Yunming Zhang,Dengpan Ye,Caiyun Xie,Long Tang,Xin Liao,Ziyi Liu,Chuanxi Chen,Jiacheng Deng

DOI: https://doi.org/10.1109/tifs.2024.3383648

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Malicious applications of deep face swapping technology pose security threats such as misinformation dissemination and identity fraud. Some research propose the utilization of robust watermarking methods to track the copyright of facial images, facilitating post-forgery identity attribution. However, these methods cannot fundamentally prevent or eliminate the adverse impacts of face swapping. To address this issue, we present Dual Defense, an innovative framework based on robust adversarial watermarking. It simultaneously tracks image copyrights and disrupts the face swapping model by one-time embedding the robust adversarial watermark. Specifically, we propose an Original-domain Feature Emulation Attack (OFEA) method, which makes the traceable watermark adversarial through specially designed original domain adversarial loss. Additionally, we conduct a wavelet domain image structural information compensation loss, combined with a channel attention mechanism, to jointly balance watermark invisibility, adversariality, and traceability. Furthermore, we design a more comprehensive and rational evaluation method to thoroughly assess the effectiveness of adversarial attacks against face swapping models. Extensive experiments demonstrate that Dual Defense exhibits exceptional cross-task generality and dataset generalization. It maintains impressive adversariality and traceability in both original and robust settings, surpassing current forgery defense methods that possess only one of these capabilities.

computer science, theory & methods,engineering, electrical & electronic

Zhimao Lai,Zhuangxi Yao,Guanyu Lai,Chuntao Wang,Renhai Feng

DOI: https://doi.org/10.3390/electronics13244955

IF: 2.9

2024-12-17

Electronics

Abstract:The rapid advancement of Artificial Intelligence Generated Content (AIGC) has significantly accelerated the evolution of Deepfake technology, thereby introducing escalating social risks due to its potential misuse. In response to these adverse effects, researchers have developed defensive measures, including passive detection and proactive forensics. Although passive detection has achieved some success in identifying Deepfakes, it encounters challenges such as poor generalization and decreased accuracy, particularly when confronted with anti-forensic techniques and adversarial noise. As a result, proactive forensics, which offers a more resilient defense mechanism, has garnered considerable scholarly interest. However, existing proactive forensic methodologies often fall short in terms of visual quality, detection accuracy, and robustness. To address these deficiencies, we propose a novel proactive forensic approach that utilizes pseudo-Zernike moment robust watermarking. This method is specifically designed to enhance the detection and analysis of face swapping by transforming facial data into a binary bit stream and embedding this information within the non-facial regions of video frames. Our approach facilitates the detection of Deepfakes while preserving the visual integrity of the video content. Comprehensive experimental evaluations have demonstrated the robustness of this method against standard signal processing operations and its superior performance in detecting Deepfake manipulations.

engineering, electrical & electronic,computer science, information systems,physics, applied

Shulin Lan,Kanlin Liu,Yazhou Zhao,Chen Yang,Yingchao Wang,Xingshan Yao,Liehuang Zhu

2024-11-22

Abstract:Current passive deepfake face-swapping detection methods encounter significance bottlenecks in model generalization capabilities. Meanwhile, proactive detection methods often use fixed watermarks which lack a close relationship with the content they protect and are vulnerable to security risks. Dynamic watermarks based on facial features offer a promising solution, as these features provide unique identifiers. Therefore, this paper proposes a Facial Feature-based Proactive deepfake detection method (FaceProtect), which utilizes changes in facial characteristics during deepfake manipulation as a novel detection mechanism. We introduce a GAN-based One-way Dynamic Watermark Generating Mechanism (GODWGM) that uses 128-dimensional facial feature vectors as inputs. This method creates irreversible mappings from facial features to watermarks, enhancing protection against various reverse inference attacks. Additionally, we propose a Watermark-based Verification Strategy (WVS) that combines steganography with GODWGM, allowing simultaneous transmission of the benchmark watermark representing facial features within the image. Experimental results demonstrate that our proposed method maintains exceptional detection performance and exhibits high practicality on images altered by various deepfake techniques.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning,Image and Video Processing

