CN116150778A - Method, device, electronic device and storage medium for generating face-encrypted image - Google Patents

Abstract

The disclosure provides a method, a device, an electronic device and a storage medium for generating a face encryption image, wherein the method comprises the following steps: respectively inputting the face image to be encrypted into a plurality of face recognition models, and acquiring attack gradient information generated by each face recognition model aiming at the face image to be encrypted; based on a multi-objective optimization algorithm, calculating equilibrium gradient information corresponding to a plurality of attack gradient information generated by a plurality of face recognition models; the equalization gradient information is used for meeting a plurality of optimization targets, the plurality of optimization targets are in one-to-one correspondence with a plurality of face recognition models, and each optimization target is used for maximizing the precision loss of the corresponding face recognition model; generating disturbance information corresponding to the face image to be encrypted according to the balanced gradient information; and superposing the disturbance information on the face image to be encrypted to obtain the face encrypted image. By the method, malicious recognition of a plurality of human recognition models can be better prevented, and the safety of the face encryption image is improved.

Description

Method, device, electronic device and storage medium for generating face-encrypted image

technical field

The present disclosure relates to the technical field of image processing, and in particular to a method, device, electronic equipment, and storage medium for generating a face-encrypted image.

Background technique

With the vigorous development of social media and the Internet, a large amount of personal privacy data (such as photos) is publicly shared. In particular, face images are widely used in various key applications in real life, such as face access control, face payment, face recognition door locks, etc.

At the same time, with the increasing popularity of deep neural networks, deep learning technology has greatly improved the ability of face recognition systems to process personal data, and further increased the application and attention to face images. However, as a by-product of the development of face image applications, it also increases the potential risk of personal privacy information leakage. For example, photos shared on social media (such as Twitter, Facebook, LinkedIn, etc.) may be scrambled and identified by unauthorized third parties without permission. Or, use deep face recognition technology to perform malicious and illegal detection on face images shared on the Internet.

Therefore, it is urgent to provide users with an effective method to protect their private information from excessive face information leakage and illegal face recognition behaviors by unauthorized systems.

Contents of the invention

The present disclosure provides a method, device, electronic device and storage medium for generating an encrypted face image, which are used to prevent malicious recognition of the face image by an unauthorized system.

In a first aspect, the present disclosure provides a method for generating a face encrypted image, comprising the following steps:

Input the face image to be encrypted into a plurality of face recognition models respectively, and obtain the attack gradient information generated by each face recognition model for the face image to be encrypted;

Based on a multi-objective optimization algorithm, calculate balanced gradient information corresponding to multiple attack gradient information generated by the multiple face recognition models; wherein, the balanced gradient information is used to meet multiple optimization objectives, and the multiple optimization objectives One-to-one correspondence with the plurality of face recognition models, and each optimization target is used to maximize the accuracy loss of the corresponding face recognition model;

generating perturbation information corresponding to the face image to be encrypted according to the equalized gradient information;

The perturbation information is superimposed on the face image to be encrypted to obtain an encrypted face image.

In a second aspect, the present disclosure provides a device for generating an encrypted face image, including:

The input module is suitable for inputting the face image to be encrypted into a plurality of face recognition models respectively, and obtaining the attack gradient information generated by each face recognition model for the face image to be encrypted;

The calculation module is adapted to calculate balanced gradient information corresponding to multiple attack gradient information generated by the multiple face recognition models based on a multi-objective optimization algorithm; wherein, the balanced gradient information is used to meet multiple optimization objectives, so The multiple optimization targets correspond to the multiple face recognition models one-to-one, and each optimization target is used to maximize the accuracy loss of the corresponding face recognition model;

A generation module, adapted to generate disturbance information corresponding to the face image to be encrypted according to the equalization gradient information;

The encryption module is adapted to superimpose the perturbation information on the face image to be encrypted to obtain an encrypted face image.

In a third aspect, the present disclosure provides an electronic device, which includes: at least one processor; and a memory communicated with the at least one processor; wherein, the memory stores information that can be processed by the at least one processor. One or more computer programs executed by the at least one processor, and one or more of the computer programs are executed by the at least one processor, so that the at least one processor can perform the above method.

In a fourth aspect, the present disclosure provides a computer-readable storage medium on which a computer program is stored, wherein the computer program implements the above method when executed by a processor/processing core.

In the embodiment provided by the present disclosure, the face images to be encrypted can be respectively input into multiple face recognition models, and the attack gradient information generated by each face recognition model for the face images to be encrypted can be obtained, and based on the multi-objective optimization algorithm, Calculating balanced gradient information corresponding to a plurality of attack gradient information generated by multiple face recognition models, so as to generate disturbance information for obtaining a face encrypted image according to the balanced gradient information. Since the balanced gradient information used to generate the disturbance information in this embodiment is obtained by equalizing the multiple attack gradient information generated by multiple face recognition models for the face image to be encrypted according to the multi-objective optimization algorithm, the balanced Gradient information can better prevent malicious recognition of multiple face recognition models and improve the security of face encrypted images.

It should be understood that what is described in this section is not intended to identify key or important features of the embodiments of the present disclosure, nor is it intended to limit the scope of the present disclosure. Other features of the present disclosure will be readily understood through the following description.

Description of drawings

The accompanying drawings are used to provide a further understanding of the present disclosure, and constitute a part of the specification, and are used together with the embodiments of the present disclosure to explain the present disclosure, and do not constitute a limitation to the present disclosure. The above and other features and advantages will become more apparent to those skilled in the art by describing detailed example embodiments with reference to the accompanying drawings, in which:

FIG. 1 is a flow chart of a method for generating a face encryption image provided by an embodiment of the present disclosure;

FIG. 2 is a flow chart of a method for generating a face encrypted image provided by another embodiment of the present disclosure;

Fig. 3 shows a schematic flow diagram of an iterative-based face encryption technology in a related art;

FIG. 4 shows a schematic diagram of an application scenario of a face encryption technology based on balanced awareness against attacks provided by a specific example;

FIG. 5 is a block diagram of a device for generating a face encrypted image provided by an embodiment of the present disclosure;

Fig. 6 is a block diagram of an electronic device provided by an embodiment of the present disclosure.

Detailed ways

In order for those skilled in the art to better understand the technical solution of the present disclosure, the exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and they should be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.

In the case of no conflict, various embodiments of the present disclosure and various features in the embodiments can be combined with each other.

As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.

