DOI: 10.5555/3620237.3620640
research-article

FACE-AUDITOR: data auditing in facial recognition systems

Published: 09 August 2023 Publication History

Abstract

Few-shot-based facial recognition systems have gained increasing attention due to their scalability and ability to work with a few face images during the model deployment phase. However, the power of facial recognition systems enables entities with moderate resources to canvass the Internet and build well-performing facial recognition models without people's awareness and consent. To prevent face images from being misused, one straightforward approach is to modify the raw face images before sharing them, which inevitably destroys the semantic information, increases the difficulty of retroactivity, and is still prone to adaptive attacks. Therefore, an auditing method that does not interfere with the facial recognition model's utility and cannot be quickly bypassed is urgently needed.
In this paper, we formulate the auditing process as a user-level membership inference problem and propose a complete toolkit, FACE-AUDITOR, that can carefully choose the probing set to query the few-shot-based facial recognition model and determine whether any of a user's face images is used in training the model. We further propose to use the similarity scores between the original face images as reference information to improve the auditing performance. Extensive experiments on multiple real-world face image datasets show that FACE-AUDITOR can achieve auditing accuracy of up to 99%. Finally, we show that FACE-AUDITOR is robust in the presence of several perturbation mechanisms applied to the training images or the target models.



Published In

SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN:978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
