计算机科学

计算机科学 ›› 2025, Vol. 52 ›› Issue (5): 384-391.doi: 10.11896/jsjkx.241100066

• 信息安全 • 上一篇    

基于“隐形面具”的可逆人脸隐私保护方法

郑旭1, 黄想杰1, 杨杨1,2   

  1. 1 安徽大学电子信息工程学院 合肥 230601
    2 合肥综合性国家科学中心人工智能研究院 合肥 230026
  • 收稿日期:2024-11-11 修回日期:2024-12-28 出版日期:2025-05-15 发布日期:2025-05-12
  • 通讯作者: 杨杨(sky_yang@ahu.edu.cn)
  • 作者简介:(19276326064@163.com)
  • 基金资助:
    国家自然科学基金(62272003);安徽省高等学校自然科学基金(KJ2021A0016)

Reversible Facial Privacy Protection Method Based on “Invisible Masks”

ZHENG Xu1, HUANG Xiangjie1, YANG Yang1,2   

  1. 1 School of Electronics and Information Engineering,Anhui University,Hefei 230601,China
    2 Institute of Artificial Intelligence,Hefei Comprehensive National Science Center,Hefei 230026,China
  • Received:2024-11-11 Revised:2024-12-28 Online:2025-05-15 Published:2025-05-12
  • About author:ZHENG Xu,born in 2000,postgraduate.His main research interest is information hiding.
    YANG Yang,born in 1980,professor,is a member of CCF(No.H3489M).Her main research interests include information hiding,quantum artificial intelligenceand image quality assessment.
  • Supported by:
    National Natural Science Foundation of China(62272003) and Natural Science Foundation of Anhui Provincial Colleges and Universities(KJ2021A0016).

PDF (PC)

54

摘要: 随着人工智能和计算机视觉技术的快速进步,人脸信息已经被广泛应用于智能安防、金融支付和社交媒体等多个领域。这些采集的人脸信息一旦被泄露或被不法分子非法售卖,就会造成严重后果。因此,如何防止采集的原始人脸数据库被恶意窃取从而进行非法训练和非法识别,是亟待解决的问题。对此,提出了一种基于“隐形面具”的可逆人脸隐私保护方法。该对抗人脸若被恶意窃取,可使未授权人脸系统错误识别,对于被授权用户,可以在摘除“隐形面具”后恢复原始人脸信息,保证授权人脸系统正确识别,从而达到保护人脸数据库的目的。实验结果表明,该方法生成的对抗人脸具有更高的视觉质量,与原始人脸的平均PSNR在无攻击层下可以达到55 dB,并且使未授权系统错误识别率达到99.6%。同时,该方法实现了可逆恢复人脸,恢复人脸具有更高的视觉质量,与原始人脸的平均PSNR达到61 dB,并且使授权系统正确识别率达到99.8%。实验证明了该方法可以有效地保护人脸数据库。

关键词: 深度学习, 隐形面具, 对抗样本, 人脸数据库保护, 视觉变换, 可逆人脸隐私保护

Abstract: With the rapid progress of artificial intelligence and computer vision technology,facial information has been widely used in smart security,financial payment,and social media,etc.Once the collected facial information is leaked or illegally sold by unscrupulous individuals,it will cause adverse consequences.Therefore,how to prevent the original facial database from being illegally accessed and trained by malicious parties,and how to prevent illegal recognition,is an urgent issue that needs to be solved.Therefore,a reversible facial privacy protection method based on “invisible mask” is proposed.If the adversarial facial image is illegally accessed,it will cause the unauthorized facial recognition system to incorrectly recognize,and for authorized users,the original facial information can be recovered by removing the “invisible mask”,ensuring that the authorized facial recognition system can correctly recognize,thus achieving the purpose of protecting the facial database.Experimental results show that the method generates adversarial facial images with higher visual quality,the average PSNR between the adversarial facial image and the original facial image without attack layer can reach 55 dB,and the false recognition rate of the unauthorized system can reach 99.6%.At the same time,the method realizes reversible recovery of facial images,the average PSNR of the recovered facial image is 61 dB,and the correct recognition rate of the authorized system can reach 99.8%.Therefore,the proposed method can effectively protect the facial database.