The terminology used herein is for describing particular embodiments only and is not intended to limit the present disclosure. As used herein, the singular forms "a" and "the" are intended to include the plural forms as well, unless the context clearly dictates otherwise. It will also be understood that when the terms "comprising" and/or "consisting of" are used in this specification, the stated features, integers, steps, operations, elements and/or components are specified to be present but not excluded to be present or Add one or more other features, integers, steps, operations, elements, components and/or groups thereof. Words such as "connected" or "connected" are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will also be understood that terms such as those defined in commonly used dictionaries should be interpreted as having meanings consistent with their meanings in the context of the relevant art and the present disclosure, and will not be interpreted as having idealized or excessive formal meanings, Unless expressly so limited herein.

The method for generating a face encrypted image according to an embodiment of the present disclosure may be performed by an electronic device such as a terminal device or a server, and the terminal device may be a vehicle-mounted device, a user equipment (User Equipment, UE), a mobile device, a user terminal, a terminal, a cell phone , cordless phones, personal digital assistants (Personal Digital Assistant, PDA), handheld devices, computing devices, vehicle-mounted devices, wearable devices, etc.; the server can be an independent physical server, or a server cluster composed of multiple physical servers Or a distributed system, or a cloud server that provides cloud computing services. Specifically, the method may be realized by calling a computer program stored in a memory by a processor.

In related technologies, image encryption processing is usually performed in a fuzzy-based manner. For example, traditional obfuscation techniques, such as blurring, pixelation, darkening, and occlusion, etc., enable images to avoid malicious identification by performing obfuscation processing on images. However, the encryption effect of the above method is not ideal enough. For this reason, this application proposes a method of calculating balanced gradient information based on a multi-objective optimization algorithm. With the help of a multi-objective optimization algorithm, the recognition characteristics of multiple face recognition models are fully considered, and the security of the finally generated face encryption image is further considered. more secure.

FIG. 1 is a flow chart of a method for generating a face encrypted image provided by an embodiment of the present disclosure. Referring to Figure 1, the method includes:

Step S110: Input the face image to be encrypted into multiple face recognition models respectively, and acquire attack gradient information generated by each face recognition model for the face image to be encrypted.

Among them, multiple face recognition models are used to realize the function of face recognition operation, but the model types and/or model parameters of each model are different from each other. In this embodiment, in order to improve the security of the face encryption image, the same face image to be encrypted is input into multiple face recognition models, and each face recognition model is obtained for the face image to be encrypted. Generated attack gradient information.

Wherein, the attack gradient information generated by each face recognition model for the face image to be encrypted is obtained in the following manner: input the face image to be encrypted into the face recognition model, and obtain the The image recognition result generated by the face image is backpropagated to the face recognition model through the backpropagation method, and the face recognition model calculates the attack gradient corresponding to the face image to be encrypted based on the image recognition result information. Wherein, the attack gradient information is used to represent how the face image information to be encrypted should be changed so that the changed image information is significantly different from the original image information, so that the changed image information cannot be accurately identified. In short, the attack gradient information is obtained according to the image recognition result of the face image to be encrypted by the face recognition model. Since there is usually a difference between the image recognition result and the real result of the face image, by analyzing the characteristics of the difference, it can be determined what changes should be performed on the face image so that the face image after the change is significantly different from the face image before the change. face images. The attack gradient information is used to represent what changes should be performed on the face image.

Since different face recognition models have different model types and model parameters, the image recognition results obtained by each face recognition model for the same face image to be encrypted are also different. Correspondingly, each face recognition The attack gradient information produced by the models also varies. Wherein, the attack gradient information may be represented in various forms such as vector form or matrix form, and this embodiment does not limit the specific form of the attack gradient information.

Step S120: Based on the multi-objective optimization algorithm, calculate balanced gradient information corresponding to multiple attack gradient information generated by multiple face recognition models; wherein, the balanced gradient information is used to meet multiple optimization objectives, and multiple optimization objectives are related to multiple people. The face recognition models are in one-to-one correspondence, and each optimization objective is used to maximize the accuracy loss of the corresponding face recognition model.

The balanced gradient information is the gradient information obtained after multi-objective optimization processing is performed on multiple attack gradient information generated by multiple face recognition models, and is used to represent the result of equalization for multiple attack gradients. In this embodiment, multiple face recognition models are used as multiple optimization targets, and each optimization target is used to maximize the loss of accuracy of the face recognition model corresponding to the optimization target. In other words, this embodiment formulates corresponding optimization goals for each face recognition model, and through the optimization goals corresponding to the face recognition model, the face recognition model can recognize the encrypted face obtained by equalizing the gradient information. The loss of accuracy is greatest when it comes to images.

Since this embodiment formulates corresponding optimization goals according to each face recognition model, and thus calculates the balanced gradient information based on the multi-objective optimization algorithm, the finally obtained balanced gradient information can realize the defense function for multiple face recognition models at the same time . In short, this embodiment fully considers the differences between multiple face recognition models, so that multiple face recognition models are studied as a single individual to ensure that the final balanced gradient information can take into account the differences between the various face recognition models. difference, so that the face encryption image finally obtained based on the balanced gradient information can resist the malicious attack of each face recognition model.

Step S130: Generate perturbation information corresponding to the face image to be encrypted according to the equalization gradient information.

Specifically, a preset calculation is performed on the face image to be encrypted and the equalization gradient information, and disturbance information corresponding to the face image to be encrypted is obtained according to the calculation result. Since the attack gradient information corresponding to each face recognition model is used to represent how the face image information to be encrypted should be changed so that the changed image information cannot be accurately recognized by the face recognition model, therefore, the equalization gradient information is used In order to represent how the face image information to be encrypted should be changed, the changed image information cannot be accurately recognized by any face recognition model among the plurality of face recognition models.

It can be seen that since the balanced gradient information obtained by the multi-objective optimization algorithm can comprehensively consider the characteristics of each face recognition model, the disturbance information obtained based on the balanced gradient information has a strong anti-attack ability.

Step S140: Superimpose the perturbation information on the face image to be encrypted to obtain an encrypted face image.

Specifically, the disturbance information is superimposed on the face image to be encrypted, and the face image superimposed with the disturbance information is used as the final encrypted face image. The encrypted face image can resist the attacks of multiple face recognition models.

In the embodiment provided by the present disclosure, the face images to be encrypted can be respectively input into multiple face recognition models, and the attack gradient information generated by each face recognition model for the face images to be encrypted can be obtained, and based on the multi-objective optimization algorithm, Calculating balanced gradient information corresponding to a plurality of attack gradient information generated by multiple face recognition models, so as to generate disturbance information for obtaining a face encrypted image according to the balanced gradient information. Since the balanced gradient information used to generate the disturbance information in this embodiment is obtained by equalizing the multiple attack gradient information generated by multiple face recognition models for the face image to be encrypted according to the multi-objective optimization algorithm, the balanced Gradient information can better prevent malicious recognition of multiple human recognition models and improve the security of face encrypted images.

