The use of personal sensitive data to train face recognition (FR) models raises significant privacy concerns, because adversaries can employ model inversion attacks (MIA) to infer the original training data. Existing defense methods, such as data augmentation and differential privacy, have been employed to mitigate this issue, but they often fail to strike an optimal balance between privacy and accuracy. To address this limitation, this paper introduces an adaptive hybrid masking algorithm against MIA. Specifically, face images are masked in the frequency domain using an adaptive MixUp strategy. Unlike the traditional MixUp algorithm, which is used predominantly for data augmentation, our modified approach mixes images in the frequency domain. Previous studies have shown that increasing the number of images mixed in MixUp strengthens privacy preservation but reduces face recognition accuracy. To overcome this trade-off, we develop an enhanced adaptive MixUp strategy based on reinforcement learning, which lets us mix a larger number of images while maintaining satisfactory recognition accuracy. To optimize privacy protection, we maximize the reward function (i.e., the loss function of the FR system) while training the strategy network, whereas the loss function of the FR network is minimized while training the FR network. The strategy network and the face recognition network can thus be viewed as antagonistic entities in the training process, ultimately reaching a more balanced trade-off. Experimental results demonstrate that our proposed hybrid masking scheme outperforms existing defense algorithms in both privacy preservation and recognition accuracy against MIA.
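The following is an added illustration, not code from the paper or its authors. It instantiates one plausible form of "frequency-domain MixUp over k images" so the privacy-versus-k effect the abstract cites can be measured on constructed data: every rFFT bin receives its own k-way convex mixing weights (an assumption; the abstract does not specify how the frequency-domain masking is parameterized), random Dirichlet draws stand in for whatever the reinforcement-learning strategy network would output, and the FR network, its loss-based reward and the adversarial training loop are not implemented. The leakage proxy is simply the largest Pearson correlation between the mixed image and any of its sources.

```python
import numpy as np

# Added example, not the paper's code. Per-bin Dirichlet weights are an
# assumed stand-in for the strategy network's output; no FR model is trained.


def make_images(k, height, width, seed=0):
    """Constructed stand-in images (uniform noise in [0, 1)); no real face data."""
    rng = np.random.default_rng(seed)
    return rng.random((k, height, width))


def sample_bin_weights(k, height, width, seed=1):
    """Per-frequency-bin k-way mixing weights; each bin's weights sum to 1.
    Random Dirichlet draws replace the paper's learned strategy (assumption)."""
    rng = np.random.default_rng(seed)
    w = rng.dirichlet(np.ones(k), size=(height, width // 2 + 1))  # (H, W//2+1, k)
    return np.moveaxis(w, -1, 0)                                   # (k, H, W//2+1)


def frequency_mixup(images, weights):
    """Mix k real images in the frequency domain and return one real image.

    images:  (k, H, W) real array
    weights: (k, H, W//2+1) non-negative, summing to 1 over axis 0 per bin
    """
    k, height, width = images.shape
    spectra = np.fft.rfft2(images, axes=(-2, -1))      # (k, H, W//2+1), complex
    mixed = np.sum(weights * spectra, axis=0)          # convex combination per bin
    return np.fft.irfft2(mixed, s=(height, width))     # back to a real image


def max_source_correlation(mixed, images):
    """Largest Pearson correlation between the mixed image and any source image.
    A crude proxy for how much of a single training face survives the mask."""
    m = mixed.ravel() - mixed.mean()
    best = 0.0
    for img in images:
        x = img.ravel() - img.mean()
        corr = float(np.dot(m, x) / (np.linalg.norm(m) * np.linalg.norm(x)))
        best = max(best, corr)
    return best


def leakage_vs_k(ks=(2, 4, 8), height=64, width=64):
    """Max source correlation of the mixed image for each number of mixed images k.
    Larger k should drive the proxy down, matching the trend the abstract cites."""
    out = {}
    for k in ks:
        imgs = make_images(k, height, width, seed=k)
        w = sample_bin_weights(k, height, width, seed=100 + k)
        out[k] = max_source_correlation(frequency_mixup(imgs, w), imgs)
    return out


def uniform_weights_reduce_to_mixup(k=3, height=16, width=16):
    """If every bin uses the same weights 1/k, the FFT's linearity makes the
    frequency-domain mix identical to ordinary spatial MixUp with weights 1/k.
    Per-bin (adaptive) weights are therefore what distinguishes the scheme."""
    imgs = make_images(k, height, width, seed=7)
    uniform = np.full((k, height, width // 2 + 1), 1.0 / k)
    return bool(np.allclose(frequency_mixup(imgs, uniform), imgs.mean(axis=0)))


if __name__ == "__main__":
    print("uniform weights == spatial MixUp:", uniform_weights_reduce_to_mixup())
    for k, corr in leakage_vs_k().items():
        print(f"k={k}: max correlation with any source = {corr:.3f}")
```

Running the script prints a correlation that falls as k grows, which is the trend the abstract describes; the paper's contribution is to recover the accuracy that large k would otherwise cost by letting a strategy network, rather than a random draw, choose the mixing.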