Personalized Face Privacy Protection From a Single Image

Fatih Ilhan; Ling Liu; Margaret Loper; Selim Tekin; Sihao Hu; Tiansheng Huang; Yichang Xu; Zachary Yahn

arxiv: 2605.19032 · v1 · pith:YC6P5XGXnew · submitted 2026-05-18 · 💻 cs.CV

Personalized Face Privacy Protection From a Single Image

Zachary Yahn , Fatih Ilhan , Tiansheng Huang , Selim Tekin , Sihao Hu , Yichang Xu , Margaret Loper , Ling Liu This is my paper

Pith reviewed 2026-05-20 10:56 UTC · model grok-4.3

classification 💻 cs.CV

keywords face privacyadversarial perturbationfacial recognition protectionsingle-image synthesisidentity embedding shiftuniversal maskprivacy cloakingsynthetic face generation

0 comments

The pith

FaceCloak generates a personalized privacy mask from one face image that shifts identity embeddings and defeats facial recognition across models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents FaceCloak as a system that produces defensive, identity-specific face privacy masks from only a single user photo. It first creates a small set of high-variety synthetic face images, then applies iterative perturbations focused on identity-leaking regions to move the embedding toward a distant anchor identity. The result is a lightweight pixel-wise mask that applies to any real photo of the person while preserving visual quality. Experiments across three face datasets and ten recognition models show it outperforms 29 prior methods.

Core claim

FaceCloak uses a three-stage personalized face perturbation learning process: generating synthetic face images from one input, learning cloaking via iterative perturbation on that small set to shift embeddings away from the true identity, and outputting a universal pixel-wise mask that protects any image of the user.

What carries the argument

Iterative perturbation generation over synthetic images that shifts a user's identity embedding toward a distant anchor identity while avoiding a similar one.

Load-bearing premise

The small set of synthetic faces created from one real image is diverse enough for the learned perturbations to generalize to unseen real photos and unseen recognition models.

What would settle it

Apply the produced mask to a fresh collection of real photos of the same people taken in varied lighting and poses, then measure recognition accuracy on ten previously unused models; if accuracy stays high, the claim fails.

Figures

Figures reproduced from arXiv: 2605.19032 by Fatih Ilhan, Ling Liu, Margaret Loper, Selim Tekin, Sihao Hu, Tiansheng Huang, Yichang Xu, Zachary Yahn.

**Figure 1.** Figure 1: Overview of FACECLOAK with three progressive stages for face privacy protection: synthetic facial image generation, defensive face cloak optimization, and face-based identity protection. A user only needs to supply a single face image of themselves and will receive an identity-specific face privacy mask that can be rapidly added to any of their face images prior to online release. embeddings to generate pr… view at source ↗

**Figure 2.** Figure 2: Visual examples of High-Pass Mask, Region-Sticker, and Learnable [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Visual quality comparison with state of the art identity-specific [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗

**Figure 4.** Figure 4: Visual quality comparison with state of the art image-specific [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗

**Figure 5.** Figure 5: Perceptual quality and protection success rate tradeoff for eight real [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗

**Figure 6.** Figure 6: Robustness of FACECLOAK perturbations under common image transformations. Performance calculated on Privacy-Commons images with an ArcFace surrogate model. evaluated on other models maintain their robustness under common image transformations. FACECLOAK’s robustness to post-processing varies by transfer model and transformation. For example, perturbations show greater relative resistance to blurring for Co… view at source ↗

read the original abstract

Photos of faces uploaded online are vulnerable to malicious actors who can scrape facial images from online sources and intrude on personal privacy via unauthorized use of facial recognition models. This paper presents FaceCloak, a novel personalized face privacy protection system, which can generate defensive identity-specific universal face privacy masks from a single image of a user, causing facial recognition to fail. FaceCloak introduces a three-stage personalized face perturbation learning methodology: (1) It generates a small set of high-variety synthetic face images of a person based on a single image of the person. (2) It learns face cloaking by adding more protection to key facial-identity leakage regions through iterative perturbation generation over the small set of synthetic images, effectively shifting a user's identity embedding towards a distant anchor identity and away from a similar one. (3) It generates a personalized identity-protective mask in the form of pixel-wise cloaking, which is light-weight and can be efficiently applied to any facial image of a user while maintaining good perceptual quality. Extensive experiments on three popular face datasets across ten recognition models show the effectiveness of FaceCloak compared to 29 other existing representative methods. Code is available at https://github.com/zacharyyahn/FaceCloak

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

FaceCloak gives a workable single-photo pipeline for reusable privacy masks that beats many baselines on standard tests, but the synthetic-to-real generalization step rests on an assumption that needs direct checking.

read the letter

FaceCloak takes one photo and outputs a pixel-wise mask that can be added to any other image of the same person to push face recognition embeddings away from the true identity. It does this in three steps: generate a small batch of varied synthetic faces from the input, run iterative perturbations focused on identity-leaking regions to move the embedding toward a distant anchor, and convert the result into a lightweight mask that preserves visual quality.

Referee Report

2 major / 2 minor

Summary. The manuscript presents FaceCloak, a personalized face privacy protection system that generates identity-specific universal masks from a single user image via a three-stage pipeline: (1) synthesis of a small set of high-variety face images, (2) iterative perturbation learning that shifts the identity embedding toward a distant anchor and away from a similar one, and (3) production of a lightweight pixel-wise cloaking mask. The authors report that the resulting masks cause facial recognition to fail and outperform 29 prior methods across three face datasets and ten recognition models, with public code release.