Fig. 2 is a flow chart of a method for generating a face encrypted image provided by another embodiment of the present disclosure. Referring to Figure 2, the method includes:

Step S210: Obtain the face image to be encrypted, and perform preprocessing on the face image to be encrypted.

Specifically, preprocessing is performed on the face image to be encrypted, so that the features of the preprocessed face image are more prominent, so as to improve the security of the finally obtained encrypted face image. Wherein, the preprocessing includes at least one of the following: format conversion processing, size adjustment processing, and feature region extraction processing. Among them, the format conversion process is used to perform format conversion on the face image to be encrypted; the size adjustment process is used to perform cropping and other processing on the face image to change the size of the face image; the feature region extraction process is used to extract the face image The face area contained in to remove the background area.

The present invention does not limit the specific implementation of the preprocessing, as long as the purpose of enhancing the facial features in the image can be achieved.

Step S220: Input the preprocessed face image into multiple face recognition models respectively, and acquire attack gradient information generated by each face recognition model for the face image to be encrypted.

Among them, multiple face recognition models are used to realize the function of face recognition, but the model types and/or model parameters of each model are different. In this embodiment, in order to improve the security of the encrypted face image, multiple face recognition models with different model types are selected in advance, so as to ensure that the finally obtained encrypted face image can resist the attacks of multiple types of models. Correspondingly, the same face image to be encrypted is input into multiple face recognition models, and the attack gradient information generated by each face recognition model for the face image to be encrypted is obtained.

Wherein, the attack gradient information generated by each face recognition model for the face image to be encrypted is obtained in the following manner: input the face image to be encrypted into the face recognition model, and obtain the The image recognition result generated by the face image is backpropagated to the face recognition model through the backpropagation method, and the face recognition model calculates the attack gradient corresponding to the face image to be encrypted based on the image recognition result information. Wherein, the attack gradient information is used to represent how the face image information to be encrypted should be changed so that the changed image information is significantly different from the original image information, so that the changed image information cannot be accurately identified. In short, the attack gradient information is obtained according to the image recognition result of the face image to be encrypted by the face recognition model. Since there is usually a difference between the image recognition result and the real result of the face image, by analyzing the characteristics of the difference, it can be determined what changes should be performed on the face image so that the face image after the change is significantly different from the face image before the change. face images. The attack gradient information is used to represent what changes should be performed on the face image.

Since different face recognition models have different model types and model parameters, the image recognition results obtained by each face recognition model for the same face image to be encrypted are also different. Correspondingly, each face recognition The attack gradient information produced by the models also varies. In this embodiment, the attack gradient information is specifically an attack gradient vector.

Step S230: Based on the multi-objective optimization algorithm, for each face recognition model, generate an accuracy loss function corresponding to the face recognition model; the candidate gradient information that can make the accuracy loss value of each face recognition model consistent and the largest Determined as the equalization gradient information.

The balanced gradient information is the gradient information obtained after multi-objective optimization processing is performed on multiple attack gradient information generated by multiple face recognition models, and is used to represent the result of equalization for multiple attack gradients. In this embodiment, multiple face recognition models are used as multiple optimization targets, and each optimization target is used to maximize the loss of accuracy of the face recognition model corresponding to the optimization target. In other words, this embodiment formulates corresponding optimization goals for each face recognition model, and through the optimization goals corresponding to the face recognition model, the face recognition model can recognize the encrypted face obtained by equalizing the gradient information. The loss of accuracy is greatest when it comes to images.

First, based on the multi-objective optimization algorithm, for each face recognition model, an accuracy loss function corresponding to the face recognition model is generated. Wherein, the accuracy loss function corresponding to each face recognition model is used to characterize the correlation between the accuracy loss value of the face recognition model, candidate gradient information, and attack gradient information generated by the corresponding face recognition model. For example, assuming that there are k face recognition models, the precision loss function corresponding to the i-th face recognition model is y _i =f*g*g _i . Among them, i is not less than 1 and i is not greater than k, f is a preset constant or variable, g is candidate gradient information, g _i is the attack gradient vector generated by the i-th face recognition model, and y _i is the i-th face recognition After the model is subjected to the adversarial attack of the face encryption image obtained from the candidate gradient information g, the decrease of the model recognition accuracy. Then, the candidate gradient information that can make the precision loss value of each face recognition model consistent and the largest is determined as the balanced gradient information. It can be seen that, in this embodiment, the core of the multi-objective optimization algorithm is that it is necessary to determine the optimal value of the candidate gradient information g, so that the accuracy loss function y of each face recognition model calculated from the candidate gradient information g The function value of _i is the same and the largest. In other words, if the final generated face encryption image is subjected to adversarial attacks on each face recognition model, the accuracy of each face recognition model is reduced by the same amount and the amount of decline is the largest, then the face encryption image is considered to have the strongest adversarial ability . Therefore, in this scenario, it is only necessary to find the largest g value that can make the values of y ₁ , y ₂ , y _{3 .} . . y _k equal.

Wherein, since the attack gradient information generated by each face recognition model for the face image to be encrypted is an attack gradient vector in this embodiment, the candidate gradient information is a candidate gradient vector for generating disturbance information. Specifically, the inventor found in the process of implementing the present invention that the candidate gradient information that can make the precision loss value of each face recognition model consistent and the largest meets the following conditions: the candidate gradient vector and the attack gradient vector generated by each face recognition model The vector angles between are equal and the angle value of the vector angle is the smallest. The specific reason is that, through formula derivation, it can be seen that y _i is positively correlated with the cosine value between g and g _i , and the specific derivation process will be described in the following specific examples. In order to make the cosine values equal and maximum, it is necessary to make the vector angle between the candidate gradient vector and the attack gradient vector generated by each face recognition model equal and the angle value of the vector angle be the smallest.

In order to facilitate the calculation of the above equalized gradient information, firstly, a candidate gradient information set is generated; wherein, the vector angles between each candidate gradient vector contained in the candidate gradient information set and the attack gradient vector generated by each face recognition model are equal. With the help of the candidate gradient information set, the value range of the candidate gradient vectors can be narrowed, thereby reducing the amount of subsequent calculations. Then, calculate the angle value of the vector angle between each candidate gradient vector in the candidate gradient information set and the attack gradient vector generated by each face recognition model; finally, select the candidate gradient vector with the smallest angle value as the balanced gradient information .

