PuFace: Defending against Facial Cloaking Attacks for Facial Recognition Models

• URL: http://arxiv.org/abs/2406.02253v1
• Date: Tue, 4 Jun 2024 12:19:09 GMT
• Title: PuFace: Defending against Facial Cloaking Attacks for Facial Recognition Models
• Authors: Jing Wen,
• Abstract summary: Recently proposed facial cloaking attacks add invisible perturbation (cloaks) to facial images to protect users from being recognized by unauthorized facial recognition models. This paper introduces PuFace, an image purification system leveraging the generalization ability of neural networks to diminish the impact of cloaks. Our empirical experiment shows PuFace can effectively defend against two state-of-the-art facial cloaking attacks and reduces the attack success rate from 69.84% to 7.61% on average.
• Score: 1.455585466338228
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: The recently proposed facial cloaking attacks add invisible perturbation (cloaks) to facial images to protect users from being recognized by unauthorized facial recognition models. However, we show that the "cloaks" are not robust enough and can be removed from images. This paper introduces PuFace, an image purification system leveraging the generalization ability of neural networks to diminish the impact of cloaks by pushing the cloaked images towards the manifold of natural (uncloaked) images before the training process of facial recognition models. Specifically, we devise a purifier that takes all the training images including both cloaked and natural images as input and generates the purified facial images close to the manifold where natural images lie. To meet the defense goal, we propose to train the purifier on particularly amplified cloaked images with a loss function that combines image loss and feature loss. Our empirical experiment shows PuFace can effectively defend against two state-of-the-art facial cloaking attacks and reduces the attack success rate from 69.84\% to 7.61\% on average without degrading the normal accuracy for various facial recognition models. Moreover, PuFace is a model-agnostic defense mechanism that can be applied to any facial recognition model without modifying the model structure.

Related papers

• ID-Guard: A Universal Framework for Combating Facial Manipulation via Breaking Identification [60.73617868629575]
  misuse of deep learning-based facial manipulation poses a potential threat to civil rights. To prevent this fraud at its source, proactive defense technology was proposed to disrupt the manipulation process. We propose a novel universal framework for combating facial manipulation, called ID-Guard.
  arXiv  Detail & Related papers  (2024-09-20T09:30:08Z)
• Privacy-Preserving Face Recognition Using Trainable Feature Subtraction [40.47645421424354]
  Face recognition has led to increasing privacy concerns. This paper explores face image protection against viewing and recovery attacks. We distill our methodologies into a novel privacy-preserving face recognition method, MinusFace.
  arXiv  Detail & Related papers  (2024-03-19T05:27:52Z)
• Privacy-preserving Adversarial Facial Features [31.885215405010687]
  We propose an adversarial features-based face privacy protection approach to generate privacy-preserving adversarial features. We show that AdvFace outperforms the state-of-the-art face privacy-preserving methods in defending against reconstruction attacks.
  arXiv  Detail & Related papers  (2023-05-08T08:52:08Z)
• Information-containing Adversarial Perturbation for Combating Facial Manipulation Systems [19.259372985094235]
  Malicious applications of deep learning systems pose a serious threat to individuals' privacy and reputation. We propose a novel two-tier protection method named Information-containing Adversarial Perturbation (IAP) We use an encoder to map a facial image and its identity message to a cross-model adversarial example which can disrupt multiple facial manipulation systems.
  arXiv  Detail & Related papers  (2023-03-21T06:48:14Z)
• OPOM: Customized Invisible Cloak towards Face Privacy Protection [58.07786010689529]
  We investigate the face privacy protection from a technology standpoint based on a new type of customized cloak. We propose a new method, named one person one mask (OPOM), to generate person-specific (class-wise) universal masks. The effectiveness of the proposed method is evaluated on both common and celebrity datasets.
  arXiv  Detail & Related papers  (2022-05-24T11:29:37Z)
• Restricted Black-box Adversarial Attack Against DeepFake Face Swapping [70.82017781235535]
  We introduce a practical adversarial attack that does not require any queries to the facial image forgery model. Our method is built on a substitute model persuing for face reconstruction and then transfers adversarial examples from the substitute model directly to inaccessible black-box DeepFake models.
  arXiv  Detail & Related papers  (2022-04-26T14:36:06Z)
• End2End Occluded Face Recognition by Masking Corrupted Features [82.27588990277192]
  State-of-the-art general face recognition models do not generalize well to occluded face images. This paper presents a novel face recognition method that is robust to occlusions based on a single end-to-end deep neural network. Our approach, named FROM (Face Recognition with Occlusion Masks), learns to discover the corrupted features from the deep convolutional neural networks, and clean them by the dynamically learned masks.
  arXiv  Detail & Related papers  (2021-08-21T09:08:41Z)
• FaceGuard: A Self-Supervised Defense Against Adversarial Face Images [59.656264895721215]
  We propose a new self-supervised adversarial defense framework, namely FaceGuard, that can automatically detect, localize, and purify a wide variety of adversarial faces. During training, FaceGuard automatically synthesizes challenging and diverse adversarial attacks, enabling a classifier to learn to distinguish them from real faces. Experimental results on LFW dataset show that FaceGuard can achieve 99.81% detection accuracy on six unseen adversarial attack types.
  arXiv  Detail & Related papers  (2020-11-28T21:18:46Z)
• Towards Face Encryption by Generating Adversarial Identity Masks [53.82211571716117]
  We propose a targeted identity-protection iterative method (TIP-IM) to generate adversarial identity masks. TIP-IM provides 95%+ protection success rate against various state-of-the-art face recognition models.
  arXiv  Detail & Related papers  (2020-03-15T12:45:10Z)
• Fawkes: Protecting Privacy against Unauthorized Deep Learning Models [34.04323550970413]
  Fawkes is a system that helps individuals inoculate their images against unauthorized facial recognition models. We experimentally demonstrate that Fawkes provides 95+% protection against user recognition. We achieve 100% success in experiments against today's state-of-the-art facial recognition services.
  arXiv  Detail & Related papers  (2020-02-19T18:00:22Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.