三元组约束的类通用扰动人脸图像去识别方法

王慧娇; 熊卓; 管军霖; 蔡鼎; 王丽

doi:10.11834/jig.240018

图像分析和识别 | 浏览量 : 0 下载量: 1 CSCD: 0

PDF
导出
分享
收藏
专辑

三元组约束的类通用扰动人脸图像去识别方法
Face image de-identification with class universal perturbations based on triplet constraints
2024年29卷第12期页码：3644-3656
纸质出版日期： 2024-12-16 ，
DOI： 10.11834/jig.240018
稿件说明：

移动端阅览

王慧娇，熊卓，管军霖，蔡鼎，王丽. 2024. 三元组约束的类通用扰动人脸图像去识别方法. 中国图象图形学报， 29(12):3644-3656

Wang Huijiao， Xiong Zhuo， Guan Junlin， Cai Ding， Wang Li. 2024. Face image de-identification with class universal perturbations based on triplet constraints. Journal of Image and Graphics， 29(12):3644-3656
王慧娇，熊卓，管军霖，蔡鼎，王丽. 2024. 三元组约束的类通用扰动人脸图像去识别方法. 中国图象图形学报， 29(12):3644-3656 DOI： 10.11834/jig.240018.

Wang Huijiao， Xiong Zhuo， Guan Junlin， Cai Ding， Wang Li. 2024. Face image de-identification with class universal perturbations based on triplet constraints. Journal of Image and Graphics， 29(12):3644-3656 DOI： 10.11834/jig.240018.

摘要

目的

人脸图像去识别是保护人脸隐私的一种手段，类通用扰动作为人脸图像去识别的一种方法，为每个用户生成专属扰动来抵御深度人脸识别系统的恶意分析行为。针对现有类通用扰动方法存在用户训练数据不足的问题以及进一步提升扰动保护效果的需要，提出基于三元组损失约束的类通用扰动生成方法，同时引入一种基于特征子空间方法扩充训练数据构建三元组所需的负样本。

方法

首先将深度神经网络提取的用户人脸图像特征作为正样本，然后对单个用户所有正样本进行仿射组合构建特征子空间，再结合凸优化方法训练样本远离特征子空间，生成负样本扩充训练数据。之后对原始图像叠加随机扰动，提取特征得到待训样本。利用三元组函数约束扰动训练过程，使待训样本远离正样本的同时靠近负样本，并以余弦距离作为指标计算损失值。对训练生成的扰动施加一个缩放变换，得到用户的类通用扰动。

结果

针对具有不同损失函数（ArcFace、SFace和CosFace）和网络架构（SENet、MobileNet和IResNet）的6个人脸识别模型在2个数据集上进行实验，与相关的4种方法进行比较均取得了最优效果。在Privacy-Commons和Privacy-Celebrities数据集上，相比已知最优的方法，扰动训练效率平均提升了66.5%，保护成功率平均提升了5.76%。

结论

本文提出的三元组约束扰动生成方法，在兼顾扰动生成效率的同时，既缓解了训练样本不足的问题，又使类通用扰动综合了梯度攻击信息和特征攻击信息，提升了人脸隐私保护效果。

Abstract

Objective

With the development of face recognition technology， face images have been used as identity verification in many fields. As important biometric features， face images usually involve personal identity information. When illegally obtained and used by attackers， these images may cause serious losses and harm to individuals. Protecting face privacy and security has always been an urgent problem. The de-identification of face image is conducted in this paper， and the convenient and efficient use of class universal perturbation for face privacy protection is studied. The class universal perturbation method generates exclusive perturbation information for each user， and then the exclusive perturbation is superimposed on the face image for de-identification， thus resisting the behavior of deep face recognizer maliciously analyzing user information. In view of the limited face images provided by users， using class universal perturbation to de-identify users often faces the problem of insufficient samples. In addition， extracting face image features can be difficult due to variations in shooting angles， which increase the difficulty of learning user features through class universal perturbation. At the same time， class universal perturbation faces a complex protection scenario. Class universal perturbation is generated from a local proxy model and needs to be able to resist different face recognition models. These face recognition models use different datasets， loss functions， and network architectures， thus increasing the difficulty of generating class universal perturbation with transferability. In view of the insufficient user training data and the need to further improve the protection effect of perturbation in the field of the class universal perturbation， a generation method of class universal perturbation constrained by the triplet loss function is proposed in this paper， called face image de-identification with class universal perturbations based on triplet constraints （TC-CUAP）. The negative samples are constructed based on the feature subspace to augment the training data and to obtain samples in triplets.