Significance. If the generalization claim holds, the work would provide a practical single-image defense against unauthorized facial recognition scraping, which is a timely contribution to privacy research in computer vision. The broad experimental scope across datasets and models plus the public code release at https://github.com/zacharyyahn/FaceCloak are clear strengths that support reproducibility and further study.

major comments (2)

[Section 3.1] Section 3.1 (synthetic face image generation): the central claim that a mask learned on the small synthetic set will shift embeddings on any real unseen photo of the same identity rests on the untested assumption that the synthetics adequately cover real variations in pose, illumination, expression, and age. No quantitative comparison of identity-relevant statistics between the synthetic set and real test distributions is reported, which directly affects whether the iterative perturbation stage produces a generalizable mask.
[Section 4] Section 4 (experiments): while superiority over 29 methods is asserted, the results lack reported ablations that hold the single input image fixed and systematically vary real test conditions (pose, lighting, expression) to measure attack success rate drop, as well as statistical significance tests or variance across runs. These omissions make it difficult to confirm that the reported effectiveness is robust rather than sensitive to post-hoc choices in perturbation iteration count or strength.

minor comments (2)

[Abstract] Abstract: the phrase 'causing facial recognition to fail' would be more precise if accompanied by the primary quantitative metric (e.g., attack success rate or embedding cosine distance) used to demonstrate failure.
[Section 3.2] Notation: the definitions of the 'distant anchor identity' and 'similar one' in the perturbation objective could be introduced with explicit equations or pseudocode in the methods section for clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We have prepared point-by-point responses to the major comments and will incorporate revisions to strengthen the manuscript.

read point-by-point responses

Referee: [Section 3.1] Section 3.1 (synthetic face image generation): the central claim that a mask learned on the small synthetic set will shift embeddings on any real unseen photo of the same identity rests on the untested assumption that the synthetics adequately cover real variations in pose, illumination, expression, and age. No quantitative comparison of identity-relevant statistics between the synthetic set and real test distributions is reported, which directly affects whether the iterative perturbation stage produces a generalizable mask.

Authors: We agree that an explicit quantitative comparison of identity-relevant statistics would further support the generalization claim. The synthetic generation stage employs a high-variety synthesis approach specifically intended to introduce diversity in pose, illumination, expression, and related factors from the single input image. Generalization is evidenced by the mask's consistent performance when applied to real, unseen images drawn from standard face datasets that naturally contain such variations. In the revised manuscript we will add a quantitative analysis (e.g., embedding variance or distribution similarity metrics) comparing the synthetic set to the real test distributions. revision: yes
Referee: [Section 4] Section 4 (experiments): while superiority over 29 methods is asserted, the results lack reported ablations that hold the single input image fixed and systematically vary real test conditions (pose, lighting, expression) to measure attack success rate drop, as well as statistical significance tests or variance across runs. These omissions make it difficult to confirm that the reported effectiveness is robust rather than sensitive to post-hoc choices in perturbation iteration count or strength.

Authors: We acknowledge the value of additional targeted ablations and statistical reporting. Our existing evaluation already fixes the single input image per identity and tests across three datasets and ten models that collectively span diverse real-world conditions. To address the concern directly, the revised version will include new ablations that systematically vary pose, lighting, and expression on held-out real images while keeping the input fixed, together with standard deviations across runs and appropriate significance tests. The iteration count and perturbation strength were selected via internal validation; we will clarify this selection process and its robustness in the revision. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical pipeline validated on external benchmarks

full rationale

The paper describes a three-stage empirical methodology that generates synthetic faces from one input image, performs iterative perturbation to shift embeddings, and produces a pixel-wise mask. Effectiveness is demonstrated via experiments on three independent face datasets and ten recognition models, outperforming 29 baselines. No equations, fitted parameters, or self-citations are shown to reduce the claimed protection or generalization to a quantity defined by the result itself. The synthetic-to-real step is an assumption about representativeness rather than a definitional or fitted-input reduction, so the derivation chain remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The central claim rests on the effectiveness of synthetic image generation for identity preservation and the transferability of embedding shifts learned on that set.

free parameters (1)

perturbation iteration count and strength
Controls how far the identity embedding is shifted during stage 2.

axioms (1)

domain assumption Synthetic faces generated from one real image retain sufficient identity signal for learning generalizable cloaking perturbations.
Invoked in stage 1 and 2 to justify using the synthetic set as proxy for real data.

pith-pipeline@v0.9.0 · 5772 in / 1238 out tokens · 43193 ms · 2026-05-20T10:56:16.802469+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

optimize δk over the set of synthetic user images Sk to achieve facial privacy protection

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

62 extracted references · 62 canonical work pages · 10 internal anchors

[1]

Facial recognition in the united states: Privacy concerns and legal developments,

AISOnline, “Facial recognition in the united states: Privacy concerns and legal developments,” 2021. [Online]. Available: https: //www.asisonline.org/security-management-magazine/monthly-issues/ security-technology/archive/2021/december/facial-recognition-in-the-us

work page 2021
[2]

Facial recognition and identity risk,

Equifax, “Facial recognition and identity risk,”

work page
[3]

Available: https://www.equifax.co.uk/resources/ identity-protection/facial-recognition-and-identity-risk.html

[Online]. Available: https://www.equifax.co.uk/resources/ identity-protection/facial-recognition-and-identity-risk.html

work page
[4]

The secret company that might end privacy as we know it,

T. N. Y . Times, “The secret company that might end privacy as we know it,” 2021. [Online]. Available: https://www.nytimes.com/2020/01/ 18/technology/clearview-privacy-facial-recognition.html

work page 2021
[5]

Pimeyes,

PimEyes, “Pimeyes,” 2025. [Online]. Available: https://pimeyes.com/en

work page 2025
[6]

Clearview ai,

C. AI, “Clearview ai,” 2025. [Online]. Available: https://www.clearview. ai/

work page 2025
[7]

Arcface: Additive angular margin loss for deep face recognition,

J. Deng, J. Guo, and S. Zafeiriou, “Arcface: Additive angular margin loss for deep face recognition,”CoRR, vol. abs/1801.07698, 2018. [Online]. Available: http://arxiv.org/abs/1801.07698

work page arXiv 2018
[8]

CosFace: Large Margin Cosine Loss for Deep Face Recognition

H. Wang, Y . Wang, Z. Zhou, X. Ji, D. Gong, J. Zhou, Z. Li, and W. Liu, “Cosface: Large margin cosine loss for deep face recognition,”arXiv preprint arXiv:1801.09414, 2018

work page internal anchor Pith review Pith/arXiv arXiv 2018
[9]

MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications

A. G. Howard, M. Zhu, B. Chen, D. Kalenichenko, W. Wang, T. Weyand, M. Andreetto, and H. Adam, “Mobilenets: Efficient convo- lutional neural networks for mobile vision applications,”arXiv preprint arXiv:1704.04861, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[10]

Sface: Sigmoid-constrained hypersphere loss for robust face recognition,

Y . Zhong, W. Deng, J. Hu, D. Zhao, X. Li, and D. Wen, “Sface: Sigmoid-constrained hypersphere loss for robust face recognition,”IEEE Transactions on Image Processing, vol. 30, pp. 2587–2598, 2021

work page 2021
[11]

Fawkes: Protecting personal privacy against unauthorized deep learning models,

S. Shan, E. Wenger, J. Zhang, H. Li, H. Zheng, and B. Y . Zhao, “Fawkes: Protecting personal privacy against unauthorized deep learning models,” inProc. of USENIX Security, 2020

work page 2020
[12]

Lowkey: Leveraging adversarial attacks to protect social media users from facial recognition,

V . Cherepanova, M. Goldblum, H. Foley, S. Duan, J. Dickerson, G. Taylor, and T. Goldstein, “Lowkey: Leveraging adversarial attacks to protect social media users from facial recognition,”arXiv preprint arXiv:2101.07922, 2021

work page arXiv 2021
[13]

Sok: Anti- facial recognition technology,

E. Wenger, S. Shan, H. Zheng, and B. Y . Zhao, “Sok: Anti- facial recognition technology,”2023 IEEE Symposium on Security and Privacy (SP), pp. 864–881, 2021. [Online]. Available: https: //api.semanticscholar.org/CorpusID:245005742

work page 2023
[14]

Face-off: Adversarial face obfuscation,

V . Chandrasekaran, C. Gao, B. Tang, K. Fawaz, S. Jha, and S. Banerjee, “Face-off: Adversarial face obfuscation,”arXiv preprint arXiv:2003.08861, 2020

work page arXiv 2003
[15]

Protecting facial privacy: Generating adversarial identity masks via style-robust makeup transfer,

S. Hu, X. Liu, Y . Zhang, M. Li, L. Y . Zhang, H. Jin, and L. Wu, “Protecting facial privacy: Generating adversarial identity masks via style-robust makeup transfer,”2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 14 994–15 003,

work page 2022
[16]

Available: https://api.semanticscholar.org/CorpusID: 247291928

[Online]. Available: https://api.semanticscholar.org/CorpusID: 247291928

work page
[17]

Diffam: Diffusion- based adversarial makeup transfer for facial privacy protection,

Y . Sun, L. Yu, H. Xie, J. Li, and Y . Zhang, “Diffam: Diffusion- based adversarial makeup transfer for facial privacy protection,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), June 2024, pp. 24 584–24 594

work page 2024
[18]

Sd4privacy: Exploiting stable diffusion for protecting facial privacy,

J. An, W. Zhang, D. Wu, Z. Lin, J. Gu, and W. Wang, “Sd4privacy: Exploiting stable diffusion for protecting facial privacy,”2024 IEEE International Conference on Multimedia and Expo (ICME), pp. 1– 6, 2024. [Online]. Available: https://api.semanticscholar.org/CorpusID: 273021715

work page 2024
[19]

Clip2protect: Protecting facial privacy using text-guided makeup via adversarial latent search,

F. Shamshad, M. Naseer, and K. Nandakumar, “Clip2protect: Protecting facial privacy using text-guided makeup via adversarial latent search,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023, pp. 20 595–20 605. 9

work page 2023
[20]

Opom: Customized invisible cloak towards face privacy protection,

Y . Zhong and W. Deng, “Opom: Customized invisible cloak towards face privacy protection,”IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022

work page 2022
[21]

Foggysight: A scheme for facial lookup privacy,

I. Evtimov, P. Sturmfels, and T. Kohno, “Foggysight: A scheme for facial lookup privacy,”arXiv preprint arXiv:2012.08588, 2020

work page arXiv 2012
[22]

Towards face encryption by generating adversarial identity masks,

X. Yang, Y . Dong, T. Pang, H. Su, J. Zhu, Y . Chen, and H. W. Xue, “Towards face encryption by generating adversarial identity masks,”2021 IEEE/CVF International Conference on Computer Vision (ICCV), pp. 3877–3887, 2020. [Online]. Available: https: //api.semanticscholar.org/CorpusID:237108370

work page 2021
[23]

Adv-makeup: A new imperceptible and transferable attack on face recognition,

B. Yin, W. Wang, T. Yao, J. Guo, Z. Kong, S. Ding, J. Li, and C. Liu, “Adv-makeup: A new imperceptible and transferable attack on face recognition,”arXiv preprint arXiv:2105.03162, 2021

work page arXiv 2021
[24]

Generative adversarial networks,

I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y . Bengio, “Generative adversarial networks,” Advances in Neural Information Processing Systems, vol. 3, 06 2014

work page 2014
[25]

Denoising Diffusion Probabilistic Models

J. Ho, A. Jain, and P. Abbeel, “Denoising diffusion probabilistic models,”ArXiv, vol. abs/2006.11239, 2020. [Online]. Available: https://api.semanticscholar.org/CorpusID:219955663

work page internal anchor Pith review Pith/arXiv arXiv 2006
[26]

Learning transferable visual models from natural language supervision,

A. Radford, J. W. Kim, C. Hallacy, A. Ramesh, G. Goh, S. Agarwal, G. Sastry, A. Askell, P. Mishkin, J. Clark, G. Krueger, and I. Sutskever, “Learning transferable visual models from natural language supervision,” inInternational Conference on Machine Learning,

work page
[27]

Available: https://api.semanticscholar.org/CorpusID: 231591445

[Online]. Available: https://api.semanticscholar.org/CorpusID: 231591445

work page
[28]

Advfaces: Adversarial face synthesis,

D. Deb, J. Zhang, and A. K. Jain, “Advfaces: Adversarial face synthesis,” 2020 IEEE International Joint Conference on Biometrics (IJCB), pp. 1– 10, 2019. [Online]. Available: https://api.semanticscholar.org/CorpusID: 199577709

work page 2020
[29]

