基於潛在擴散模型的個人化對抗擾動用於臉部隱私保護

Abstract

基於深度神經網路的臉部辨識系統雖具備高度準確性，卻帶來嚴重的隱私風險，允許未經授權的識別與追蹤。對抗樣本能透過誤導模型分類來保護使用者隱私，但在實際應用中，必須在視覺品質、攻擊成功率與生成速度之間取得平衡。擴散模型近年被證明能產生高品質、自然且具強大攻擊效能的對抗樣本，然而其內在的多步驟取樣過程導致生成時間過長，限制了實用性。 為解決此問題，本文提出個人化對抗潛空間擾動方法，針對每位使用者在擴散模型的潛空間中訓練單一擾動，使其能快速生成對抗樣本，同時保有擴散模型特有的高視覺品質與攻擊效能。本文專注於黑箱目標冒充攻擊情境，目標是在無法存取模型內部的前提下，誘使臉部辨識系統將來源身份誤判為特定目標身份。我們設計了注意力語意損失以維護臉部語意特徵，並提出屬性注意力匹配損失以提升攻擊可轉移性。此外，本文也改良並應用記憶體高效梯度計算方法，以支援我們的多項損失設計並降低GPU記憶體使用量。實驗結果顯示，本方法能在維持高視覺真實度與實用生成速度的同時，達成優異的攻擊成功率。

Deep neural network–based face recognition systems pose serious privacy risks by enabling unauthorized identification and tracking. Adversarial examples provide a promising defense by forcing misclassification, but practical deployment requires balancing visual quality, attack success, and generation speed. Diffusion models have recently emerged as powerful tools for generating high-quality, natural-looking adversarial examples with strong attack performance. However, their inherent iterative sampling process results in long generation times, limiting practical use. To address this limitation, we propose personalized adversarial latent perturbations, which train a single perturbation in the latent space of a diffusion model for each individual. This design enables rapid generation of adversarial examples while preserving the visual quality and strong attack performance characteristic of diffusion-based methods. Our approach targets the black-box targeted impersonation attack scenario, which aims to induce a facial recognition system to misclassify the source identity as a specific target without internal model access. We introduce attention semantic loss to maintain facial semantics and attribute attention matching loss to improve attack transferability. We also adapt a memory-efficient gradient computation method to support our complex loss functions while reducing GPU memory usage. Experimental results demonstrate that our method achieves strong attack success rates with high visual fidelity and practical generation times.