The increasingly pervasive facial recognition (FR) systems raise serious concerns about personal privacy, especially for billions of users who have publicly shared their photos on social media. Several attempts have been made to protect individuals from unauthorized FR systems by using adversarial attacks to generate encrypted face images that prevent users from being identified. However, existing methods suffer from poor visual quality or low attack success rates, which limit their usability in practice. In this paper, we propose Attribute Guided Encryption with Facial Texture Masking (AGE-FTM), which performs a dual manifold adversarial attack on FR systems to achieve both good visual quality and high black-box attack success rates. In particular, AGE-FTM utilizes a high-fidelity generative adversarial network (GAN) to generate natural on-manifold adversarial samples by modifying facial attributes, and performs the facial texture masking attack to generate imperceptible off-manifold adversarial samples. Extensive experiments on the CelebA-HQ dataset demonstrate that our proposed method produces more natural-looking encrypted images than state-of-the-art methods while achieving competitive attack performance. We further evaluate the effectiveness of AGE-FTM in the real world using a commercial FR API and validate its usefulness in practice through a user study.