High-resolution image synthesis with latent diffusion models,

R. Rombach, A. Blattmann, D. Lorenz, P. Esser, and B. Ommer, “High-resolution image synthesis with latent diffusion models,” 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 10 674–10 685, 2021. [Online]. Available: https://api.semanticscholar.org/CorpusID:245335280

work page 2022
[30]

Adv-cpg: A customized portrait generation framework with facial adversarial attacks,

J. Wang, H. Zhang, and Y . Yuan, “Adv-cpg: A customized portrait generation framework with facial adversarial attacks,”2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 21 001–21 010, 2025. [Online]. Available: https://api.semanticscholar. org/CorpusID:276929020

work page 2025
[31]

Advcloak: Customized adversarial cloak for privacy protection,

X. Liu, Y . Zhong, X. Cui, Y . Zhang, P. Li, and W. Deng, “Advcloak: Customized adversarial cloak for privacy protection,”arXiv preprint arXiv:2312.14407, 2023

work page arXiv 2023
[32]

Personalized privacy protection mask against unauthorized facial recognition,

K.-H. Chow, S. Hu, T. Huang, and L. Liu, “Personalized privacy protection mask against unauthorized facial recognition,” inEuropean Conference on Computer Vision, 2024

work page 2024
[33]

Tailor-made face privacy protection via class-wise targeted universal adversarial pertur- bations,

Y . Zhang, Z. Yang, T. Wang, Z. Hua, and J. Weng, “Tailor-made face privacy protection via class-wise targeted universal adversarial pertur- bations,”IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 5, pp. 5108–5120, 2025

work page 2025
[34]

Arc2face: A foundation model for id-consistent human faces,

F. P. Papantoniou, A. Lattas, S. Moschoglou, J. Deng, B. Kainz, and S. Zafeiriou, “Arc2face: A foundation model for id-consistent human faces,”arXiv preprint arXiv:2403.11641, 2024

work page arXiv 2024
[35]

Joint face detection and alignment using multitask cascaded convolutional networks,

K. Zhang, Z. Zhang, Z. Li, and Y . Qiao, “Joint face detection and alignment using multitask cascaded convolutional networks,”IEEE Signal Processing Letters, vol. 23, no. 10, pp. 1499–1503, 2016

work page 2016
[36]

Masked face recognition challenge: The insightface track report,

J. Deng, J. Guo, X. An, Z. Zhu, and S. Zafeiriou, “Masked face recognition challenge: The insightface track report,”arXiv preprint arXiv:2108.08191, 2021

work page arXiv 2021
[37]

Generalizable Data-free Objective for Crafting Universal Adversarial Perturbations

K. R. Mopuri, A. Ganeshan, and R. V . Babu, “Generalizable data- free objective for crafting universal adversarial perturbations,” inarXiv preprint arXiv: 1801.08092, 2018

work page internal anchor Pith review Pith/arXiv arXiv 2018
[38]

Generative adversarial perturbations,

O. Poursaeed, I. Katsman, B. Gao, and S. Belongie, “Generative adversarial perturbations,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018, pp. 4422–4431

work page 2018
[39]

Towards Deep Learning Models Resistant to Adversarial Attacks

A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,”arXiv preprint arXiv:1706.06083, 2019

work page internal anchor Pith review Pith/arXiv arXiv 2019
[40]

Level playing field for million scale face recognition,

A. Nech and I. Kemelmacher-Shlizerman, “Level playing field for million scale face recognition,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2017

work page 2017
[41]

MS-Celeb-1M: A Dataset and Benchmark for Large-Scale Face Recognition

Y . Guo, L. Zhang, Y . Hu, X. He, and J. Gao, “Ms-celeb-1m: A dataset and benchmark for large-scale face recognition,”arXiv preprint arXiv:1607.08221, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016
[42]

Labeled faces in the wild: A database forstudying face recognition in unconstrained environments,

G. Huang, M. Mattar, T. Berg, and E. Learned-Miller, “Labeled faces in the wild: A database forstudying face recognition in unconstrained environments,”Tech. rep., 10 2008

work page 2008
[43]

Deep learning face attributes in the wild,

Z. Liu, P. Luo, X. Wang, and X. Tang, “Deep learning face attributes in the wild,” inProceedings of International Conference on Computer Vision (ICCV), December 2015

work page 2015
[44]

Transferable adversarial facial images for privacy protection,

M. Li, J. Wang, H. Zhang, Z. Zhou, S. shou Hu, and X. Pei, “Transferable adversarial facial images for privacy protection,” Proceedings of the 32nd ACM International Conference on Multimedia,

work page
[45]

Available: https://api.semanticscholar.org/CorpusID: 271709384

[Online]. Available: https://api.semanticscholar.org/CorpusID: 271709384

work page
[46]

Squeeze-and-Excitation Networks

J. Hu, L. Shen, S. Albanie, G. Sun, and E. Wu, “Squeeze-and-excitation networks,”arXiv preprint arXiv:1709.01507, 2019

work page internal anchor Pith review Pith/arXiv arXiv 2019
[47]

Inception-v4, Inception-ResNet and the Impact of Residual Connections on Learning

C. Szegedy, S. Ioffe, V . Vanhoucke, and A. Alemi, “Inception-v4, inception-resnet and the impact of residual connections on learning,” arXiv preprint arXiv:1602.07261, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016
[48]

Facenet: A unified embed- ding for face recognition and clustering,

F. Schroff, D. Kalenichenko, and J. Philbin, “Facenet: A unified embed- ding for face recognition and clustering,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015, pp. 815– 823

work page 2015
[49]

MobileFaceNets: Efficient CNNs for Accurate Real-Time Face Verification on Mobile Devices

S. Chen, Y . Liu, X. Gao, and Z. Han, “Mobilefacenets: Efficient cnns for accurate real-time face verification on mobile devices,” 2018. [Online]. Available: https://arxiv.org/abs/1804.07573

work page internal anchor Pith review Pith/arXiv arXiv 2018
[50]