Step S240: Generate perturbation information corresponding to the face image to be encrypted according to the equalization gradient information.

Specifically, a preset calculation is performed on the face image to be encrypted and the equalization gradient information, and disturbance information corresponding to the face image to be encrypted is obtained according to the calculation result. Since the attack gradient information corresponding to each face recognition model is used to represent how the face image information to be encrypted should be changed so that the changed image information cannot be accurately recognized by the face recognition model, therefore, the equalization gradient information is used In order to represent how the face image information to be encrypted should be changed, the changed image information cannot be accurately recognized by any face recognition model among the plurality of face recognition models. It can be seen that since the balanced gradient information obtained by the multi-objective optimization algorithm can comprehensively consider the characteristics of each face recognition model, the disturbance information obtained based on the balanced gradient information has a strong anti-attack ability.

Step S250: Superimpose the perturbation information on the face image to be encrypted to obtain a candidate encrypted image.

Specifically, the disturbance information is superimposed on the face image to be encrypted, and the face image superimposed with the disturbance information is used as a candidate encrypted image.

Step S260: Determine whether the candidate encrypted image meets the preset encryption condition.

Wherein, the preset encryption condition includes: the candidate encrypted image has undergone a preset number of iterative processing; or, the preset recognition model fails to recognize the candidate encrypted image.

For example, assuming that the preset encryption condition is that the candidate encrypted image has undergone N iterations of processing, then in this step, it is judged whether the number of iterations that the candidate encrypted image is currently in is N, and if not, it means that the candidate encrypted image does not meet the predetermined requirements. Set encryption conditions. For another example, assuming that the preset encryption condition is that the recognition result of the candidate encrypted image by the preset recognition model fails, the candidate encrypted image needs to be input into the preset recognition model, and the judgment is made according to the recognition result of the preset recognition model. Among them, the preset recognition model is used to realize the face recognition function. If the recognition result of the preset recognition model is failure, it means that the anti-attack capability of the candidate encrypted image meets the business requirements; otherwise, if the recognition result of the preset recognition model is If it succeeds, it means that the anti-attack capability of the candidate encrypted image does not meet the business requirements.

Step S270: If not, determine the candidate encrypted image as a new face image to be encrypted, repeat the above-mentioned input of the face image to be encrypted into multiple face recognition models, and obtain The step of attacking the gradient information generated by the face image and the subsequent steps until the obtained candidate encrypted image meets the preset encryption condition.

Step S280: If yes, use the candidate encrypted image meeting the preset encryption condition as the face encrypted image.

Among them, the face encrypted image is used to resist the attack of multiple attack models, and the model types of the multiple attack models are different. Since the balanced gradient vector in this embodiment fully considers the attack characteristics of each type of face recognition model during the generation process, the finally obtained face encrypted image can cope with attacks of various types of attack models.

To sum up, in the embodiments provided by the present disclosure, the face images to be encrypted can be respectively input into multiple face recognition models, and the attack gradient information generated by each face recognition model for the face images to be encrypted can be obtained, and based on multiple The target optimization algorithm calculates balanced gradient information corresponding to multiple attack gradient information generated by multiple face recognition models, so as to generate disturbance information for obtaining a face encrypted image according to the balanced gradient information. Since the balanced gradient information used to generate the disturbance information in this embodiment is obtained by equalizing the multiple attack gradient information generated by multiple face recognition models for the face image to be encrypted according to the multi-objective optimization algorithm, the balanced Gradient information can better prevent malicious recognition of multiple human recognition models and improve the security of face encrypted images. Moreover, through multiple iterative processing processes, the security of the finally obtained face encrypted image can be significantly improved.

In order to facilitate understanding, a specific example is taken as an example below to introduce the specific implementation details of the method for generating a face encryption image provided by this embodiment in detail:

In related technologies, by superimposing imperceptible adversarial perturbation on the original image, the perturbed image can avoid being recognized by the face system. Furthermore, adversarial perturbations often exhibit transferability across neural network models, where perturbed examples generated on one model can also mislead other models. Therefore, the image output by generating adversarial perturbation can be mistakenly identified as other specific identities by the unknown black-box face recognition model, thereby preventing the face image from being abused by illegal information and causing privacy security issues.

Migration-based face encryption technology uses the algorithm of white-box attack to find the required anti-perturbation, so that the anti-perturbation can be superimposed on the protected face image, and the face image can be protected according to the migration of the anti-sample. Protect from the risk of misuse of unknown facial recognition models. Although white-box attack algorithms exhibit good attack performance, they are prone to overfitting surrogate models and yield weak transferability in black-box attack settings.

In order to improve the transferability of adversarial examples, adversarial transferability can be compared to generalization, thereby introducing advanced gradient optimization techniques or input transformation techniques. On the one hand, for advanced gradient optimization techniques, first proposed by Dong et al. to augment adversarial attacks with momentum. Recently, Lin et al. introduced the Nesterov accelerated gradient method into gradient-based attacks to effectively look ahead and avoid overfitting. Wang et al. reduce the variance of the gradient at each iteration to stabilize the update direction. On the other hand, for input transformation techniques, Xie et al. proposed Differential Input Method (DIM), which utilizes random resizing and padding to create different input patterns to generate adversarial examples. Dong et al. propose a translation invariant method (TIM), which optimizes perturbations on a set of translation images. Lin et al. discovered the scale-variant property of deep learning models and proposed a scale-invariant method (SIM) that optimizes adversarial perturbations on scaled copies of input images. Wang et al. propose blending, which computes gradients on the input image and blends with a fraction of each plugin image to make more transferable adversaries. Optionally, by integrating these two types of migration-enhancing methods into a PGD-based migration black-box attack method, a widely used iterative-based face encryption technique is proposed by integrating the attack method.

Fig. 3 shows a schematic flow chart of an iterative-based face encryption technology in the related art. As shown in Figure 3, for any given face image X, in the first step, a random input transformation is performed on the face image X (such as random image size transformation, random padding of white edges, and random image scale transformation, etc.), to obtain the transformed face image X'. In the second step, the randomly transformed images are passed into multiple face recognition models, and the attack gradient is calculated. In the third step, advanced gradient method optimizations are performed on the attack gradient (e.g. augmenting adversarial attacks with momentum, or stabilizing update directions with variance of gradients). In the fourth step, it is judged whether it is necessary to stop the iteration of the adversarial perturbation graph.