Method

The Res-Net50 deep neural network is adopted to extract the features of user face images， which are used as positive samples for training. The feature subspace is then constructed using three affine combination methods （i.e.， affine hull， convex hull， and class center） of positive samples. The maximum distance between the samples and feature subspace is solved by the convex optimization method. The training samples are optimized along the direction away from the feature subspace， and the optimized samples are labeled as negative samples. Perturbations are randomly generated as initial values for class general perturbations before they are added to the original image. The features are then extracted from the perturbed images to obtain the training samples. The positive， negative， and training samples constitute the triplet required for training. The cosine distance is measured when training perturbations. The distance between the training samples and positive samples is maximized， while that between the training samples and negative samples is minimized. The training sample moves closer to the negative sample when the former is equidistant from the positive sample， thus allowing the perturbations to learn more adversarial information within a limited range. A scaling transformation is then applied to the generated perturbation. Those parts of the perturbation whose values are greater than 0 are set to the upper limit value of the perturbation threshold， while those parts whose values are less than 0 are set to the lower limit value. The class universal perturbation is ultimately obtained.

Result

The data required for the experiment are taken from the MegaFace challenge， MSCeleb-1M， and LFW datasets. The Privacy-Common public dataset， which represents ordinary users， and the Privacy-Celebrities celebrity dataset， which represents celebrity users， are then constructed， and test sets corresponding to these two datasets are built using data from the MegaFace challenge， MSCeleb-1M， and LFW datasets. Black box tests are conducted on the Privacy-Common and Privacy-Celebrities datasets for face recognition models with different loss functions and network architectures. Three of the black box models use different loss functions， namely， CosFace， ArcFace， and SFace， while the other three black box models use different network architectures， namely， SENet， MobileNet， and IResNet variants. The proposed TC-CUAP is then compared with generalizable data-free objective for crafting universal perturbations （GD-UAP）， generative adversarial perturbations （GAP）， universal adversarial perturbations （UAP）， and one person one mask （OPOM）. In the Privacy-Commons dataset， the highest Top-1 protection success rates of each method in the face of different face recognition models are 8.7% （GD-UAP）， 59.7% （GAP）， 64.2% （UAP）， 86.5% （OPOM）， and 90.6% （TC-CUAP）， while the highest Top-5 protection success rates are 3.5% （GD-UAP）， 46.7% （GAP）， 51.7% （UAP）， 80.1% （OPOM）， and 85.8% （TC-CUAP）. Compared with the well-known OPOM method， the TC-CUAP method improved its protection success rate by an average of 5.74%. In the Privacy-Celebrities data set， the highest Top-1 protection success rates of each method in the face of different face recognition models are 10.7% （GD-UAP）， 53.3% （GAP）， 59% （UAP）， 69.6% （OPOM）， and 75.9% （TC-CUAP）， while the highest Top-5 protection success rates are 4.2% （GD-UAP）， 42.7% （GAP）， 47.8% （UAP）， 60.6% （OPOM）， and 67.9% （TC-CUAP）. Compared with the well-known OPOM method， the TC-CUAP method improved its protection success rate by an average of 5.81%. The time spent to generate perturbations for 500 users is used as an indicator to measure the efficiency of each method. The time consumption of each method is 19.44 min （OPOM）， 10.41 min （UAP）， 6.52 min （TC-CUAP）， 4.51 min （GAP）， and 1.12 min （GD-UAP）. The above experimental results verify the superiority of the TC-CUAP method in face de-identification and its transferability on different models. The TC-CUAP method with perturbation scaling transformation achieves average Top-1 protection success rates of 80% and 64.6% on the Privacy-Commons and Privacy-Celebrities datasets， respectively， while the TC-CUAP method without perturbation scaling transformation achieves average Top-1 protection success rates of 78.1% and 62.5.1%. The TC-CUAP method with perturbation scaling transformation increased the protection success rate by about 2%， thus proving its effectiveness. In addition to using convex hull to model the user feature subspace and generate negative samples， these samples can also be constructed using feature iterative universal adversarial perturbations （FI-UAP）， FI-UAP incorporating intra-class interactions （FI-UAP+）， and Gauss random perturbation. On the Privacy-Commons and Privacy-Celebrities datasets， these methods obtain the highest Top-1 protection success rates of 85.6% （FI-UAP）， 86% （FI-UAP+）， 44.8% （Gauss）， and 90.6% （convex hull）. Using convex hull yields a 4.9% higher average protection success rate than using the suboptimal FI-UAP+ method， thereby verifying the rationality of the negative sample construction described in this paper.

Conclusion

The proposed method uses positive， negative， and training samples as constraints to obtain the class universal perturbation for face image de-identification. The negative samples are constructed from the original training data， thus alleviating the problem of insufficient training samples. The class universal perturbation trained by these triple constraints provides the feature attack information. At the same time， the introduction of perturbation scaling increases the strength of class universal perturbation and improves the face image de-identification effect. The superiority of this method is further verified by comparing its face de-identification performance with that of GD-UAP， GAP， UAP， and OPOM.