Explaining and Harnessing Adversarial Examples

I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,”CoRR, vol. abs/1412.6572, 2014. [Online]. Available: https://api.semanticscholar.org/CorpusID:6706414

work page internal anchor Pith review Pith/arXiv arXiv 2014
[51]

Boosting adversarial attacks with momentum,

Y . Dong, F. Liao, T. Pang, H. Su, J. Zhu, X. Hu, and J. Li, “Boosting adversarial attacks with momentum,”2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 9185–9193, 2017. [Online]. Available: https://api.semanticscholar.org/CorpusID:4119221

work page 2018
[52]

Evading defenses to transferable adversarial examples by translation-invariant attacks,

Y . Dong, T. Pang, H. Su, and J. Zhu, “Evading defenses to transferable adversarial examples by translation-invariant attacks,” 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 4307–4316, 2019. [Online]. Available: https://api.semanticscholar.org/CorpusID:102350868

work page 2019
[53]

Advhat: Real-world adversarial attack on arcface face id system,

S. A. Komkov and A. Petiushko, “Advhat: Real-world adversarial attack on arcface face id system,”2020 25th International Conference on Pattern Recognition (ICPR), pp. 819–826, 2019. [Online]. Available: https://api.semanticscholar.org/CorpusID:201645162

work page 2020
[54]

Makeup-guided facial privacy protection via untrained neural network priors,

F. Shamshad, M. Naseer, and K. Nandakumar, “Makeup-guided facial privacy protection via untrained neural network priors,” inECCV Work- shops, 2025, pp. 227–246

work page 2025
[55]

Diffprotect: Generate adversarial examples with diffusion models for facial privacy protection,

J. Liu, C. P. Lau, and R. Chellappa, “Diffprotect: Generate adversarial examples with diffusion models for facial privacy protection,”ArXiv, vol. abs/2305.13625, 2023. [Online]. Available: https://api.semanticscholar.org/CorpusID:258841845

work page arXiv 2023
[56]

Dip-watermark: A double identity protection method based on robust adversarial watermark,

Y . Zhang, D. Ye, C. Xie, S. Shen, Z. Liu, J. Deng, and L. Tang, “Dip-watermark: A double identity protection method based on robust adversarial watermark,” 2024. [Online]. Available: https://arxiv.org/abs/2404.14693

work page arXiv 2024
[57]

Adv-diffusion: imperceptible adversarial face identity attack via latent diffusion model,

D. Liu, X. Wang, C. Peng, N. Wang, R. Hu, and X. Gao, “Adv-diffusion: imperceptible adversarial face identity attack via latent diffusion model,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 38, no. 4, 2024, pp. 3585–3593

work page 2024
[58]

The unreasonable effectiveness of deep features as a perceptual metric,

R. Zhang, P. Isola, A. A. Efros, E. Shechtman, and O. Wang, “The unreasonable effectiveness of deep features as a perceptual metric,” in Proceedings of the IEEE conference on computer vision and pattern recognition, 2018, pp. 586–595

work page 2018
[59]

Image quality assessment: Unifying structure and texture similarity,

K. Ding, K. Ma, S. Wang, and E. P. Simoncelli, “Image quality assessment: Unifying structure and texture similarity,”IEEE transactions on pattern analysis and machine intelligence, vol. 44, no. 5, pp. 2567– 2581, 2020

work page 2020
[60]

Dreamsim: Learning new dimensions of human visual similarity using synthetic data.arXiv preprint arXiv:2306.09344, 2023

S. Fu, N. Tamir, S. Sundaram, L. Chai, R. Zhang, T. Dekel, and P. Isola, “Dreamsim: Learning new dimensions of human visual similarity using synthetic data,”arXiv preprint arXiv:2306.09344, 2023. 10 VII. BIOGRAPHYSECTION Zachary Yahngraduated from University of Virginia with a BS in Computer Science and in Computer Engineering and from Univerity College D...

work page arXiv 2023
[61]

Tiansheng Huanggraduated from Southern University, China, with BS and MS and started his CS PhD program in the Georgia Institute of Technology since 2022

Fatih’s research interest lies in efficient AI and Machine Learning systems and algorithms, and published in IEEE and ACM journals, and top conferences, e.g., CVPR, ICDCS, NeurIPS, WWW. Tiansheng Huanggraduated from Southern University, China, with BS and MS and started his CS PhD program in the Georgia Institute of Technology since 2022. He is working on...

work page 2022
[62]

Yichang Xugraduated with BS from China Science and Technology University (Talented Class) in 2024 and joined the CS PhD program in the Georgia Institute of Technology since 2024

Sihao is working on Game AI agents and detection of Fraudulent activities in Decentralized Financial and Crypto Systems, and has published in IEEE and ACM journals, and top conferences like WWW, CVPR, NeurIPS. Yichang Xugraduated with BS from China Science and Technology University (Talented Class) in 2024 and joined the CS PhD program in the Georgia Inst...

work page 2024

[1] [1]

Facial recognition in the united states: Privacy concerns and legal developments,

AISOnline, “Facial recognition in the united states: Privacy concerns and legal developments,” 2021. [Online]. Available: https: //www.asisonline.org/security-management-magazine/monthly-issues/ security-technology/archive/2021/december/facial-recognition-in-the-us

work page 2021

[2] [2]

Facial recognition and identity risk,

Equifax, “Facial recognition and identity risk,”

work page

[3] [3]

Available: https://www.equifax.co.uk/resources/ identity-protection/facial-recognition-and-identity-risk.html

[Online]. Available: https://www.equifax.co.uk/resources/ identity-protection/facial-recognition-and-identity-risk.html

work page

[4] [4]

The secret company that might end privacy as we know it,

T. N. Y . Times, “The secret company that might end privacy as we know it,” 2021. [Online]. Available: https://www.nytimes.com/2020/01/ 18/technology/clearview-privacy-facial-recognition.html

work page 2021

[5] [5]

Pimeyes,

PimEyes, “Pimeyes,” 2025. [Online]. Available: https://pimeyes.com/en

work page 2025

[6] [6]

Clearview ai,

C. AI, “Clearview ai,” 2025. [Online]. Available: https://www.clearview. ai/

work page 2025

[7] [7]