Bofei Guo,Haoxuan Tai,Guibo Luo,Yuesheng Zhu

DOI: https://doi.org/10.1109/iceiec61773.2024.10561738

2024-01-01

Abstract:The rise of Deepfake technology presents a significant challenge to the integrity of information. Most existing Deepfake detection methods rely on visual artifacts to distinguish between the authentic and manipulated content, but they are unable to cope with unseen tampering method and easily affected by post-processing. Although recent investigations have tried to proactively protect facial images using deep watermarking techniques, more deceptive Deepfakes often incorporate both visual and audio modalities. To address this issue, we propose a novel proactive Deepfake detection framework for both audio and visual modalities by utilizing a unified encoder-decoder architecture to embed audio-visual watermarks. Also, an audiovisual feature encoder is developed to align the audio and visual information. The multi-modal watermarking is designed to embed a watermark as the detection clue in each modality respectively and conduct verification of both modalities together to detect Deepfaked multimedia. By adding a distortion layer between embedding and extracting during training, the embedded watermark is able to be robust against common post-processing operations (e.g., JPEG compression) while remaining sensitive to Deepfake manipulations (e.g., SimSwap) in the water-mark verification. Our experimental results on VidTIMIT have demonstrated that the proposed watermarking framework can effectively detect various advanced Deepfake manipulations and achieve good robustness to different kinds of common distortions compared with passive uni-modal and multi-modal Deepfake detection methods.

Run Wang,Ziheng Huang,Zhikai Chen,Li Liu,Jing Chen,Lina Wang

DOI: https://doi.org/10.24963/ijcai.2022/107

2022-01-01

Abstract:DeepFake is becoming a real risk to society and brings potential threats to both individual privacy and political security due to the DeepFaked multimedia are realistic and convincing. However, the popular DeepFake passive detection is an ex-post forensics countermeasure and failed in blocking the disinformation spreading in advance. To address this limitation, researchers study the proactive defense techniques by adding adversarial noises into the source data to disrupt the DeepFake manipulation. However, the existing studies on proactive DeepFake defense via injecting adversarial noises are not robust, which could be easily bypassed by employing simple image reconstruction revealed in a recent study MagDR. In this paper, we investigate the vulnerability of the existing forgery techniques and propose a novel anti-forgery technique that helps users protect the shared facial images from attackers who are capable of applying the popular forgery techniques. Our proposed method generates perceptual-aware perturbations in an incessant manner which is vastly different from the prior studies by adding adversarial noises that is sparse. Experimental results reveal that our perceptual-aware perturbations are robust to diverse image transformations, especially the competitive evasion technique, MagDR via image reconstruction. Our findings potentially open up a new research direction towards thorough understanding and investigation of perceptual-aware adversarial attack for protecting facial images against DeepFakes in a proactive and robust manner. Code is available at https://github.com/AbstractTeen/AntiForgery.

Hao Huang,Yongtao Wang,Zhaoyu Chen,Yuze Zhang,Yuheng Li,Zhi Tang,Wei Chu,Jingdong Chen,Weisi Lin,Kai-Kuang Ma

DOI: https://doi.org/10.1609/aaai.v36i1.19982

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Malicious applications of deepfakes (i.e., technologies generating target facial attributes or entire faces from facial images) have posed a huge threat to individuals' reputation and security. To mitigate these threats, recent studies have proposed adversarial watermarks to combat deepfake models, leading them to generate distorted outputs. Despite achieving impressive results, these adversarial watermarks have low image-level and model-level transferability, meaning that they can protect only one facial image from one specific deepfake model. To address these issues, we propose a novel solution that can generate a Cross-Model Universal Adversarial Watermark (CMUA-Watermark), protecting a large number of facial images from multiple deepfake models. Specifically, we begin by proposing a cross-model universal attack pipeline that attacks multiple deepfake models iteratively. Then, we design a two-level perturbation fusion strategy to alleviate the conflict between the adversarial watermarks generated by different facial images and models. Moreover, we address the key problem in cross-model optimization with a heuristic approach to automatically find the suitable attack step sizes for different models, further weakening the model-level conflict. Finally, we introduce a more reasonable and comprehensive evaluation method to fully test the proposed method and compare it with existing ones. Extensive experimental results demonstrate that the proposed CMUA-Watermark can effectively distort the fake facial images generated by multiple deepfake models while achieving a better performance than existing methods. Our code is available at https://github.com/VDIGPKU/CMUA-Watermark.

