KAN See Your Face
Dong Han, Yong Li, Joachim Denzler
TL;DR
This paper introduces a novel attack method using Kolmogorov-Arnold Networks to reconstruct face images from embeddings, revealing privacy vulnerabilities in face recognition and privacy-preserving systems.
Contribution
It is the first to exploit KAN for embedding-to-face attacks, demonstrating effective face reconstruction from embeddings in state-of-the-art systems.
Findings
FEM-KAN accurately reconstructs face images from embeddings.
The attack works effectively against various FR and PPFR models.
Reconstructed faces are of realistic quality, exposing privacy risks.
Abstract
With the advancement of face reconstruction (FR) systems, privacy-preserving face recognition (PPFR) has gained popularity for its secure face recognition, enhanced facial privacy protection, and robustness to various attacks. Besides, specific models and algorithms are proposed for face embedding protection by mapping embeddings to a secure space. However, there is a lack of studies on investigating and evaluating the possibility of extracting face images from embeddings of those systems, especially for PPFR. In this work, we introduce the first approach to exploit Kolmogorov-Arnold Network (KAN) for conducting embedding-to-face attacks against state-of-the-art (SOTA) FR and PPFR systems. Face embedding mapping (FEM) models are proposed to learn the distribution mapping relation between the embeddings from the initial domain and target domain. In comparison with Multi-Layer Perceptrons…
Peer Reviews
Decision·ICLR 2025 Conference Withdrawn Submission
- Authors proposed effective face embedding mapping (FEM) models to project the embeddings from the initial domain and target domain. - The proposed method is used to attack various privacy-preserving face recognition (PPFR) and typical face reconstruction (FR) models. - Authors explored the application of their method on various types of face embedding, including complete, partial and protected ones.
- The paper lacks comparison with previous face reconstruction methods in the literature. Authors mentioned different face reconstruction methods from the literature in introduction and related work sections, but there is no experiment to compare the performance (in terms of ASR) with previous methods. Specially, the experiments include different scenarios (for FR and PPFR), which are interesting, but the performance of the proposed method is not compared with previous face reconstruction method
The paper is the first approach to use KAN for embedding-to-face task.
1. The intention of the paper is not clear. Essentially, this article describes a generative task that creates facial images based on the features of facial recognition. Such work cannot be regarded as an attack on facial recognition systems. The authors have not explored issues related to the sources of data for attackers and victims, nor have they discussed the perturbation constraints involved in image attacks. 2. The three embedding-based losses mentioned by the authors in the loss design es
1, By using Kolmogorov-Arnold Networks (KAN) within the Face Embedding Mapping (FEM) model, it introduces a creative method for embedding-to-embedding mapping that distinguishes it from previous face reconstruction techniques. 2. The authors conduct extensive experiments across a broad range of models, rigorously validating FEM’s robustness with both quantitative and qualitative metrics.
This paper has several notable weaknesses that impact its contribution, novelty, rigor, and thoroughness. 1. The paper does indeed show a lack of novelty in certain technical aspects. While effectively applied, techniques like KAN, IPA-FaceID, and loss functions are previously established methods that do not advance the foundational technology or introduce significant innovation. 2. The theoretical justification for using KAN as the face embedding mapping model is superficial. The paper does
(1)The paper leverages an advanced pre-trained diffusion model to execute a face recognition embedding-to-image restoration attack, which proves to be an effective approach. (2)The paper employs a straightforward conversion network to adapt a pre-trained generative model for compatibility with multiple recognition models, which appears to be a simple yet effective strategy.
(1) While the final experimental outcomes in the paper affirm the method's effectiveness, I have reservations about some of the experimental setups used. Specifically, the paper focuses on the restoration attack of face recognition embeddings, yet employs the PPFR method in its experiments, which is primarily designed to protect the original face image. This setup may not adequately demonstrate the method's effectiveness as described in the paper. Ideally, the method should be tested for its att
N/A
I think this paper are not prepared to be submitted since it has some deadly flaws: - The literature review in this paper is insufficient. There are already many attack methods (refer to [1-4]) for reconstructing faces from face embeddings, but this paper has no comparsion, and even claims that > To the best of our knowledge, we are the first to exploit the potential of KAN for face embedding mapping and face reconstruction. - The paper fails to introduce novel insights or methodologies in the f
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsFace recognition and analysis · Biometric Identification and Security · Adversarial Robustness in Machine Learning