Arcface: Additive angular margin loss for deep face recognition,

J. Deng, J. Guo, and S. Zafeiriou, “Arcface: Additive angular margin loss for deep face recognition,”CoRR, vol. abs/1801.07698, 2018. [Online]. Available: http://arxiv.org/abs/1801.07698

work page arXiv 2018

[8] [8]

CosFace: Large Margin Cosine Loss for Deep Face Recognition

H. Wang, Y . Wang, Z. Zhou, X. Ji, D. Gong, J. Zhou, Z. Li, and W. Liu, “Cosface: Large margin cosine loss for deep face recognition,”arXiv preprint arXiv:1801.09414, 2018

work page internal anchor Pith review Pith/arXiv arXiv 2018

[9] [9]

MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications

A. G. Howard, M. Zhu, B. Chen, D. Kalenichenko, W. Wang, T. Weyand, M. Andreetto, and H. Adam, “Mobilenets: Efficient convo- lutional neural networks for mobile vision applications,”arXiv preprint arXiv:1704.04861, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017

[10] [10]

Sface: Sigmoid-constrained hypersphere loss for robust face recognition,

Y . Zhong, W. Deng, J. Hu, D. Zhao, X. Li, and D. Wen, “Sface: Sigmoid-constrained hypersphere loss for robust face recognition,”IEEE Transactions on Image Processing, vol. 30, pp. 2587–2598, 2021

work page 2021

[11] [11]

Fawkes: Protecting personal privacy against unauthorized deep learning models,

S. Shan, E. Wenger, J. Zhang, H. Li, H. Zheng, and B. Y . Zhao, “Fawkes: Protecting personal privacy against unauthorized deep learning models,” inProc. of USENIX Security, 2020

work page 2020

[12] [12]

Lowkey: Leveraging adversarial attacks to protect social media users from facial recognition,

V . Cherepanova, M. Goldblum, H. Foley, S. Duan, J. Dickerson, G. Taylor, and T. Goldstein, “Lowkey: Leveraging adversarial attacks to protect social media users from facial recognition,”arXiv preprint arXiv:2101.07922, 2021

work page arXiv 2021

[13] [13]

Sok: Anti- facial recognition technology,

E. Wenger, S. Shan, H. Zheng, and B. Y . Zhao, “Sok: Anti- facial recognition technology,”2023 IEEE Symposium on Security and Privacy (SP), pp. 864–881, 2021. [Online]. Available: https: //api.semanticscholar.org/CorpusID:245005742

work page 2023

[14] [14]

Face-off: Adversarial face obfuscation,

V . Chandrasekaran, C. Gao, B. Tang, K. Fawaz, S. Jha, and S. Banerjee, “Face-off: Adversarial face obfuscation,”arXiv preprint arXiv:2003.08861, 2020

work page arXiv 2003

[15] [15]

Protecting facial privacy: Generating adversarial identity masks via style-robust makeup transfer,

S. Hu, X. Liu, Y . Zhang, M. Li, L. Y . Zhang, H. Jin, and L. Wu, “Protecting facial privacy: Generating adversarial identity masks via style-robust makeup transfer,”2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 14 994–15 003,

work page 2022

[16] [16]

Available: https://api.semanticscholar.org/CorpusID: 247291928

[Online]. Available: https://api.semanticscholar.org/CorpusID: 247291928

work page

[17] [17]

Diffam: Diffusion- based adversarial makeup transfer for facial privacy protection,

Y . Sun, L. Yu, H. Xie, J. Li, and Y . Zhang, “Diffam: Diffusion- based adversarial makeup transfer for facial privacy protection,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), June 2024, pp. 24 584–24 594

work page 2024

[18] [18]

Sd4privacy: Exploiting stable diffusion for protecting facial privacy,

J. An, W. Zhang, D. Wu, Z. Lin, J. Gu, and W. Wang, “Sd4privacy: Exploiting stable diffusion for protecting facial privacy,”2024 IEEE International Conference on Multimedia and Expo (ICME), pp. 1– 6, 2024. [Online]. Available: https://api.semanticscholar.org/CorpusID: 273021715

work page 2024

[19] [19]

Clip2protect: Protecting facial privacy using text-guided makeup via adversarial latent search,

F. Shamshad, M. Naseer, and K. Nandakumar, “Clip2protect: Protecting facial privacy using text-guided makeup via adversarial latent search,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023, pp. 20 595–20 605. 9

work page 2023

[20] [20]

Opom: Customized invisible cloak towards face privacy protection,

Y . Zhong and W. Deng, “Opom: Customized invisible cloak towards face privacy protection,”IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022

work page 2022

[21] [21]

Foggysight: A scheme for facial lookup privacy,

I. Evtimov, P. Sturmfels, and T. Kohno, “Foggysight: A scheme for facial lookup privacy,”arXiv preprint arXiv:2012.08588, 2020

work page arXiv 2012

[22] [22]

Towards face encryption by generating adversarial identity masks,

X. Yang, Y . Dong, T. Pang, H. Su, J. Zhu, Y . Chen, and H. W. Xue, “Towards face encryption by generating adversarial identity masks,”2021 IEEE/CVF International Conference on Computer Vision (ICCV), pp. 3877–3887, 2020. [Online]. Available: https: //api.semanticscholar.org/CorpusID:237108370

work page 2021

[23] [23]

Adv-makeup: A new imperceptible and transferable attack on face recognition,

B. Yin, W. Wang, T. Yao, J. Guo, Z. Kong, S. Ding, J. Li, and C. Liu, “Adv-makeup: A new imperceptible and transferable attack on face recognition,”arXiv preprint arXiv:2105.03162, 2021

work page arXiv 2021

[24] [24]

Generative adversarial networks,

I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y . Bengio, “Generative adversarial networks,” Advances in Neural Information Processing Systems, vol. 3, 06 2014

work page 2014

[25] [25]

Denoising Diffusion Probabilistic Models

J. Ho, A. Jain, and P. Abbeel, “Denoising diffusion probabilistic models,”ArXiv, vol. abs/2006.11239, 2020. [Online]. Available: https://api.semanticscholar.org/CorpusID:219955663

work page internal anchor Pith review Pith/arXiv arXiv 2006

[26] [26]

