
Preventing hackers from reconstructing faces: a new face privacy protection solution from Zhejiang University & Ali

Qubit 2024/08/27 13:40

Concerns about the security of face data now have a new solution!

Zhejiang University has teamed up with the Alibaba Security Department to launch a new face privacy protection solution, FaceObfuscator.

Even if criminals obtain face features from the database, they cannot use various reconstruction attacks to restore face data and steal face privacy.

A new type of reconstruction attack threatens face privacy

Face recognition is a biometric technology based on facial feature information, which is widely used in finance, security and people's livelihood.

Before using the face recognition system, you first need to enter the face information, which will be stored in the face database of the service provider in the form of face features for real-time face recognition and identity authentication.


△ Mainstream face recognition architecture

However, the lack of network and data security mechanisms can easily lead to the leakage of face databases.

Although facial features can prevent direct privacy leakage to a certain extent, unfortunately, these facial features, which are not visible to the naked eye, may still be reconstructed through powerful AI technology.

Once this leaked facial information is maliciously used by criminals, people's information security will be greatly harmed.

The process of recovering the original face image from the features is known as a reconstruction attack.

The attacker trains a reconstruction network on a large number of face image and face feature pairs. Through continuous training and optimization, the network learns the association between a feature vector and its corresponding face image, until it can accurately recover the original face from the feature vector.

This may not be intuitive in words, so let's take a look at a feature image before restoration:


△ Schematic diagram of facial features

After such a completely unrecognizable image is reconstructed, there is almost no difference from the original dataset except for a slight tonal difference.


△ Schematic diagram of the reconstruction attack process

Existing facial feature protection solutions include PPFR-FD (removing some high-frequency visual information to resist reconstruction attacks), proposed by Ant Group in 2022, and DuetFace (deleting some low-frequency visual information to defend against reconstruction attacks), proposed by Tencent Youtu in 2022.

Although these methods can resist some traditional attacks, they cannot cope with this emerging reconstruction attack: the user's facial features can still be restored to a recognizable face image, and the user's privacy is seriously threatened.


△ Face images restored by reconstruction attacks under different defense schemes

To solve this problem, Professor Ren Kui and Professor Wang Zhibo of the National Key Laboratory of Blockchain and Data Security of Zhejiang University, together with the Alibaba Security Department, proposed a new method:

By filtering frequency domain channels on the client, the redundant visual information in the face image is removed, and randomness is used to interfere with the inverse mapping from face features to face images, so as to defend against reconstruction attacks at the root. On the server side, an inverse transformation is used to remove the randomness and maintain the accuracy of face recognition.

The results have been published at the USENIX Security Symposium 2024, which is one of the four top international academic conferences in the field of security.


Not only accurate identification, but also privacy and security

FaceObfuscator is a lightweight privacy-preserving face recognition system, which solves the privacy threat of face feature reconstruction faced by the current face recognition system.

FaceObfuscator first desensitizes the input face image to obtain obfuscated features, and then uses the obfuscated features instead of the face image throughout the face recognition process and the face database.

The obfuscated features can be used for high-precision face recognition and also effectively prevent attackers from recovering the original face information after a leak.


△ Obfuscation feature generation process

Specifically, the process of obtaining obfuscation features in FaceObfuscator can be divided into two steps: the deletion of redundant face recognition information and the obfuscation of face privacy information.

The first step is the deletion of visual information from the face image. This step is to remove redundant visual information containing personal privacy while ensuring the accuracy of face recognition.

Because different frequency domain channels contain different visual information (the low-frequency channels carry the overall visual information, and the high-frequency channels carry the image detail information), the team first transformed the image into frequency-domain features through a discrete cosine transform to separate the visual information of the image.

Through experiments, the team found that each frequency domain channel, whether high-frequency or low-frequency, can be used for relatively accurate face recognition, which also means that there is a large amount of redundant information in the original face image.

This redundant information does not help much to improve the accuracy of face recognition, but it provides attackers with rich reconstruction information.

Therefore, by analyzing the importance of frequency domain channels to the face recognition task, the team ranks them in order of importance and retains only the channels most critical for face recognition as face features, so as to suppress visual information as much as possible while maintaining high face recognition accuracy.

However, some of the visual information in the remaining frequency domain channels is highly coupled with the identity information, which is still enough for the attacker to restore certain private information, and the facial features need to be further obfuscated.

And so comes the second step.

After analysis, the research team found that the key to further defense against reconstruction attacks is to interfere with the gradient descent process of the reconstruction network to prevent it from fitting the inverse mapping from face features to face images.

Therefore, on the client side, FaceObfuscator randomly transforms each face feature from two dimensions: direction and scale, and introduces randomness to resist reconstruction attacks.

Among them, the randomness of the direction is achieved by randomly flipping the sign bits of the elements in the face feature, and the randomness of the scale is achieved by exponentially transforming the numerical values of the elements in the face feature.

When the face features are random, the loss function used by the attacker will be difficult to converge, which interferes with the gradient descent process of the reconstruction network and effectively resists various reconstruction attacks.


△ Schematic diagram of random transformation of face feature direction and scale

At the same time, the research team found through experiments that the randomness of the direction of face features has little impact on the accuracy of face recognition and will not affect normal face recognition.

Therefore, on the server side, it is only necessary to remove the randomness in the scale dimension to ensure face recognition accuracy.

Specifically, the server restores different obfuscated features of the same identity to the same face feature by applying the inverse of the exponential transformation, a logarithmic transformation, so as to remove the randomness of the scale and ensure the accuracy of face recognition.
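A minimal sketch of this second step and its server-side inverse, added here as an illustration and not FaceObfuscator's own code. The page does not give the exact transform, so the form y = s * BASE^(k + u) (random sign s, random integer scale level k, magnitude u in (0, 1)), the constants, the choice to ignore the sign at the server, and the sample feature vector are all assumptions.

```python
import math
import random

BASE = 2.0      # assumed base of the exponential transform
LEVELS = 8      # assumed number of random scale levels
EPS = 1e-6      # keeps magnitudes inside (0, 1) so the log round trip cannot wrap

def obfuscate(feature, rng):
    """Client side: randomize the direction (sign) and scale of every element."""
    out = []
    for x in feature:
        u = min(max(abs(x), EPS), 1.0 - EPS)  # magnitude to protect
        k = rng.randrange(LEVELS)             # random scale level
        s = rng.choice((-1.0, 1.0))           # random sign flip
        out.append(s * BASE ** (k + u))       # exponential transform
    return out

def derandomize(obfuscated):
    """Server side: the log transform strips the random scale level k.
    The random sign is simply ignored (assumption of this sketch)."""
    return [math.log(abs(y), BASE) % 1.0 for y in obfuscated]

def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    return dot / math.sqrt(sum(p * p for p in a) * sum(q * q for q in b))

# Constructed sample: magnitudes of retained frequency-channel values in (0, 1).
FEATURE = [0.12, 0.87, 0.45, 0.03, 0.66, 0.29, 0.91, 0.50]

def demo(seed_a=1, seed_b=2):
    """Obfuscate the same feature twice, as two client requests would."""
    a = obfuscate(FEATURE, random.Random(seed_a))
    b = obfuscate(FEATURE, random.Random(seed_b))
    return a, b, cosine(a, b), cosine(derandomize(a), derandomize(b))

if __name__ == "__main__":
    a, b, stored_cos, server_cos = demo()
    print("stored copy 1:", [round(v, 2) for v in a])
    print("stored copy 2:", [round(v, 2) for v in b])
    print("cosine between stored copies:", round(stored_cos, 4))
    print("cosine after server log transform:", round(server_cos, 4))
```

The two stored copies of the same face differ in sign and magnitude, while the vectors the server compares after the logarithm are identical.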

Finally, FaceObfuscator generates a reconstruction-resistant face feature that is used to protect the transmission and storage of face data.

This kind of protection scheme, which is not encryption yet does better than encryption, has an excellent defense effect while keeping the computing and storage overhead low.

Effectively defending against reconstruction attacks

As shown in the figure below, the team tested FaceObfuscator's privacy protection capabilities on six public face datasets (LFW, CFP-FF, CFP-FP, AgeDB-30, CALFW, and CPLFW).


△ Face images restored by reconstruction attacks under different defense schemes

In the experiment, the attacker uses a deep neural network (DNN)-based method to learn the mapping from features to face images, and then directly recovers face images from the leaked face features.

This is also the most mainstream and effective attack method at present.

It can be seen that compared with other solutions, the face features of FaceObfuscator cannot be reconstructed into face images, effectively protecting face privacy.


△ COS and SRRA indicators of different defense schemes

COS is the cosine similarity. It is calculated by using another, independent face recognition system to obtain the identity vectors of the reconstructed image and the original image in the 512-dimensional face feature space, and then computing the cosine similarity between the two.

The lower the COS, the better the defense.

SRRA is the success rate of replay attacks, which specifically refers to the probability that an image reconstructed from a face recognition system's features deceives that same face recognition system into a successful identity authentication.

The results show that the cosine similarity between the reconstructed image and the original image is greatly reduced, which effectively protects the privacy of the face.

The success rate of replay attacks (SRRA) is also greatly reduced (from the order of 90% to the order of 0.1%), effectively preventing leaked faces from being used to break through the face recognition system.

At the same time, the team also conducted quantitative experiments on face recognition accuracy, storage overhead, and computing overhead.

As a result, the face recognition accuracy of the scheme is basically the same as that of the baseline (Arcface), and it has the lowest storage overhead and better time overhead, as shown in the following table:


△ The performance of different solutions in terms of face recognition utility

Note: ● indicates good defense against attacks; ◐ indicates poor protection against attacks; ○ indicates that the scheme is unable to defend against attacks. Yellow squares indicate defects, such as a loss of more than 3% accuracy compared to the baseline (Arcface) or poor protection. Red squares indicate critical defects, such as a loss of more than 5% accuracy compared to the baseline (Arcface) or no protection.

Summary and outlook

To sum up, it can be seen that FaceObfuscator has the following three advantages:

This solution can be widely used in the main demand scenarios of face recognition, such as monitoring and recognition, face payment, and access control and attendance. It serves many key industries such as security, finance, and education, helping to solve the difficult pain points in face privacy and security and making face recognition both efficient and usable.