Xiaoshuai Wu,Xin Liao,Bo Ou,Yuling Liu,Zheng Qin

2024-04-27

Abstract:AI-generated content has accelerated the topic of media synthesis, particularly Deepfake, which can manipulate our portraits for positive or malicious purposes. Before releasing these threatening face images, one promising forensics solution is the injection of robust watermarks to track their own provenance. However, we argue that current watermarking models, originally devised for genuine images, may harm the deployed Deepfake detectors when directly applied to forged images, since the watermarks are prone to overlap with the forgery signals used for detection. To bridge this gap, we thus propose AdvMark, on behalf of proactive forensics, to exploit the adversarial vulnerability of passive detectors for good. Specifically, AdvMark serves as a plug-and-play procedure for fine-tuning any robust watermarking into adversarial watermarking, to enhance the forensic detectability of watermarked images; meanwhile, the watermarks can still be extracted for provenance tracking. Extensive experiments demonstrate the effectiveness of the proposed AdvMark, leveraging robust watermarking to fool Deepfake detectors, which can help improve the accuracy of downstream Deepfake detection without tuning the in-the-wild detectors. We believe this work will shed some light on the harmless proactive forensics against Deepfake.

Computer Vision and Pattern Recognition,Image and Video Processing

Aakash Varma Nadimpalli,Ajita Rattani

2024-10-03

Abstract:With the significant advances in deep generative models for image and video synthesis, Deepfakes and manipulated media have raised severe societal concerns. Conventional machine learning classifiers for deepfake detection often fail to cope with evolving deepfake generation technology and are susceptible to adversarial attacks. Alternatively, invisible image watermarking is being researched as a proactive defense technique that allows media authentication by verifying an invisible secret message embedded in the image pixels. A handful of invisible image watermarking techniques introduced for media authentication have proven vulnerable to basic image processing operations and watermark removal attacks. In response, we have proposed a semi-fragile image watermarking technique that embeds an invisible secret message into real images for media authentication. Our proposed watermarking framework is designed to be fragile to facial manipulations or tampering while being robust to benign image-processing operations and watermark removal attacks. This is facilitated through a unique architecture of our proposed technique consisting of critic and adversarial networks that enforce high image quality and resiliency to watermark removal efforts, respectively, along with the backbone encoder-decoder and the discriminator networks. Thorough experimental investigations on SOTA facial Deepfake datasets demonstrate that our proposed model can embed a $64$-bit secret as an imperceptible image watermark that can be recovered with a high-bit recovery accuracy when benign image processing operations are applied while being non-recoverable when unseen Deepfake manipulations are applied. In addition, our proposed watermarking technique demonstrates high resilience to several white-box and black-box watermark removal attacks. Thus, obtaining state-of-the-art performance.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning,Multimedia

Jingzhi Li,Changjiang Luo,Hua Zhang,Yang Cao,Xin Liao,Xiaochun Cao

DOI: https://doi.org/10.1007/s11263-024-02259-5

IF: 13.369

2024-01-01

International Journal of Computer Vision

Abstract:Deepfake techniques pose a significant threat to personal privacy and social security. To mitigate these risks, various defensive techniques have been introduced, including passive methods through fake detection and proactive methods through adding invisible perturbations. Recent proactive methods mainly focus on face manipulation but perform poorly against face swapping, as face swapping involves the more complex process of identity information transfer. To address this issue, we develop a novel privacy-preserving framework, named Anti-Fake Vaccine, to protect the facial images against the malicious face swapping. This new proactive technique dynamically fuses visual corruption and content misdirection, significantly enhancing protection performance. Specifically, we first formulate constraints from two distinct perspectives: visual quality and identity semantics. The visual perceptual constraint targets image quality degradation in the visual space, while the identity similarity constraint induces erroneous alterations in the semantic space. We then introduce a multi-objective optimization solution to effectively balance the allocation of adversarial perturbations generated according to these constraints. To further improving performance, we develop an additive perturbation strategy to discover the shared adversarial perturbations across diverse face swapping models. Extensive experiments on the CelebA-HQ and FFHQ datasets demonstrate that our method exhibits superior generalization capabilities across diverse face swapping models, including commercial ones.