Learning transferable visual models from natural language supervision,

A. Radford, J. W. Kim, C. Hallacy, A. Ramesh, G. Goh, S. Agarwal, G. Sastry, A. Askell, P. Mishkin, J. Clark, G. Krueger, and I. Sutskever, “Learning transferable visual models from natural language supervision,” inInternational Conference on Machine Learning,

work page

[27] [27]

Available: https://api.semanticscholar.org/CorpusID: 231591445

[Online]. Available: https://api.semanticscholar.org/CorpusID: 231591445

work page

[28] [28]

Advfaces: Adversarial face synthesis,

D. Deb, J. Zhang, and A. K. Jain, “Advfaces: Adversarial face synthesis,” 2020 IEEE International Joint Conference on Biometrics (IJCB), pp. 1– 10, 2019. [Online]. Available: https://api.semanticscholar.org/CorpusID: 199577709

work page 2020

[29] [29]

High-resolution image synthesis with latent diffusion models,

R. Rombach, A. Blattmann, D. Lorenz, P. Esser, and B. Ommer, “High-resolution image synthesis with latent diffusion models,” 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 10 674–10 685, 2021. [Online]. Available: https://api.semanticscholar.org/CorpusID:245335280

work page 2022

[30] [30]

Adv-cpg: A customized portrait generation framework with facial adversarial attacks,

J. Wang, H. Zhang, and Y . Yuan, “Adv-cpg: A customized portrait generation framework with facial adversarial attacks,”2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 21 001–21 010, 2025. [Online]. Available: https://api.semanticscholar. org/CorpusID:276929020

work page 2025

[31] [31]

Advcloak: Customized adversarial cloak for privacy protection,

X. Liu, Y . Zhong, X. Cui, Y . Zhang, P. Li, and W. Deng, “Advcloak: Customized adversarial cloak for privacy protection,”arXiv preprint arXiv:2312.14407, 2023

work page arXiv 2023

[32] [32]

Personalized privacy protection mask against unauthorized facial recognition,

K.-H. Chow, S. Hu, T. Huang, and L. Liu, “Personalized privacy protection mask against unauthorized facial recognition,” inEuropean Conference on Computer Vision, 2024

work page 2024

[33] [33]

Tailor-made face privacy protection via class-wise targeted universal adversarial pertur- bations,

Y . Zhang, Z. Yang, T. Wang, Z. Hua, and J. Weng, “Tailor-made face privacy protection via class-wise targeted universal adversarial pertur- bations,”IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 5, pp. 5108–5120, 2025

work page 2025

[34] [34]

Arc2face: A foundation model for id-consistent human faces,

F. P. Papantoniou, A. Lattas, S. Moschoglou, J. Deng, B. Kainz, and S. Zafeiriou, “Arc2face: A foundation model for id-consistent human faces,”arXiv preprint arXiv:2403.11641, 2024

work page arXiv 2024

[35] [35]

Joint face detection and alignment using multitask cascaded convolutional networks,

K. Zhang, Z. Zhang, Z. Li, and Y . Qiao, “Joint face detection and alignment using multitask cascaded convolutional networks,”IEEE Signal Processing Letters, vol. 23, no. 10, pp. 1499–1503, 2016

work page 2016

[36] [36]

Masked face recognition challenge: The insightface track report,

J. Deng, J. Guo, X. An, Z. Zhu, and S. Zafeiriou, “Masked face recognition challenge: The insightface track report,”arXiv preprint arXiv:2108.08191, 2021

work page arXiv 2021

[37] [37]

Generalizable Data-free Objective for Crafting Universal Adversarial Perturbations

K. R. Mopuri, A. Ganeshan, and R. V . Babu, “Generalizable data- free objective for crafting universal adversarial perturbations,” inarXiv preprint arXiv: 1801.08092, 2018

work page internal anchor Pith review Pith/arXiv arXiv 2018

[38] [38]

Generative adversarial perturbations,

O. Poursaeed, I. Katsman, B. Gao, and S. Belongie, “Generative adversarial perturbations,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018, pp. 4422–4431

work page 2018

[39] [39]

Towards Deep Learning Models Resistant to Adversarial Attacks

A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,”arXiv preprint arXiv:1706.06083, 2019

work page internal anchor Pith review Pith/arXiv arXiv 2019

[40] [40]

Level playing field for million scale face recognition,

A. Nech and I. Kemelmacher-Shlizerman, “Level playing field for million scale face recognition,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2017

work page 2017

[41] [41]

MS-Celeb-1M: A Dataset and Benchmark for Large-Scale Face Recognition

Y . Guo, L. Zhang, Y . Hu, X. He, and J. Gao, “Ms-celeb-1m: A dataset and benchmark for large-scale face recognition,”arXiv preprint arXiv:1607.08221, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016

[42] [42]

Labeled faces in the wild: A database forstudying face recognition in unconstrained environments,

G. Huang, M. Mattar, T. Berg, and E. Learned-Miller, “Labeled faces in the wild: A database forstudying face recognition in unconstrained environments,”Tech. rep., 10 2008

work page 2008

[43] [43]

Deep learning face attributes in the wild,

Z. Liu, P. Luo, X. Wang, and X. Tang, “Deep learning face attributes in the wild,” inProceedings of International Conference on Computer Vision (ICCV), December 2015

work page 2015

[44] [44]

Transferable adversarial facial images for privacy protection,

M. Li, J. Wang, H. Zhang, Z. Zhou, S. shou Hu, and X. Pei, “Transferable adversarial facial images for privacy protection,” Proceedings of the 32nd ACM International Conference on Multimedia,

work page

[45] [45]

Available: https://api.semanticscholar.org/CorpusID: 271709384

[Online]. Available: https://api.semanticscholar.org/CorpusID: 271709384

work page

[46] [46]

Squeeze-and-Excitation Networks

J. Hu, L. Shen, S. Albanie, G. Sun, and E. Wu, “Squeeze-and-excitation networks,”arXiv preprint arXiv:1709.01507, 2019

work page internal anchor Pith review Pith/arXiv arXiv 2019

[47] [47]