关键词

类通用扰动三元组约束人脸图像去识别数据扩充人脸隐私保护

Keywords

class universal perturbationtriplet constraintface image de-identificationdata augmentationface privacy protection

references

Cao S H， Liu X H， Mao X Q and Zou Q. 2022. A review of human face forgery and forgery-detection technologies. Journal of Image and Graphics， 27（4）： 1023-1038

曹申豪，刘晓辉，毛秀青，邹勤. 2022. 人脸伪造及检测技术综述. 中国图象图形学报， 27（4）： 1023-1038 ［DOI： 10.11834/jig.200466http://dx.doi.org/10.11834/jig.200466］

Cao Y J， Jia L L， Chen Y X， Lin N and Li X X. 2018. Review of computer vision based on generative adversarial networks. Journal of Image and Graphics， 23（10）： 1433-1449

曹仰杰，贾丽丽，陈永霞，林楠，李学相. 2018. 生成式对抗网络及其计算机视觉应用研究综述. 中国图象图形学报， 23（10）： 1433-1449 ［DOI： 10.11834/jig.180103http://dx.doi.org/10.11834/jig.180103］

Deng J， Guo J， Xue N， Zafeiriou S. 2019. Arcface： additive angular margin loss for deep face recognition//Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Long Beach Convention & Entertainment Center USA： IEEE： 4690-4699 ［DOI： 10.1109/cvpr.2019.00482］.

Gross R， Sweeney L， Cohn J， De La Torre F and Baker S. 2009. Face de-identification//Senior A， ed. Protecting Privacy in Video Surveillance. London： Springer： 129-146 ［DOI： 10.1007/978-1-84882-301-3_8http://dx.doi.org/10.1007/978-1-84882-301-3_8］

Guo Y D， Zhang L， Hu Y X， He X D and Gao J F. 2016. MS-Celeb-1M： a dataset and benchmark for large-scale face recognition//Proceedings of the 14th European Conference on Computer Vision. Amsterdam， the Netherlands： Springer： 87-102 ［DOI： 10.1007/978-3-319-46487-9_6http://dx.doi.org/10.1007/978-3-319-46487-9_6］

Gupta T， Sinha A， Kumari N， Singh M and Krishnamurthy B. 2019. A method for computing class-wise universal adversarial perturbations ［EB/OL］. ［2024-01-05］. https://arxiv.org/pdf/1912.00466.pdfhttps://arxiv.org/pdf/1912.00466.pdf

He K M， Zhang X Y， Ren S Q and Sun J. 2016. Deep residual learning for image recognition//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas， USA： IEEE： 770-778 ［DOI： 10.1109/cvpr.2016.90http://dx.doi.org/10.1109/cvpr.2016.90］

Howard A G， Zhu M L， Chen B， Kalenichenko D， Wang W J， Weyand T， Andreetto M and Adam H. 2017. MobileNets： efficient convolutional neural networks for mobile vision applications ［EB/OL］. ［2024-01-05］. https://arxiv.org/pdf/1704.04861.pdfhttps://arxiv.org/pdf/1704.04861.pdf

Hu J， Shen L and Sun G. 2018. Squeeze-and-excitation networks//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City， USA： IEEE： 7132-7141 ［DOI： 10.1109/cvpr.2018.00745http://dx.doi.org/10.1109/cvpr.2018.00745］

Huang G B， Ramesh M， Berg T and Learned-Miller E. 2008. Labeled faces in the wild： a database for studying face recognition in unconstrained environments//Workshop on faces in ‘Real-Life’ Images： Detection， Alignment， and Recognition

Li T and Choi M S. 2021. DeepBlur： a simple and effective method for natural image obfuscation ［EB/OL］. ［2024-01-05］. https://arxiv.org/pdf/2104.02655.pdfhttps://arxiv.org/pdf/2104.02655.pdf

Li Z X， Yin B J， Yao T P， Guo J F， Ding S H， Chen S M and Liu C. 2023. Sibling-attack： rethinking transferable adversarial attacks against face ecognition//Proceedings of 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Vancouver， Canada： IEEE： 24626-24637 ［DOI： 10.1109/cvpr52729.2023.02359http://dx.doi.org/10.1109/cvpr52729.2023.02359］

Liu B， Ding M， Shaham S， Rahayu W， Farokhi F and Lin Z H. 2021. When machine learning meets privacy： a survey and outlook. ACM Computing Surveys （CSUR）， 54（2）： #31 ［DOI： 10.1145/3436755http://dx.doi.org/10.1145/3436755］

