Transferable Adversarial Facial Images for Privacy Protection

TL;DR

This paper introduces a novel face privacy protection method that generates natural, highly transferable adversarial face images by shaping the entire face space, significantly improving privacy against face recognition systems while maintaining visual quality.

Contribution

The paper proposes a new approach that directly shapes the face space using global adversarial latent search and landmark regularization, enhancing transferability and naturalness of adversarial images in black-box scenarios.

Findings

Achieves 25% improvement in attacking deep face recognition models.

Attains 10% better transferability on commercial face recognition APIs.

Maintains high visual quality of adversarial face images.

Abstract

The success of deep face recognition (FR) systems has raised serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Previous studies proposed introducing imperceptible adversarial noises into face images to deceive those face recognition models, thus achieving the goal of enhancing facial privacy protection. Nevertheless, they heavily rely on user-chosen references to guide the generation of adversarial noises, and cannot simultaneously construct natural and highly transferable adversarial face images in black-box scenarios. In light of this, we present a novel face privacy protection scheme with improved transferability while maintain high visual quality. We propose shaping the entire face space directly instead of exploiting one kind of facial characteristic like makeup information to integrate adversarial noises. To achieve this goal, we first exploit global adversarial latent search to traverse the latent space of the generative model, thereby creating natural adversarial face images with high transferability. We then introduce a key landmark regularization module to preserve the visual identity information. Finally, we investigate the impacts of various kinds of latent spaces and find that $\mathcal{F}$ latent space benefits the trade-off between visual naturalness and adversarial transferability. Extensive experiments over two datasets demonstrate that our approach significantly enhances attack transferability while maintaining high visual quality, outperforming state-of-the-art methods by an average 25% improvement in deep FR models and 10% improvement on commercial FR APIs, including Face++, Aliyun, and Tencent.