Inception-v4, Inception-ResNet and the Impact of Residual Connections on Learning

C. Szegedy, S. Ioffe, V . Vanhoucke, and A. Alemi, “Inception-v4, inception-resnet and the impact of residual connections on learning,” arXiv preprint arXiv:1602.07261, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016

[48] [48]

Facenet: A unified embed- ding for face recognition and clustering,

F. Schroff, D. Kalenichenko, and J. Philbin, “Facenet: A unified embed- ding for face recognition and clustering,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015, pp. 815– 823

work page 2015

[49] [49]

MobileFaceNets: Efficient CNNs for Accurate Real-Time Face Verification on Mobile Devices

S. Chen, Y . Liu, X. Gao, and Z. Han, “Mobilefacenets: Efficient cnns for accurate real-time face verification on mobile devices,” 2018. [Online]. Available: https://arxiv.org/abs/1804.07573

work page internal anchor Pith review Pith/arXiv arXiv 2018

[50] [50]

Explaining and Harnessing Adversarial Examples

I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,”CoRR, vol. abs/1412.6572, 2014. [Online]. Available: https://api.semanticscholar.org/CorpusID:6706414

work page internal anchor Pith review Pith/arXiv arXiv 2014

[51] [51]

Boosting adversarial attacks with momentum,

Y . Dong, F. Liao, T. Pang, H. Su, J. Zhu, X. Hu, and J. Li, “Boosting adversarial attacks with momentum,”2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 9185–9193, 2017. [Online]. Available: https://api.semanticscholar.org/CorpusID:4119221

work page 2018

[52] [52]

Evading defenses to transferable adversarial examples by translation-invariant attacks,

Y . Dong, T. Pang, H. Su, and J. Zhu, “Evading defenses to transferable adversarial examples by translation-invariant attacks,” 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 4307–4316, 2019. [Online]. Available: https://api.semanticscholar.org/CorpusID:102350868

work page 2019

[53] [53]

Advhat: Real-world adversarial attack on arcface face id system,

S. A. Komkov and A. Petiushko, “Advhat: Real-world adversarial attack on arcface face id system,”2020 25th International Conference on Pattern Recognition (ICPR), pp. 819–826, 2019. [Online]. Available: https://api.semanticscholar.org/CorpusID:201645162

work page 2020

[54] [54]

Makeup-guided facial privacy protection via untrained neural network priors,

F. Shamshad, M. Naseer, and K. Nandakumar, “Makeup-guided facial privacy protection via untrained neural network priors,” inECCV Work- shops, 2025, pp. 227–246

work page 2025

[55] [55]

Diffprotect: Generate adversarial examples with diffusion models for facial privacy protection,

J. Liu, C. P. Lau, and R. Chellappa, “Diffprotect: Generate adversarial examples with diffusion models for facial privacy protection,”ArXiv, vol. abs/2305.13625, 2023. [Online]. Available: https://api.semanticscholar.org/CorpusID:258841845

work page arXiv 2023

[56] [56]

Dip-watermark: A double identity protection method based on robust adversarial watermark,

Y . Zhang, D. Ye, C. Xie, S. Shen, Z. Liu, J. Deng, and L. Tang, “Dip-watermark: A double identity protection method based on robust adversarial watermark,” 2024. [Online]. Available: https://arxiv.org/abs/2404.14693

work page arXiv 2024

[57] [57]

Adv-diffusion: imperceptible adversarial face identity attack via latent diffusion model,

D. Liu, X. Wang, C. Peng, N. Wang, R. Hu, and X. Gao, “Adv-diffusion: imperceptible adversarial face identity attack via latent diffusion model,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 38, no. 4, 2024, pp. 3585–3593

work page 2024

[58] [58]

The unreasonable effectiveness of deep features as a perceptual metric,

R. Zhang, P. Isola, A. A. Efros, E. Shechtman, and O. Wang, “The unreasonable effectiveness of deep features as a perceptual metric,” in Proceedings of the IEEE conference on computer vision and pattern recognition, 2018, pp. 586–595

work page 2018

[59] [59]

Image quality assessment: Unifying structure and texture similarity,

K. Ding, K. Ma, S. Wang, and E. P. Simoncelli, “Image quality assessment: Unifying structure and texture similarity,”IEEE transactions on pattern analysis and machine intelligence, vol. 44, no. 5, pp. 2567– 2581, 2020

work page 2020

[60] [60]

Dreamsim: Learning new dimensions of human visual similarity using synthetic data.arXiv preprint arXiv:2306.09344, 2023

S. Fu, N. Tamir, S. Sundaram, L. Chai, R. Zhang, T. Dekel, and P. Isola, “Dreamsim: Learning new dimensions of human visual similarity using synthetic data,”arXiv preprint arXiv:2306.09344, 2023. 10 VII. BIOGRAPHYSECTION Zachary Yahngraduated from University of Virginia with a BS in Computer Science and in Computer Engineering and from Univerity College D...

work page arXiv 2023

[61] [61]

Tiansheng Huanggraduated from Southern University, China, with BS and MS and started his CS PhD program in the Georgia Institute of Technology since 2022

Fatih’s research interest lies in efficient AI and Machine Learning systems and algorithms, and published in IEEE and ACM journals, and top conferences, e.g., CVPR, ICDCS, NeurIPS, WWW. Tiansheng Huanggraduated from Southern University, China, with BS and MS and started his CS PhD program in the Georgia Institute of Technology since 2022. He is working on...

work page 2022

[62] [62]

Yichang Xugraduated with BS from China Science and Technology University (Talented Class) in 2024 and joined the CS PhD program in the Georgia Institute of Technology since 2024

Sihao is working on Game AI agents and detection of Fraudulent activities in Decentralized Financial and Crypto Systems, and has published in IEEE and ACM journals, and top conferences like WWW, CVPR, NeurIPS. Yichang Xugraduated with BS from China Science and Technology University (Talented Class) in 2024 and joined the CS PhD program in the Georgia Inst...

work page 2024