quality protected face images with adversarial makeup transferred from reference images. To be specific, we first introduce a makeup removal module to generate non-makeup images utilizing a fine-tuned diffusion model with guidance of textual prompts in CLIP space. As the inverse process of makeup transfer, makeup removal can make it easier to establish the deterministic relationship between makeup domain and non-makeup domain regardless of elaborate text prompts. Then, with this relationship, a CLIP-based makeup loss along with an ensemble attack strategy is introduced to jointly guide the direction of adversarial makeup domain, achieving the generation of protected face images with natural-looking makeup and high black-box transferability. Extensive experiments demonstrate that DiffAM achieves higher visual quality and attack success rates with a gain of 12.98% under black-box setting compared with the state of the arts. The code will be available at https://github.com/HansSunY/DiffAM.