However, the method shown in Figure 3 has at least the following defects: this method compares the anti-transferability to generalization, thus introducing a mature method for improving generalization. However, with the continuous development of technology in the direction of generalization, it has reached Saturation, resulting in a bottleneck in the improvement of mobility, which makes the iterative face encryption technology only a conceptual idea, which is difficult to be widely used in real life.

To this end, a new idea is urgently needed to further improve the resistance to migration, so that the iterative face encryption technology can be truly applied to real life. The inventor found in the process of realizing the present invention that: the above method neglects the in-depth research on multi-model integration attacks. For multi-model integration attacks, on the one hand, it is believed that it helps to find a better local maximum, which is easier to apply to other black-box models; on the other hand, it is believed that balanced attacks can help alleviate the problem of over-fitting proxy models . For example, in the related art shown in Fig. 3, the ensemble model of the attack is constructed by averaging the outputs of all the models. However, the above approach ignores an important point, that is, in each iteration, more balanced attack directions for multiple models can have better transferability. In this regard, this example proposes a face encryption method based on balanced awareness against attacks. In order to make the iterative-based face encryption technology widely used in real life, this example focuses on solving the bottleneck problem of improving the migration of related technologies. In the process of implementing the present invention, the inventors found that: one adversarial example maintains a balanced attack effect on multiple models, which is beneficial to the transferability of the adversarial example. According to the bias-variance decomposition theory of generalization error, if an adversarial example maintains the same attack capability for each proxy model (that is, the variance is zero), then it naturally has better transferability for an unknown black-box model.

Typically, the multi-model ensemble attack approach shown in Figure 3 simply averages and fuses the outputs of all models. However, simple unified fusion cannot achieve balanced treatment of multiple models. In addition, the inventors discovered for the first time that: compared with the two-by-two orthogonality between multiple classification models, there is a more complex relationship between multiple face recognition models. Table 1 and Table 2 respectively show the measure values of the cosine similarity of gradients between multiple classification models and multiple face recognition models.

Table 1

Table 1 shows the cosine similarity of gradients between pairs of 8 different classification models.

Table 2

Table 2 shows the cosine similarity of gradients between pairs of 8 different face recognition models. It can be seen that the table shows the cosine similarity of the gradient of the sampled photos on different models, where Table 1 is the visualization result of multiple classification models, and Table 2 is the visualization effect of multiple deep face recognition models. By comparing Table 1 and Table 2, it can be seen that compared with classification models, any two face recognition models have a more complex relationship. When the relationship between multiple face recognition models is more complicated, the The method of simply taking the average of the attack gradients of multiple models cannot effectively defend against the attacks of multiple complex models. Therefore, this example proposes an adversarial attack method based on balanced awareness.

This example mainly focuses on the calculation method of the equalization gradient information in the above-mentioned embodiment in detail:

Compared with previous studies, this example treats the multi-model integration attack problem as a multi-objective optimization problem. Therefore, the following will discuss the control of the sub-optimization problem on the balance attack from the perspective of multi-objective optimization, and give the sub-optimization problem. form. Specifically, this example defines the following optimization problem formulation:

st D(x,x _adv )≤ε

Among them, J _i (x _adv )∈R is a continuous function to evaluate the attack of the adversarial example against the model F _i , and the loss function Loss(F _i (x _adv ),x _targeter ) is usually selected. D(x,x _adv ) is a continuous function, which mainly measures the amount of disturbance in the sample. Usually, the L _p norm is selected, that is, ||x _adv -x|| _p , and ε is the maximum disturbance distance.

是最终的下降方向，/>

是目标函数J_i(x_adv)在x_n上计算的梯度，α是迭代步长。Then, the impact of the relationship between the gradient of each target and the final orientation on the target is discussed from the perspective of multiple targets. Assuming n iterations of adversarial examples at x _n ,

is the final descending direction, />

is the gradient of the objective function J _i (x _adv ) calculated on x _n , and α is the iteration step size.

表示第n次迭代过程中，第i个人脸识别模型针对待加密的人脸图像产生的攻击梯度信息；

Indicates the attack gradient information generated by the ith face recognition model for the face image to be encrypted during the nth iteration;

表示第n次迭代过程中，第k个人脸识别模型针对待加密的人脸图像产生的攻击梯度信息；

Indicates the attack gradient information generated by the kth face recognition model for the face image to be encrypted during the nth iteration;

表示第n次迭代过程中，基于多目标优化算法得到的与多个人脸识别模型产生

Indicates that in the nth iteration process, based on the multi-objective optimization algorithm and multiple face recognition models

The equalization gradient information corresponding to multiple attack gradient information.

Among them, when the step size α is small enough, the equivalent transformation based on the first-order linear approximation is as follows:

构建的扰动信息(即对抗样本)后的识别精度下降量。▽J_k(xn)表示第k个人脸识别模型所对应的精度损失函数，用于表征第k个人脸识别模型在受到由/>

构建的扰动信息(即对抗样本)后的识别精度下降量。Among them, ▽J ₁ (xn) represents the accuracy loss function corresponding to the first face recognition model, which is used to represent the

The amount of reduction in recognition accuracy after the constructed perturbation information (that is, adversarial examples). ▽J _k (xn) represents the accuracy loss function corresponding to the kth face recognition model, which is used to characterize the

The amount of reduction in recognition accuracy after the constructed perturbation information (that is, adversarial examples).

构建的扰动信息的安全性，需要使▽J₁(xn)、▽J₂(xn)…▽J_k(xn)相等且最大，从而实现均衡攻击。根据上述公式可知，为了使候选梯度信息的最佳数值/>

能够使根据由候选梯度信息g计算得到的每个人脸识别模型的精度损失函数的函数值尽量相同且最大，需要使/>

与/>

的余弦值最大，为此，本示例将这一思想转化为解决以下优化问题:In order to enhance by

The security of the constructed disturbance information needs to make ▽J ₁ (xn), ▽J ₂ (xn)...▽J _k (xn) equal and maximum, so as to achieve a balanced attack. According to the above formula, in order to make the optimal value of the candidate gradient information />

