基于多尺度频率分解与元学习的人脸识别有目标攻击算法  

作　　者：蔡骏 黄添强[1,2] 郑翱鲲 叶锋 徐超[1,2] CAI Jun;HUANG Tianqiang;ZHENG Aokun;YE Feng;XU Chao(College of Computer and Cyber Security,Fujian Normal University,Fuzhou 350117,China;Digital Fujian Institute of Big Data Security Technology,Fuzhou 350117,China)

机构地区：[1]福建师范大学计算机与网络空间安全学院,福建福州350117 [2]数字福建大数据安全技术研究所,福建福州350117

出　　处：《网络与信息安全学报》2025年第1期129-140,共12页Chinese Journal of Network and Information Security

基　　金：国家自然科学基金(62072106);福建省科技创新平台项目(2023-P-003);福建省自然科学基金(2022J01188);福建省教育厅中青年教师教育科研项目(JAT210051);福建省自然科学基金(福建省科技厅校企合作项目)(2022J01190)。

摘　　要：随着人脸识别技术的日益普及,人们对个人隐私泄露的担忧逐渐加剧。尽管近年来一些研究尝试通过生成对抗样本来保护照片隐私,防止未经授权的人脸识别系统识别,但这类方法常因攻击成功率低和可转移性弱而受限。针对这一问题,提出了一种基于多尺度频率分解与元学习的人脸识别有目标攻击算法。首先设计了一个多尺度频率分解模块。该模块将目标人脸图像精细划分为不同频率成分的频带,进而将频率信息与空间信息相融合,从而提取目标人脸图像的完整信息。随后构建了以循环生成对抗网络(cycle-consistent generative adversarial networks,CycleGAN)作为主体、妆容转移为核心的对抗攻击算法。该算法使用源人脸图像生成高质量的妆容,在这一过程中,新增的元学习攻击模块负责计算损失函数并更新参数。元学习攻击模块可以对妆容进行精细化处理,巧妙地将目标人脸的特征融入妆容中,以生成具有强大对抗性的妆容图像,从而实现对特定目标的有目标攻击。元学习攻击模块解决了以往针对白盒模型集成攻击时因过拟合而出现的泛化问题,使得生成的对抗样本具有更强的攻击性和泛化能力。通过对不同攻击策略的实验效果进行分析,该研究发现多尺度频率分解与元学习相结合的方法能大幅提高攻击人脸识别系统的成功率和鲁棒性。As the prevalence of facial recognition technology continued to grow,concerns about personal privacy breaches were also gradually intensifying.Despite recent studies attempting to safeguard photo privacy by generat‐ing adversarial examples to prevent unauthorized facial recognition systems from identifying individuals,these methods were often constrained by low attack success rates and weak transferability.To address this issue,a facial recognition targeted attack algorithm based on multiscale frequency decomposition and meta-learning was pro‐posed.This algorithm initially devised a multiscale frequency decomposition module that meticulously partitioned the target facial image into frequency bands comprising distinct components.This module integrated frequency in‐formation with spatial information,thereby enabling the extraction of comprehensive information from the target fa‐cial image.Subsequently,a cycle-consistent generative adversarial networks(CycleGAN)-based adversarial attack algorithm with makeup transfer as its core was constructed.This algorithm employed a source facial image to gen‐erate high-quality makeup.During this process,a meta-learning attack module was introduced to calculate the loss function and update parameters.The meta-learning attack module enabled precise makeup processing,by which the target face's features were embedded into the makeup to create adversarial makeup images.This enabled the tar‐geted attacks that were the focus of this study.The meta-learning attack module addressed the overfitting and gener‐alization issues present in previous white-box model ensemble attacks,thereby enhancing the efficacy and general‐ization ability of the generated adversarial examples.The results of experimental analysis of different attack strate‐gies demonstrate that the combination of multiscale frequency decomposition and meta-learning significantly en‐hances the success rate and robustness of attacks on facial recognition systems.

关 键 词：人脸识别有目标攻击算法 多尺度频率分解 循环生成对抗网络 元学习 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]