Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/99164
Full metadata record
DC Field [Language]: Value
dc.contributor.advisor [zh_TW]: 吳家麟
dc.contributor.advisor [en]: Ja-Ling Wu
dc.contributor.author [zh_TW]: 陳毅明
dc.contributor.author [en]: I-Ming Cheng
dc.date.accessioned: 2025-08-21T16:38:20Z
dc.date.available: 2025-08-22
dc.date.copyright: 2025-08-21
dc.date.issued: 2025
dc.date.submitted: 2025-08-05
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/99164
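dc.description.abstract [zh_TW]: Although deep neural network–based face recognition systems are highly accurate, they pose serious privacy risks by allowing unauthorized identification and tracking. Adversarial examples can protect user privacy by misleading model classification, but practical applications must balance visual quality, attack success rate, and generation speed. Diffusion models have recently been shown to produce high-quality, natural adversarial examples with strong attack performance; however, their inherent multi-step sampling process leads to long generation times, limiting practicality.
To address this problem, this thesis proposes a personalized adversarial latent perturbation method that trains a single perturbation in the latent space of a diffusion model for each user, enabling fast generation of adversarial examples while retaining the high visual quality and attack performance characteristic of diffusion models. This thesis focuses on the black-box targeted impersonation attack scenario, where the goal is to induce a face recognition system to misidentify the source identity as a specific target identity without access to the model's internals. We design an attention semantic loss to preserve facial semantic features and propose an attribute attention matching loss to improve attack transferability. In addition, this thesis adapts and applies a memory-efficient gradient computation method to support our multiple loss designs and reduce GPU memory usage. Experimental results show that the method achieves excellent attack success rates while maintaining high visual realism and practical generation speed.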
dc.description.abstract [en]: Deep neural network–based face recognition systems pose serious privacy risks by enabling unauthorized identification and tracking. Adversarial examples provide a promising defense by forcing misclassification, but practical deployment requires balancing visual quality, attack success, and generation speed. Diffusion models have recently emerged as powerful tools for generating high-quality, natural-looking adversarial examples with strong attack performance. However, their inherent iterative sampling process results in long generation times, limiting practical use.
To address this limitation, we propose personalized adversarial latent perturbations, which train a single perturbation in the latent space of a diffusion model for each individual. This design enables rapid generation of adversarial examples while preserving the visual quality and strong attack performance characteristic of diffusion-based methods. Our approach targets the black-box targeted impersonation attack scenario, which aims to induce a facial recognition system to misclassify the source identity as a specific target without internal model access. We introduce attention semantic loss to maintain facial semantics and attribute attention matching loss to improve attack transferability. We also adapt a memory-efficient gradient computation method to support our complex loss functions while reducing GPU memory usage. Experimental results demonstrate that our method achieves strong attack success rates with high visual fidelity and practical generation times.
dc.description.provenance [en]: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-08-21T16:38:20Z
No. of bitstreams: 0
dc.description.provenance [en]: Made available in DSpace on 2025-08-21T16:38:20Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Verification Letter from the Oral Examination Committee
Acknowledgements
Abstract (in Chinese)
Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Related Work
2.1 Adversarial Examples
2.2 Adversarial Attacks on Face Recognition
2.3 Generating Adversarial Examples with Diffusion Models
Chapter 3 Methodology
3.1 Problem Statement
3.2 Preliminaries
3.2.1 Diffusion Models and DDIM Sampling
3.2.2 Classifier-free Guidance
3.2.3 Diffusion Inversion
3.2.4 Latent Diffusion Models and Attention Mechanisms
3.3 System Overview
3.4 Identity Loss
3.5 Attention Semantic Loss
3.6 Attribute Attention Matching Loss
3.7 Combined Loss Function
3.8 Memory-Efficient Gradient Computation
3.9 Optimization of the Adversarial Perturbation
Chapter 4 Experiments
4.1 Experimental Settings
4.2 Comparisons
4.2.1 Black-box ASR
4.2.2 Visual Quality
4.2.3 Training and Generation Time
4.2.4 ASR under defense
4.3 Ablation Studies
4.3.1 Loss function effectiveness
4.3.2 Perceptual Regularization
4.3.3 Personalized Training
4.3.4 Memory-Efficient Gradient Computation
Chapter 5 Conclusion
5.1 Conclusion
5.2 Future Work
References
Appendix A — Memory-Efficient Gradient Computation Algorithm
Appendix B — Defense Details
Appendix C — More Visual Results
dc.language.iso: en
dc.subject [zh_TW]: Adversarial Perturbation
dc.subject [zh_TW]: Adversarial Examples
dc.subject [zh_TW]: Face Recognition
dc.subject [zh_TW]: Latent Diffusion Model
dc.subject [zh_TW]: Cross-Attention Maps
dc.subject [en]: Adversarial Perturbation
dc.subject [en]: Cross-Attention Maps
dc.subject [en]: Face Recognition
dc.subject [en]: Latent Diffusion Model
dc.subject [en]: Adversarial Examples
dc.title [zh_TW]: Personalized Adversarial Perturbations Based on Latent Diffusion Models for Facial Privacy Protection
dc.title [en]: Personalized Adversarial Perturbations for Facial Privacy Protection Using Latent Diffusion Models
dc.type: Thesis
dc.date.schoolyear: 113-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee [zh_TW]: 陳文進;陳駿丞
dc.contributor.oralexamcommittee [en]: Wen-Chin Chen;Jun-Cheng Chen
dc.subject.keyword [zh_TW]: Adversarial Perturbation, Adversarial Examples, Face Recognition, Latent Diffusion Model, Cross-Attention Maps
dc.subject.keyword [en]: Adversarial Perturbation, Adversarial Examples, Face Recognition, Latent Diffusion Model, Cross-Attention Maps
dc.relation.page: 49
dc.identifier.doi: 10.6342/NTU202503151
dc.rights.note: Authorization granted (open access worldwide)
dc.date.accepted: 2025-08-08
dc.contributor.author-college: College of Electrical Engineering and Computer Science
dc.contributor.author-dept: Department of Computer Science and Information Engineering
dc.date.embargo-lift: 2025-08-22
Appears in Collections: Department of Computer Science and Information Engineering

Files in This Item:
File: ntu-113-2.pdf
Size: 55.37 MB
Format: Adobe PDF


Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are otherwise indicated.