A new way to fight face recognition: hidden identity, random face transplant

Face recognition technology is now deployed at large scale, and concern about personal data privacy has grown with it. Research on protecting privacy and on evading face recognition systems has begun to appear.

One line of work tampers with the image fed to the recognition system so that it fails to detect that a face is present at all, for example the University of Toronto paper "Adversarial Attacks on Face Detectors using Neural Net based Constrained Optimization".

There are also the special glasses designed at CMU: when the wearer is captured by surveillance equipment, the system still fails to detect a face in the image, or recognizes the wearer as someone else. The glasses are not a conspicuous accessory, so they do not easily arouse suspicion. (Paper: "Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition")

A "face transplant" that hides identity

A new paper from the Norwegian University of Science and Technology, "DeepPrivacy: A Generative Adversarial Network for Face Anonymization" (arxiv.org/abs/1909.04538), approaches the problem of deceiving face recognition systems from a new and more challenging angle: anonymizing faces without changing the original data distribution. In plainer terms, the model outputs a realistic face whose pose and background match the original picture, but from which the original identity cannot be recognized at all. In other words, it "swaps in a different face".

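The proposed model, DeepPrivacy, is a conditional generative adversarial network (conditional GAN). Conditioned on the original background and sparse pose annotations, it generates a realistic anonymous face (one with a different identity). The generator is a U-Net, and the image size is expanded progressively until the final generated image is 128x128.

To avoid leaking personal information to the model, the authors designed it so that its input is the face already occluded with random noise; the model never observes any of the original facial information. To preserve generation quality and pose consistency, however, the authors still need two simple sets of image annotations: a bounding box marking the position of the face, and a sparse pose estimate (the same as in Mask R-CNN) marking 7 keypoints in total for the ears, eyes, nose and shoulders.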
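The input construction described above can be checked mechanically. The following is an added example, not code from the DeepPrivacy authors: it occludes the face box with noise and tests that the resulting generator input is identical for two different faces. The function names, the grey-scale list-of-rows image, the `seed` parameter and the sample data are all assumptions made for illustration.

```python
import random

NUM_KEYPOINTS = 7  # ears, eyes, nose, shoulders (count taken from the article)

def build_generator_input(image, bbox, keypoints, seed=None):
    """Occlude bbox (x0, y0, x1, y1; x1/y1 exclusive) with noise."""
    h, w = len(image), len(image[0])
    x0, y0, x1, y1 = bbox
    if not (0 <= x0 < x1 <= w and 0 <= y0 < y1 <= h):
        raise ValueError("bounding box outside image")
    if len(keypoints) != NUM_KEYPOINTS:
        raise ValueError("expected %d keypoints" % NUM_KEYPOINTS)
    rng = random.Random(seed)
    occluded = [row[:] for row in image]
    mask = [[0] * w for _ in range(h)]
    for y in range(y0, y1):
        for x in range(x0, x1):
            occluded[y][x] = rng.randrange(256)  # drawn without reading the pixel
            mask[y][x] = 1
    # Keypoints are scaled to [0, 1]; they describe pose, not appearance.
    scaled = [(kx / w, ky / h) for kx, ky in keypoints]
    return occluded, mask, scaled

def paste_face(background, bbox, face):
    """Constructed helper: copy a face patch into the box of a background."""
    x0, y0, x1, y1 = bbox
    img = [row[:] for row in background]
    for y in range(y0, y1):
        img[y][x0:x1] = face[y - y0]
    return img

def leaks_face_pixels(background, bbox, keypoints, face_a, face_b, seed=0):
    """True if two different faces yield different generator inputs."""
    in_a = build_generator_input(paste_face(background, bbox, face_a), bbox, keypoints, seed)
    in_b = build_generator_input(paste_face(background, bbox, face_b), bbox, keypoints, seed)
    return in_a != in_b

# Constructed sample data: 8x8 grey background, 4x4 face box, 7 keypoints.
BACKGROUND = [[100] * 8 for _ in range(8)]
BBOX = (2, 2, 6, 6)
KEYPOINTS = [(2, 3), (5, 3), (3, 3), (4, 3), (4, 4), (1, 7), (6, 7)]
FACE_A = [[10] * 4 for _ in range(4)]
FACE_B = [[240] * 4 for _ in range(4)]

if __name__ == "__main__":
    print("input depends on face pixels:",
          leaks_face_pixels(BACKGROUND, BBOX, KEYPOINTS, FACE_A, FACE_B))
```

The check covers only the pixels inside the box. Everything outside it, and the keypoints, pass through unchanged, which is the residual channel (hairline, clothing, scene) raised in the Reddit and Twitter discussion mentioned in this article.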

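According to the authors' tests, faces anonymized by their model remain nearly as recognizable as faces as those in the original images: for an ordinary face recognition model, the average accuracy of recognizing a face in the anonymized images dropped by only 0.7% in relative terms. The identity information carried by the faces, naturally, is 100% non-overlapping.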

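Comparison of face anonymization methods, from left to right: original image, the occluded input to the DeepPrivacy model, mosaic, Gaussian blur, DeepPrivacy model output

In the paper the authors also did a piece of forward-looking work: they compiled and released a new multi-pose face dataset, Flickr Diverse Faces. The dataset contains 1.47 million faces, annotated as their model's input requires with a bounding box for the face position and 7 keypoints. What makes this dataset distinctive is its diversity: it covers many different facial poses, partial occlusions, complex backgrounds, and different people.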

Some face samples from the Flickr Diverse Faces dataset

Comparison with related research

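More face anonymization results: the people in the images on the left may have been familiar, but are now hard to recognize

The generator design in this paper draws on "Progressive Growing of GANs for Improved Quality, Stability, and Variation" (arxiv.org/abs/1710.10196), which starts from low-resolution images and raises the resolution and adds detail stage by stage, ultimately achieving highly coherent image content, high stability and high diversity at the same time. That method was the first with which GANs could generate high-definition 1024x1024 images. Its authors also discussed a number of techniques for improving the GAN training process.

As some may already have realized, DeepPrivacy's task of "generating anonymous, realistic faces" is in fact very similar to image inpainting: both have the model fill a designated region of an image with entirely new content. In image inpainting, though, the content to be filled in is not only faces but all kinds of everyday objects and scenes. Image inpainting researchers have also tried completing faces; they experimented on the Celeb-A dataset, which is high-resolution, data-rich and single-pose, and the resulting models could not generate realistic faces with different, random identities.

In addition, Leiphone (雷锋网) AI Technology Review thinks it worth mentioning NVIDIA's "A Style-Based Generator Architecture for Generative Adversarial Networks" (arxiv.org/abs/1812.04948), one of the best papers of CVPR 2019 and to date the best-performing method for generating high-definition, highly diverse faces. Without question, the faces it generates are more realistic than DeepPrivacy's, and it can likewise generate random new identities, but it cannot keep the same pose and background.

Some discussion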

The authors argue that large companies may be able to escape the constraints of the EU's General Data Protection Regulation (GDPR) with this method. GDPR requires that consent be obtained from the data subject on a regular basis when personal private data is used; but when an individual cannot be identified from the data, companies do not need consent to use it. A face anonymization method like this one can therefore become a helper for "making individuals unidentifiable and thereby bypassing GDPR limits".

However, under heavy occlusion, unusual angles, or complex backgrounds, the model still generates some faulty results (the distorted faces look a little scary). Through controlled experiments the authors also show that a larger model size and the seven annotated pose keypoints help generate higher-quality images.

In discussions on Reddit and Twitter, some pointed out that changing the face alone is not enough to fully hide identity: some people (Barack Obama, for example) might be recognized from their hairline alone, and once clothing, the people around them and the scene are added, the chance of recognizing a well-known figure rises sharply. Others suggested that rather than giving each face a random identity, one might as well use DeepFake to turn every face into the same virtual face, which would equally make it impossible to determine identity from the face. (Netizens also mocked the name DeepPrivacy for being so clichéd.)



Origin blog.51cto.com/14510351/2438350