CV, CR | May 23, 2023

DiffProtect: Generate Adversarial Examples with Diffusion Models for Facial Privacy Protection

arXiv:2305.13625v4 | 49 citations
Originality: Incremental advance
AI Analysis

This work addresses privacy concerns for social media users by enhancing adversarial attacks on facial recognition systems; it is an incremental improvement over existing methods.

The paper tackles the problem of protecting facial privacy from unauthorized recognition systems by generating adversarial examples with diffusion models, achieving significant improvements in attack success rates (e.g., 24.5% and 25.1% absolute gains on CelebA-HQ and FFHQ datasets) while maintaining better visual quality.

The increasingly pervasive facial recognition (FR) systems raise serious concerns about personal privacy, especially for billions of users who have publicly shared their photos on social media. Several attempts have been made to protect individuals from being identified by unauthorized FR systems utilizing adversarial attacks to generate encrypted face images. However, existing methods suffer from poor visual quality or low attack success rates, which limit their utility. Recently, diffusion models have achieved tremendous success in image generation. In this work, we ask: can diffusion models be used to generate adversarial examples to improve both visual quality and attack performance? We propose DiffProtect, which utilizes a diffusion autoencoder to generate semantically meaningful perturbations on FR systems. Extensive experiments demonstrate that DiffProtect produces more natural-looking encrypted images than state-of-the-art methods while achieving significantly higher attack success rates, e.g., 24.5% and 25.1% absolute improvements on the CelebA-HQ and FFHQ datasets.

Code Implementations: 1 repo