To make the function value of the accuracy loss function of each face recognition model calculated from the candidate gradient information g the same as possible and the largest, it is necessary to use />

with />

The cosine of , for which this example translates this idea into solving the following optimization problem:

argmin _g ||g|| ₂

st{g|argmin _g ||Gg-e|| ₂ ,e=(1,…,1) ^T },

为雅可比矩阵，k为模型个数，N为图像维数。然而在实际中，由于图像空间维度特别大导致上述优化问题求解存在严重的耗时问题。为了解决耗时问题，本示例结合多个人脸识别模型之间的关系矩阵等价简化了上述模型，定义如下：in

is the Jacobian matrix, k is the number of models, and N is the image dimension. However, in practice, due to the extremely large dimension of the image space, there is a serious time-consuming problem in solving the above optimization problem. In order to solve the time-consuming problem, this example simplifies the above model by combining the relationship matrix between multiple face recognition models, which is defined as follows:

argmin _w ||Aw-e|| ₂

e=(1,...,1) ^T

为模型之间的关系，A是根据多模型图转换得到的关系矩阵，最终下降方向/>

等于/>

其中/>

是上述优化问题的解。对于该子优化问题的求解思路为：/>

其中A^*是A的Moore-Penrose广义逆矩阵。in,

is the relationship between the models, A is the relationship matrix converted from the multi-model graph, and the final direction of descent />

equal to />

where />

is the solution to the above optimization problem. The solution to this sub-optimization problem is: />

where A ^* is the Moore-Penrose generalized inverse matrix of A.

Theoretically, the equilibrium-awareness-based attack method proposed in this example can be used with various gradient-based iterative attack strategies currently in use. FIG. 4 is a schematic diagram of an application scenario of a face encryption technology based on balanced awareness against attacks provided in this example. As shown in Figure 4, the main components of this application scenario include: a face image acquisition device and a face encryption device, wherein the face encryption device communicates with the application server through a network connection. Among them, the image acquisition device can collect both static images and dynamic videos. Correspondingly, the face encryption device can encrypt both static images and dynamic videos.

Specifically, the image acquisition device collects the user image to be processed in pixel format, performs preprocessing such as format conversion, user face area recognition, and face cropping on the user image according to a preset method, and obtains a user face image of a fixed size ; Then use the method based on balanced awareness against attack to generate the adversarial perturbation (that is, perturbation information) of the processed face image, and superimpose the adversarial perturbation with the original image to obtain an adversarial example, that is, a face encrypted image; finally, the The face encrypted image is uploaded to the required actual application server.

In an optional implementation, the image acquisition device acquires the user video to be processed in a pixel format, and performs preprocessing such as format conversion, user face area recognition, and face cropping on frame-by-frame images of the user video in a preset manner. , to obtain a fixed-size user face picture set; then use the balanced consciousness adversarial attack method to generate the adversarial perturbation of the processed face picture, and superimpose the adversarial perturbation on the original image to obtain an adversarial example, that is, a face-encrypted video; Finally, upload the frame-by-frame face-encrypted video to the required actual application server.

Based on the above application scenarios, the specific process of the face encryption method based on balanced awareness against attack in this example is described in detail. The method specifically includes the following steps:

Step 1, acquiring the image of the user to be processed; wherein, the image of the user includes the face image of the user to be processed.

Further, the image of the user to be processed may be the whole body image of the user, the upper body image of the user to be processed, or the head image of the user to be processed, which is not specifically limited in this specification.

Step 2: Perform preprocessing on the user's face image to be processed according to a preset method to obtain a processed user's face target image.

Step 3: Perform iterative attack processing on the face image according to the user's face image to be processed and the balanced consciousness-based adversarial attack algorithm, and obtain the transferable adversarial disturbance of the user image to be processed.

In summary, by generating the adversarial perturbation image of the user’s face image to be processed in pixel format based on the balanced consciousness adversarial attack algorithm, the user’s face to be processed with the adversarial perturbation added becomes an adversarial sample of the face recognition algorithm, which can This makes the face recognition algorithm of unknown applications misclassified, thereby protecting the user's private information. Therefore, even if the photo with the user's identity information is stolen by the attacker, the attacker cannot use the commonly used face recognition algorithm to identify the user's face information, thereby effectively ensuring the security of the user's private information and avoiding user privacy. Information leakage and illegal misuse of face recognition technology.

In short, this example based on balanced consciousness adversarial attack method improves adversarial migration from a new perspective, breaking the bottleneck of the existing iterative face encryption technology. Among them, the disturbance information generated by the balanced consciousness confrontation attack method has strong mobility, which can cause misclassification effects in widely unknown face recognition models, but it is difficult for the human eye to see the changes in the picture. Compared with the existing iterative-based face encryption technology, the adversarial perturbation generated by the balanced awareness adversarial attack method has better transferability. In the face of more complex real-world application environments, the unknown face recognition model has the effect of misrecognition. In this way, a better privacy protection effect can be achieved, and risks such as user property and the like caused by leakage of the user's private information are avoided.

In a word, in a related technology, after obtaining multiple attack gradient information generated by multiple face recognition models, the multiple attack gradient information is directly averaged to obtain the average gradient information, and then the average gradient information is used to generate disturbance information. In the calculation method of averaging multiple attack gradient information, multiple face recognition models are considered as a whole, and only the attack capability of the overall model composed of multiple face recognition models is considered. The essential defects of this method are: The characteristics of multiple face recognition models are not considered. In the case of large differences between multiple face recognition models, if the attack characteristics of each face recognition model are not considered, it is impossible to accurately respond to the attack of each model. . However, in this embodiment, the multi-model integration attack problem is converted into a multi-objective optimization problem. Each optimization problem is used to maximize the decrease in the recognition accuracy of the corresponding face recognition model. Through the multi-objective optimization problem, it is possible to comprehensively consider the The attack characteristics of each face recognition model, so as to accurately respond to the attack of each model.

It can be understood that the above-mentioned method embodiments mentioned in this disclosure can all be combined with each other to form a combined embodiment without violating the principle and logic. Due to space limitations, this disclosure will not repeat them. Those skilled in the art can understand that, in the above method in the specific implementation manner, the specific execution order of each step should be determined according to its function and possible internal logic.

In addition, the present disclosure also provides a generating device for an encrypted face image, electronic equipment, and a computer-readable storage medium, all of which can be used to implement any method for generating an encrypted face image provided in the present disclosure, corresponding technical solutions, descriptions and Refer to the corresponding records in the method section, and details will not be repeated.

Fig. 5 is a block diagram of an apparatus for generating an encrypted face image provided by an embodiment of the present disclosure.