Yunming Zhang,Dengpan Ye,Caiyun Xie,Sipeng Shen,Ziyi Liu,Jiacheng Deng,Long Tang

2024-10-23

Abstract:The wide deployment of Face Recognition (FR) systems poses privacy risks. One countermeasure is adversarial attack, deceiving unauthorized malicious FR, but it also disrupts regular identity verification of trusted authorizers, exacerbating the potential threat of identity impersonation. To address this, we propose the first double identity protection scheme based on traceable adversarial watermarking, termed DIP-Watermark. DIP-Watermark employs a one-time watermark embedding to deceive unauthorized FR models and allows authorizers to perform identity verification by extracting the watermark. Specifically, we propose an information-guided adversarial attack against FR models. The encoder embeds an identity-specific watermark into the deep feature space of the carrier, guiding recognizable features of the image to deviate from the source identity. We further adopt a collaborative meta-optimization strategy compatible with sub-tasks, which regularizes the joint optimization direction of the encoder and decoder. This strategy enhances the representation of universal carrier features, mitigating multi-objective optimization conflicts in watermarking. Experiments confirm that DIP-Watermark achieves significant attack success rates and traceability accuracy on state-of-the-art FR models, exhibiting remarkable robustness that outperforms the existing privacy protection methods using adversarial attacks and deep watermarking, or simple combinations of the two. Our work potentially opens up new insights into proactive protection for FR privacy.

Cryptography and Security,Computer Vision and Pattern Recognition,Image and Video Processing

Weinan Guan,Wei Wang,Jing Dong,Bo Peng,Tieniu Tan

DOI: https://doi.org/10.48550/arXiv.2104.13665

2021-04-28

Abstract:Maliciously-manipulated images or videos - so-called deep fakes - especially face-swap images and videos have attracted more and more malicious attackers to discredit some key figures. Previous pixel-level artifacts based detection techniques always focus on some unclear patterns but ignore some available semantic clues. Therefore, these approaches show weak interpretability and robustness. In this paper, we propose a biometric information based method to fully exploit the appearance and shape feature for face-swap detection of key figures. The key aspect of our method is obtaining the inconsistency of 3D facial shape and facial appearance, and the inconsistency based clue offers natural interpretability for the proposed face-swap detection method. Experimental results show the superiority of our method in robustness on various laundering and cross-domain data, which validates the effectiveness of the proposed method.

Computer Vision and Pattern Recognition

Tianyi Wang,Mengxiao Huang,Harry Cheng,Xiao Zhang,Zhiqi Shen

DOI: https://doi.org/10.1145/3664647.3680869

2024-11-26

Abstract:Deepfake facial manipulation has garnered significant public attention due to its impacts on enhancing human experiences and posing privacy threats. Despite numerous passive algorithms that have been attempted to thwart malicious Deepfake attacks, they mostly struggle with the generalizability challenge when confronted with hyper-realistic synthetic facial images. To tackle the problem, this paper proposes a proactive Deepfake detection approach by introducing a novel training-free landmark perceptual watermark, LampMark for short. We first analyze the structure-sensitive characteristics of Deepfake manipulations and devise a secure and confidential transformation pipeline from the structural representations, i.e. facial landmarks, to binary landmark perceptual watermarks. Subsequently, we present an end-to-end watermarking framework that imperceptibly and robustly embeds and extracts watermarks concerning the images to be protected. Relying on promising watermark recovery accuracies, Deepfake detection is accomplished by assessing the consistency between the content-matched landmark perceptual watermark and the robustly recovered watermark of the suspect image. Experimental results demonstrate the superior performance of our approach in watermark recovery and Deepfake detection compared to state-of-the-art methods across in-dataset, cross-dataset, and cross-manipulation scenarios.

Computer Vision and Pattern Recognition

Hao-Xian Wang,Zhe-Ming Lu,Jeng-Shyang Pan,Sheng-He Sun

2005-01-01

Abstract:In this paper, a novel adaptive approach to spatial domain video watermarking is presented. It takes full advantage of both intra-frame and inter-frame information of video content to guarantee the perceptual invisibility and robustness of the watermark. An effective block classifier is delicately designed based on motion information and region complexity. Meanwhile, the idea of bitplane replacement is introduced in the embedding procedure. A major advantage of this technique is that the watermark can be extracted without referring to the original video while embedded adaptively in accordance with the human visual system and signal characteristics. The multi-frame based extraction strategy ensures that the watermark can be correctly recovered from a very short segment of video. Individual frames extracted from the video also contain watermark information. Experimental results show that the watermarked video appears visually indistinguishable from the original video, and the proposed watermarking technique is robust enough to common video attacks.