Moosavi-Dezfooli S M， Fawzi A， Fawzi O and Frossard P. 2017. Universal adversarial perturbations//Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition. Honolulu， USA： IEEE： 86-94 ［DOI： 10.1109/CVPR.2017.17http://dx.doi.org/10.1109/CVPR.2017.17］

Moosavi-Dezfooli S M， Fawzi A and Frossard P. 2016. DeepFool： a simple and accurate method to fool deep neural networks//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas， USA： IEEE： 2574-2582 ［DOI： 10.1109/cvpr.2016.282http://dx.doi.org/10.1109/cvpr.2016.282］

Mopuri K R， Ganeshan A and Babu R V. 2019. Generalizable data-free objective for crafting universal adversarial perturbations. IEEE Transactions on Pattern Analysis and Machine Intelligence， 41（10）： 2452-2465 ［DOI： 10.1109/tpami.2018.2861800http://dx.doi.org/10.1109/tpami.2018.2861800］

Nech A and Kemelmacher-Shlizerman I. 2017. Level playing field for million scale face recognition//Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition. Honolulu， USA： IEEE： 3406-3415 ［DOI： 10.1109/cvpr.2017.363http://dx.doi.org/10.1109/cvpr.2017.363］

Newton E M， Sweeney L and Malin B. 2005. Preserving privacy by de-identifying face images. IEEE Transactions on Knowledge and Data Engineering， 17（2）： 232-243 ［DOI： 10.1109/tkde.2005.32http://dx.doi.org/10.1109/tkde.2005.32］

Nousi P， Papadopoulos S， Tefas A and Pitas I. 2020. Deep autoencoders for attribute preserving face de-identification. Signal Processing： Image Communication， 81： #115699 ［DOI： 10.1016/j.image.2019.115699http://dx.doi.org/10.1016/j.image.2019.115699］

Poursaeed O， Katsman I， Gao B C and Belongie S. 2018. Generative adversarial perturbations//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City， USA： IEEE： 4422-4431 ［DOI： 10.1109/cvpr.2018.00465http://dx.doi.org/10.1109/cvpr.2018.00465］

Shan S， Wenger E， Zhang J Y， Li H Y， Zheng H T and Zhao B Y. 2020. Fawkes： protecting privacy against unauthorized deep learning models ［EB/OL］. ［2024-01-05］. https://doi.org/10.48550/arXiv.2002.08327https://doi.org/10.48550/arXiv.2002.08327

Sun Q R， Tewari A， Xu W P， Fritz M， Theobalt C and Schiele B. 2018. A hybrid model for identity obfuscation by face replacement//Proceedings of the 15th European Conference on Computer Vision （ECCV）. Munich， Germany： Springer： 570-586 ［DOI： 10.1007/978-3-030-01246-5_34http://dx.doi.org/10.1007/978-3-030-01246-5_34］

Wang H， Wang Y T， Zhou Z， Ji X， Gong D H， Zhou J C， Li Z F and Liu W. 2018. CosFace： large margin cosine loss for deep face recognition//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City， USA： IEEE： 5265-5274 ［DOI： 10.1109/cvpr.2018.00552http://dx.doi.org/10.1109/cvpr.2018.00552］

Wang Y， Cao T Y， Yang J B， Zheng Y F， Fang Z and Deng X T. 2022. A perturbation constraint related weak perceptual adversarial example generation method. Journal of Image and Graphics， 27（7）： 2287-2299

王杨，曹铁勇，杨吉斌，郑云飞，方正，邓小桐. 2022. 结合扰动约束的低感知性对抗样本生成方法. 中国图象图形学报， 27（7）： 2287-2299［DOI： 10.11834/jig.200681http://dx.doi.org/10.11834/jig.200681］

Yi D， Lei Z， Liao S C and Li S Z. 2014. Learning face representation from scratch ［EB/OL］. ［2024-01-05］. https://arxiv.org/pdf/1411.7923.pdfhttps://arxiv.org/pdf/1411.7923.pdf

Zhong Y Y and Deng W H. 2023. OPOM： customized invisible cloak towards face privacy protection. IEEE Transactions on Pattern Analysis and Machine Intelligence， 45（3）： 3590-3603 ［DOI： 10.1109/tpami.2022.3175602http://dx.doi.org/10.1109/tpami.2022.3175602］

Zhong Y Y， Deng W H， Hu J N， Zhao D Y， Li X and Wen D C. 2021. SFace： sigmoid-constrained hypersphere loss for robust face recognition. IEEE Transactions on Image Processing， 30： 2587-2598 ［DOI： 10.1109/tip.2020.3048632http://dx.doi.org/10.1109/tip.2020.3048632］

文章被引用时，请邮件提醒。

提交

卷积神经网络的人脸隐私保护识别