Referring to FIG. 5 , an embodiment of the present disclosure provides a generating device 50 of an encrypted face image, which includes:

The input module 51 is adapted to input the face images to be encrypted into a plurality of face recognition models respectively, and obtain attack gradient information generated by each face recognition model for the face images to be encrypted;

The calculation module 52 is adapted to calculate balanced gradient information corresponding to multiple attack gradient information generated by the multiple face recognition models based on a multi-objective optimization algorithm; wherein the balanced gradient information is used to meet multiple optimization objectives, The multiple optimization targets correspond to the multiple face recognition models one by one, and each optimization target is used to maximize the accuracy loss of the corresponding face recognition model;

The generation module 53 is adapted to generate disturbance information corresponding to the face image to be encrypted according to the equalization gradient information;

The encryption module 54 is adapted to superimpose the perturbation information on the face image to be encrypted to obtain an encrypted face image.

Optionally, the calculation module 52 is specifically adapted to:

Based on the multi-objective optimization algorithm, for each face recognition model, an accuracy loss function corresponding to each face recognition model is generated; wherein, the accuracy loss function corresponding to each face recognition model is used to characterize each face recognition model The association relationship between the accuracy loss value of the candidate gradient information and the attack gradient information generated by each face recognition model;

The candidate gradient information that makes the accuracy loss values of each face recognition model consistent and the largest is determined as the balanced gradient information.

Optionally, the attack gradient information generated by each face recognition model for the face image to be encrypted is an attack gradient vector, and the candidate gradient information is a candidate gradient vector used to generate the disturbance information.

Optionally, the accuracy loss value of each face recognition model is consistent and the maximum candidate gradient information satisfies the following condition: the vector angle between the candidate gradient vector and the attack gradient vector generated by each face recognition model is equal And the angle value of the angle between the vectors is the smallest;

And, the calculation module 52 is specifically adapted to:

Generate a candidate gradient information set; wherein, the vector angle between each candidate gradient vector contained in the candidate gradient information set and the attack gradient vector generated by each face recognition model is equal;

Calculate the angle value of the vector angle between each candidate gradient vector in the candidate gradient information set and the attack gradient vector generated by each face recognition model;

The candidate gradient vector with the smallest angle value is selected as the equalization gradient information.

Optionally, the input module 51 is specifically adapted to:

Carry out pre-processing for the face image to be encrypted, and input the pre-processed face image into a plurality of face recognition models respectively;

Wherein, the preprocessing includes at least one of the following: format conversion processing, size adjustment processing, and feature region extraction processing.

Optionally, the encryption module 54 is specifically adapted to:

superimposing the perturbation information on the face image to be encrypted to obtain a candidate encrypted image;

judging whether the candidate encrypted image meets a preset encryption condition;

If not, the candidate encrypted image is determined to be a new face image to be encrypted, and the described input of the face image to be encrypted into a plurality of face recognition models is repeated, and each face recognition model is obtained for the described face image to be encrypted. The steps of the attack gradient information generated by the face image and subsequent steps until the obtained candidate encryption image meets the preset encryption conditions;

If so, use the candidate encrypted image meeting the preset encryption condition as the face encrypted image.

Optionally, the preset encryption condition includes: the candidate encrypted image has undergone a preset number of iterative processing; or, the preset recognition model fails to recognize the candidate encrypted image.

Optionally, the model types of the plurality of face recognition models are different; and, the face encrypted image is used to resist attacks of a plurality of attack models, and the model types of the plurality of attack models are different.

In the embodiment provided by the present disclosure, the face images to be encrypted can be respectively input into multiple face recognition models, and the attack gradient information generated by each face recognition model for the face images to be encrypted can be obtained, and based on the multi-objective optimization algorithm, Calculating balanced gradient information corresponding to a plurality of attack gradient information generated by multiple face recognition models, so as to generate disturbance information for obtaining a face encrypted image according to the balanced gradient information. Since the balanced gradient information used to generate the disturbance information in this embodiment is obtained by equalizing the multiple attack gradient information generated by multiple face recognition models for the face image to be encrypted according to the multi-objective optimization algorithm, the balanced Gradient information can better prevent malicious recognition of multiple face recognition models and improve the security of face encrypted images.

Fig. 6 is a block diagram of an electronic device provided by an embodiment of the present disclosure.

Referring to FIG. 6 , an embodiment of the present disclosure provides an electronic device, which includes: at least one processor 501; at least one memory 502, and one or more I/O interfaces 503 connected between the processor 501 and the memory 502 Among them; wherein, the memory 502 stores one or more computer programs that can be executed by at least one processor 501, and the one or more computer programs are executed by at least one processor 501 to generate the above-mentioned face encryption image.

An embodiment of the present disclosure also provides a computer-readable storage medium on which a computer program is stored, wherein the computer program implements the above data migration method when executed by a processor/processing core. Computer readable storage media may be volatile or nonvolatile computer readable storage media.

An embodiment of the present disclosure also provides a computer program product, including computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are stored in a processor of an electronic device When running in the electronic device, the processor in the electronic device executes the above data migration method.

Those of ordinary skill in the art can understand that all or some of the steps in the methods disclosed above, the functional modules/units in the system, and the device can be implemented as software, firmware, hardware, and an appropriate combination thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be composed of several physical components. Components cooperate to execute. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit . Such software may be distributed on computer readable storage media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).

As known to those of ordinary skill in the art, the term computer storage media includes both volatile and nonvolatile media implemented in any method or technology for storage of information, such as computer readable program instructions, data structures, program modules, or other data. volatile, removable and non-removable media. Computer storage media include, but are not limited to, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM), static random access memory (SRAM), flash memory or other memory technologies, portable Compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disk storage, magnetic cartridge, magnetic tape, magnetic disk storage or other magnetic storage device, or any other device that can be used to store desired information and can be accessed by a computer any other medium. In addition, as is well known to those of ordinary skill in the art, communication media typically embodies computer-readable program instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium.

Computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or downloaded to an external computer or external storage device over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or a network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in each computing/processing device .

Computer program instructions for performing the operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state setting data, or Source or object code written in any combination, including object-oriented programming languages—such as Smalltalk, C++, etc., and conventional procedural programming languages—such as the “C” language or similar programming languages. Computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server implement. In cases involving a remote computer, the remote computer can be connected to the user computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (such as via the Internet using an Internet service provider). connect). In some embodiments, an electronic circuit, such as a programmable logic circuit, field programmable gate array (FPGA), or programmable logic array (PLA), can be customized by utilizing state information of computer-readable program instructions, which can Various aspects of the present disclosure are implemented by executing computer readable program instructions.

The computer program products described here can be specifically realized by means of hardware, software or a combination thereof. In an optional embodiment, the computer program product is embodied as a computer storage medium. In another optional embodiment, the computer program product is embodied as a software product, such as a software development kit (Software Development Kit, SDK), etc. .

Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It should be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine such that when executed by the processor of the computer or other programmable data processing apparatus , producing an apparatus for realizing the functions/actions specified in one or more blocks in the flowchart and/or block diagram. These computer-readable program instructions can also be stored in a computer-readable storage medium, and these instructions cause computers, programmable data processing devices and/or other devices to work in a specific way, so that the computer-readable medium storing instructions includes An article of manufacture comprising instructions for implementing various aspects of the functions/acts specified in one or more blocks in flowcharts and/or block diagrams.

It is also possible to load computer-readable program instructions into a computer, other programmable data processing device, or other equipment, so that a series of operational steps are performed on the computer, other programmable data processing device, or other equipment to produce a computer-implemented process , so that instructions executed on computers, other programmable data processing devices, or other devices implement the functions/actions specified in one or more blocks in the flowcharts and/or block diagrams.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a portion of a program segment, or an instruction that includes one or more Executable instructions. In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved. It should also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by a dedicated hardware-based system that performs the specified function or action , or may be implemented by a combination of dedicated hardware and computer instructions.

Example embodiments have been disclosed herein, and while specific terms have been employed, they are used and should be construed in a generic descriptive sense only and not for purposes of limitation. In some instances, it will be apparent to those skilled in the art that features, characteristics and/or elements described in connection with a particular embodiment may be used alone, or may be described in combination with other embodiments, unless explicitly stated otherwise. Combinations of features and/or elements. Accordingly, it will be understood by those of ordinary skill in the art that various changes in form and details may be made without departing from the scope of the present disclosure as set forth in the appended claims.

Claims (11)

1. A generation method of a face encryption image, characterized in that, comprising: Input the face image to be encrypted into a plurality of face recognition models respectively, and obtain the attack gradient information generated by each face recognition model for the face image to be encrypted; Based on a multi-objective optimization algorithm, calculate balanced gradient information corresponding to multiple attack gradient information generated by the multiple face recognition models; wherein, the balanced gradient information is used to meet multiple optimization objectives, and the multiple optimization objectives One-to-one correspondence with the plurality of face recognition models, and each optimization target is used to maximize the accuracy loss of the corresponding face recognition model; generating perturbation information corresponding to the face image to be encrypted according to the equalized gradient information; The perturbation information is superimposed on the face image to be encrypted to obtain an encrypted face image. 2. The method according to claim 1, wherein the multi-objective optimization algorithm is used to calculate balanced gradient information corresponding to a plurality of attack gradient information produced by the plurality of face recognition models, comprising: Based on the multi-objective optimization algorithm, for each face recognition model, an accuracy loss function corresponding to each face recognition model is generated; wherein, the accuracy loss function corresponding to each face recognition model is used to characterize the corresponding person The relationship between the accuracy loss value of the face recognition model and the candidate gradient information and the attack gradient information generated by the corresponding face recognition model; The candidate gradient information that makes the accuracy loss values of each face recognition model consistent and the largest is determined as the balanced gradient information. 3. The method according to claim 2, wherein the attack gradient information produced by each of the face recognition models for the face image to be encrypted is an attack gradient vector, and the candidate gradient information is used for A candidate gradient vector of the perturbation information is generated. 4. method according to claim 3, is characterized in that, the described precision loss value that makes each face recognition model is consistent and maximum candidate gradient information satisfies the following condition: described candidate gradient vector and each face recognition model produce The vector angles between the attack gradient vectors are equal and the angle value of the vector angles is the smallest; And, the described will make the accuracy loss value of each face recognition model consistent and the maximum candidate gradient information is determined as the balanced gradient information, including: Generate a candidate gradient information set; wherein, the vector angle between each candidate gradient vector contained in the candidate gradient information set and the attack gradient vector generated by each face recognition model is equal; Calculate the angle value of the vector angle between each candidate gradient vector in the candidate gradient information set and the attack gradient vector generated by each face recognition model; The candidate gradient vector with the smallest angle value is selected as the equalized gradient information. 5. according to the arbitrary described method of claim 1-4, it is characterized in that, described inputting the face image to be encrypted respectively into a plurality of face recognition models, comprising: Carry out pre-processing for the face image to be encrypted, and input the pre-processed face image into a plurality of face recognition models respectively; Wherein, the preprocessing includes at least one of the following: format conversion processing, size adjustment processing, and feature region extraction processing. 6. The method according to any one of claims 1-4, wherein said superimposing said perturbation information on said face image to be encrypted to obtain an encrypted face image comprises: superimposing the perturbation information on the face image to be encrypted to obtain a candidate encrypted image; judging whether the candidate encrypted image meets a preset encryption condition; If not, then determine the candidate encrypted image as a new face image to be encrypted, repeat the process of inputting the face image to be encrypted into a plurality of face recognition models respectively, and obtain each face recognition model for the face image to be encrypted. Steps of attack gradient information generated from encrypted face images and subsequent steps; If yes, the candidate encrypted image meeting the preset encryption condition is used as the face encrypted image. 7. The method according to claim 6, wherein the preset encryption condition comprises: the candidate encrypted image has undergone a preset number of iterative processing procedures; or, a preset recognition model is used for the candidate encrypted image The recognition result of Failed. 8. The method according to claim 1, wherein the model types of the multiple face recognition models are different; and the encrypted image of the face is used to resist the attack of multiple attack models, and the The model types vary across multiple attack models. 9. A generating device for face encryption image, characterized in that, comprising: The input module is suitable for inputting the face image to be encrypted into a plurality of face recognition models respectively, and obtaining the attack gradient information generated by each face recognition model for the face image to be encrypted; The calculation module is adapted to calculate balanced gradient information corresponding to multiple attack gradient information generated by the multiple face recognition models based on a multi-objective optimization algorithm; wherein, the balanced gradient information is used to meet multiple optimization objectives, so The multiple optimization targets correspond to the multiple face recognition models one-to-one, and each optimization target is used to maximize the accuracy loss of the corresponding face recognition model; A generation module, adapted to generate disturbance information corresponding to the face image to be encrypted according to the equalization gradient information; The encryption module is adapted to superimpose the perturbation information on the face image to be encrypted to obtain an encrypted face image. 10. An electronic device, characterized in that it comprises: at least one processor; and a memory communicatively coupled to the at least one processor; wherein, The memory stores one or more computer programs executable by the at least one processor, and the one or more computer programs are executed by the at least one processor to enable the at least one processor to perform The method according to any one of claims 1-8. 11. A computer-readable storage medium, on which a computer program is stored, wherein the computer program implements the method according to any one of claims 1-8 when executed by a processor.

Images