Han Bao,Xuhong Zhang,Qinying Wang,Kangming Liang,Zonghui Wang,Shouling Ji,Wenzhi Chen

DOI: https://doi.org/10.24963/ijcai.2024/37

2024-01-01

Abstract:Deepfake model misuse poses major security concerns. Existing passive and active Deepfake detection methods both suffer from a lack of generalizability and robustness. In this study, we propose a pluggable and efficient active model watermarking framework for Deepfake detection. This approach facilitates the embedding of identification watermarks across a variety of Deepfake generation models, enabling easy extraction by authorities for detection purposes. Specifically, our method leverages the universal convolutional structure in generative model decoders. It employs convolutional kernel sparsification for adaptive watermark embedding positioning and introduces convolutional kernel normalization to seamlessly integrate watermark parameters with those of the generative model. For watermark extraction, we jointly train a watermark extractor based on a Deepfake detection model and use BCH encoding to identify watermark images effectively. Finally, we apply our approach to eight major types of Deepfake generation models. Experiments show our method successfully detects Deepfakes with an average accuracy exceeding 94% even in heavy lossy channels. This approach operates independently of the generation model's training without affecting the original model's performance. Furthermore, our model requires training a very limited number of parameters, and it is resilient against three major adaptive attacks. The source code can be found at https://github.com/GuaiZao/Pluggable-Watermarking

Yangming Zhou,Qichao Ying,Xiangyu Zhang,Zhenxing Qian,Sheng Li,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.2207.03409

2022-07-08

Abstract:Videos are prone to tampering attacks that alter the meaning and deceive the audience. Previous video forgery detection schemes find tiny clues to locate the tampered areas. However, attackers can successfully evade supervision by destroying such clues using video compression or blurring. This paper proposes a video watermarking network for tampering localization. We jointly train a 3D-UNet-based watermark embedding network and a decoder that predicts the tampering mask. The perturbation made by watermark embedding is close to imperceptible. Considering that there is no off-the-shelf differentiable video codec simulator, we propose to mimic video compression by ensembling simulation results of other typical attacks, e.g., JPEG compression and blurring, as an approximation. Experimental results demonstrate that our method generates watermarked videos with good imperceptibility and robustly and accurately locates tampered areas within the attacked version.

Computer Vision and Pattern Recognition

Tong Qiao,Bin Zhao,Ran Shi,Meng Han,Mahmoud Hassaballah,Florent Retraint,Xiangyang Luo

DOI: https://doi.org/10.1109/tifs.2024.3460387

2024-01-01

Abstract:The illegal use of facial forgery models, such as Generative Adversarial Networks (GAN) synthesized contents, has been on the rise, thereby posing great threats to personal reputation and national security. To mitigate these threats, recent studies have proposed the use of adversarial watermarks as countermeasures against GAN, effectively disrupting their outputs. However, the majority of these adversarial watermarks exhibit very limited defense ranges, providing defense against only a single GAN forgery model. Although some universal adversarial watermarks have demonstrated impressive results, they lack the defense scalability as a new-emerging forgery model appears. To address the tough issue, we propose a scalable approach even when the original forgery models are unknown. Specifically, a watermark expansion scheme, which mainly involves inheriting, defense and constraint steps, is introduced. On the one hand, the proposed method can effectively inherit the defense range of the prior well-trained adversarial watermark; on the other hand, it can defend against a new forgery model. Extensive experimental results validate the efficacy of the proposed method, exhibiting superior performance and reduced computational time compared to the state-of-the-arts.

Jiachen Yang,Guipeng Lan,Shuai Xiao,Yang Li,Jiabao Wen,Yong Zhu

DOI: https://doi.org/10.3390/s22134697

2022-06-22

Abstract:In the era of rapid development of the Internet of things, deep learning, and communication technologies, social media has become an indispensable element. However, while enjoying the convenience brought by technological innovation, people are also facing the negative impact brought by them. Taking the users' portraits of multimedia systems as examples, with the maturity of deep facial forgery technologies, personal portraits are facing malicious tampering and forgery, which pose a potential threat to personal privacy security and social impact. At present, the deep forgery detection methods are learning-based methods, which depend on the data to a certain extent. Enriching facial anti-spoofing datasets is an effective method to solve the above problem. Therefore, we propose an effective face swapping framework based on StyleGAN. We utilize the feature pyramid network to extract facial features and map them to the latent space of StyleGAN. In order to realize the transformation of identity, we explore the representation of identity information and propose an adaptive identity editing module. We design a simple and effective post-processing process to improve the authenticity of the images. Experiments show that our proposed method can effectively complete face swapping and provide high-quality data for deep forgery detection to ensure the security of multimedia systems.

