CLIP2Protect: Protecting Facial Privacy Using Text-Guided Makeup via Adversarial Latent Search

The success of deep learning based face recognition systems has given rise to serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Existing methods for enhancing privacy fail to generate naturalistic images that can protect facial privacy without compromising user experience. We propose a novel two-step approach for facial privacy protection that relies on finding adversarial latent codes in the low-dimensional manifold of a pretrained generative model. The first step inverts the given face image into the latent space and finetunes the generative model to achieve an accurate reconstruction of the given image from its latent code. This step produces a good initialization, aiding the generation of high-quality faces that resemble the given identity. Subsequently, user-defined makeup text prompts and identity-preserving regularization are used to guide the search for adversarial codes in the latent space. Extensive experiments demonstrate that faces generated by our approach have stronger black-box transferability with an absolute gain of 12.06% over the state-of-the-art facial privacy protection approach under the face verification task. Finally, we demonstrate the effectiveness of the proposed approach for commercial face recognition systems. Our code is available at https://github.com/fahadshamshad/Clip2Protect.