Key words: Deep learning, Invisible masks, Adversarial examples, Facial dataset protection, Visual transformation, Reversible facial privacy protection

中图分类号: 

  • TP311
[1]BORENSTEIN J,AYANNA H.Emerging challenges in AI and the need for AI ethics education[J].AI and Ethics,2021,1(1):61-65.
[2]MRIT M,NARAYANAN P.The de-identification camera[C]//Proceedings of the 2011 Third National Conference on Computer Vision and PatternRecognition.2011:192-195.
[3]ZHANG Y,LU Y,NAGAHARA H,et al.Anonymous camera for privacy protection[C]//Proceedings of the 22nd InternationalConference on Pattern Recognition.2014:4170-4175.
[4]LETOURNEL G,BUGEAU A,DOMENGER J P.Face de-identification with expressions preservation[C]//ProcEedings of the Internationak Conference on Image Processing.2015:4366-4370.
[5]GOODFELLOW I J,SHLENS J,SZEGEDY C.Explaining and harnessing adversarial examples[J].arXiv:1412.6572,2015.
[6]YIN B,WANG W,YAO T,et al.Adv-Makeup:A New Imperceptible and Transferable Attack on Face Recognition[C]//International Joint Conference on Artificial Intelligence.2021:1252-1258.
[7]JIA X J,WEI X X,CAO X C,et al.Comdefend:An efficient image compressionmodel to defend adversarial examples[C]//Proceedingsof the IEEE/CVF Conference on Computer Vision andPattern Recognition.2019:6084-6092.
[8]ZHANG X P.Reversible data hiding with optimalvalue transfer[J].IEEE Transactions on Multimedia,2012,15(2):316-325.
[9]LIU J Y,HOU D D,ZHANG W M,et al.Reversible adversarial examples[J].arXiv:1811.00189,2018.
[10]CHEN K J,CHEN K J,ZENG X H,et al.Invertible image dataset protection[J].arXiv:2021,14420,2021.
[11]KE X,WU H Q,GUO W Z.StegFormer:Rebuilding the Glory of Autoencoder-Based Steganography[C]//Proceedings of theAAAI Conference on Artificial Intelligence.Vancouver,Canada,2024:2723-2731.
[12]ZHU J,RUSSELL K,JUSTIN J,et al.Hidden:Hiding datawith deep networks[C]//European Conference on Computer Vision.Munich,Germany,2018:657-672.
[13]SZEGEDY C,ZAREMBA W,SUTSKEVER I,et al.In-triguing properties of neural networks[J].arXiv:1312.6199,2013.
[14]CARLININ,WAGNER D.Towards evaluating the robustnessof neural networks[J].IEEE Symposium on Security and Privacy.San Francisco.USA,2017:39-57.
[15]XIAO C,LI B,ZHU J,et al.Generating adversarial exampleswith adversarial networks[J].arXiv:1801.02610,2018.
[16]CHINOMI K,NITTA N,ITO Y.PriSurv:Privacy protected video surveillance system using adaptive visual abstraction[C]//Proceedings of the 14th International Conference on Advances in Multimedia Modeling.Berlin:Springer,2008:144-154.
[17]YOU Z,LI S,QIAN Z,et al.Reversible privacy-preserving recognition[C]//2021 IEEE International Conference on Multimedia and Expo(ICME).IEEE,2021:1-6.
[18]YANG Y,HUANG Y,SHI M,et al.Invertible Mask Network for Face Privacy Preservation[J].Information Sciences,2023,629:566-579.
[19]DEBAYAND,ZHANG J B,JAIN A.Advfaces:adversarial face synthesis[J]arXiv:1908.05008,2019.
[20]LIN Y,CAO Y,HU H.Swin transformer:Hierarchical vision transformer using shifted windows[C]//Proceedings ofthe IEEE/CVFInternational Conference on ComputerVision.Montreal,Canada,2021:10012-10022.
[21]CHU X,TIAN Z,ZHANG B,et al.Conditional positional encodings for vision transformers[J].arXiv:2102.10882,2021.
[22]SCHROFF F,KALENICHENKO D,PHILBIN J.Facenet:A- unified embedding for face recognition and clustering.[C]//2015 IEEE Conference on Computer Vision and Pattern Recognition.Santa Barbara,USA,2015:815-823.
[23]CHARBONNIE R,BLANC-FERAUD L,AUBERT G,et al.Two deterministic half-quadratic regularization algorithms for computed imaging[C]//Proceedings of 1st International Conference on Image Processing.1994:168-172.
[24]YI D,YANG M,WU Y M.CASIA-WebFace:A Web Face Database for Face Recognition[C]//IEEE Conference on ComputerVision and Pattern Recognition(CVPR).Columbus,USA,2014.
[25]HUANG G B,RAMESH M,LEARNED E.Labeled Faces inthe Wild:A Survey of Face Recognition in Unconstrained Environments[J].IEEE Transactions on Pattern Analysis and Machine Intelligence(PAMI),2008,12(30):2127-2140.
[26]WANG Z,BOVIK A,SHEIKH H R.Image quality asses-sment:From error visibility to structural similarity[J].IEEE Transactions on Image Processing.2004,13(4):600-612.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发