Ling-Yuan Hsu

DOI: https://doi.org/10.1016/j.jvcir.2024.104094

IF: 2.887

2024-02-25

Journal of Visual Communication and Image Representation

Abstract:This paper proposes a new adaptive blind watermarking technology for deepfake detection, which can embed deepfake detection information into the image and verify the image's authenticity without requiring additional information. The proposed scheme utilizes mixed modulation combined with partly sign-altered mean value to embed a set of coefficients that enhance robustness against attacks while maintaining high image quality. Additionally, blind adaptive deepfake detection technology with the tamper detection mean value is employed to detect relative positions adaptively, even when face images are slightly modified or deepfaked. To further improve the performance of the proposed scheme, a gray wolf optimizer is introduced to optimize parameters, and a denoising autoencoder is employed to facilitate the identification of extracted watermarks. This technology will adaptively embed watermark information while preserving the original face image, thereby maintaining the authenticity of the face in the image and verifying the owner of the image. The code is available at https://github.com/lyhsu01/AwDD .

computer science, information systems, software engineering

Dehui Wang,Jinfu Liu,Yingqian Zhang,Nian Zhang,Xingyuan Wang

DOI: https://doi.org/10.2174/2210298102666220411113929

2022-01-01

Current Chinese Science

Abstract:Background: Face recognition which belongs to biometric recognition has great application value. Nowadays, face recognition based on deep learning has been widely used in many fields such as internet payment, network login and authentication. However, the face recognition deep learning model are easily replaced and tampered with. Once the models are illegally attacked, it will infringe the intellectual property rights of the model owner and cause economic losses. To deal with these threats, we use watermarking technology to add identity into the face recognition deep learning model. When it is replaced or tampered with, we can prove that the model belongs to us by extracting the watermarks. Objective: In this study, our innovate framework is designed to add watermarks into the face recognition deep learning model as identity, which makes it have features of both trigger sets and data sets. The model will be robust enough to resist common machine learning attacks. With special watermarks, its ownership can be guaranteed. Method: We construct a special watermark trigger set and embed it into the model, which makes it trained without human intervention and annotation. To be flexible for a variety of applications, this scheme uses chaotic sequences to label a watermark trigger set, which guarantees the non-generalization of the watermark. The initial value and parameters used in the method are designed respectively as key to the model. We train 4 models with different number of trigger samples, which is used to study the effect of the number of trigger samples on the model accuracy. Results: We successfully propose a watermarking method for adding identity to the face recognition deep learning model. Watermark extraction rate of the proposed framework is 100%, which means our method can successfully prove ownership of the face recognition deep learning model. In destructive experiments, Models subject to fine-tuning attack still have high face recognition rates which are over 99.00%, and extraction rates of watermarks of each model is 100%. Under overwriting attack, the extraction rates of watermarks of models are less than 25%, models cannot maintain the original performance, which means that watermarks can provide protection until the model loses its ability. The experimental results indicate that the proposed scheme is robust against common machine learning attacks and it prevent the model from being replaced and tempering with. Conclusion: The robustness of the proposed method is capable of resisting machine learning attacks and fine-tuning attacks. It also provides good fidelity, safety, practicality, completeness and effectiveness. With the help of special watermarks, related departments can effectively manage face recognition deep learning models. Besides, it can facilitate the commercialization of intelligent models.

Yunming Zhang,Dengpan Ye,Sipeng Shen,Caiyun Xie,Ziyi Liu,Jiacheng Deng,Long Tang

2024-04-23

Abstract:The wide deployment of Face Recognition (FR) systems poses risks of privacy leakage. One countermeasure to address this issue is adversarial attacks, which deceive malicious FR searches but simultaneously interfere the normal identity verification of trusted authorizers. In this paper, we propose the first Double Privacy Guard (DPG) scheme based on traceable adversarial watermarking. DPG employs a one-time watermark embedding to deceive unauthorized FR models and allows authorizers to perform identity verification by extracting the watermark. Specifically, we propose an information-guided adversarial attack against FR models. The encoder embeds an identity-specific watermark into the deep feature space of the carrier, guiding recognizable features of the image to deviate from the source identity. We further adopt a collaborative meta-optimization strategy compatible with sub-tasks, which regularizes the joint optimization direction of the encoder and decoder. This strategy enhances the representation of universal carrier features, mitigating multi-objective optimization conflicts in watermarking. Experiments confirm that DPG achieves significant attack success rates and traceability accuracy on state-of-the-art FR models, exhibiting remarkable robustness that outperforms the existing privacy protection methods using adversarial attacks and deep watermarking, or simple combinations of the two. Our work potentially opens up new insights into proactive protection for FR privacy.

Cryptography and Security,Computer Vision and Pattern Recognition,Image and Video Processing