
CN-121837009-B - Robust anti-watermark generation method, device and equipment for face depth counterfeiting


Abstract

A robust anti-watermark generation method, device and equipment for face deep counterfeiting, relating to the technical field of deep counterfeiting defense. The method inputs an original face image into the forward diffusion process of a denoising diffusion implicit model to obtain a noise latent variable, and then executes the reverse denoising process. Each denoising step generates a current intermediate image, calculates the loss of the fake output, obtains gradient information from that loss, and adds the gradient information to the current intermediate image to obtain an intermediate noise image. Denoising steps are executed until the complete denoising process is finished, which yields an intermediate countermeasure image. A post-processing image is then obtained through noise layer processing, the mean square error loss of the fake output is calculated, and a total loss function is obtained by weighted fusion of this loss with the structural consistency loss between the intermediate countermeasure image and the original face image. Based on the total loss function, gradient information is obtained and added to the noise latent variable, and a new round of denoising is carried out. Finally, the intermediate countermeasure image of the last iteration is output.

Inventors

  • LI YUE
  • Xue Linying
  • TIAN HUI
  • LIN DONGDONG
  • WANG BIN
  • QUAN HANYU
  • LU JING

Assignees

  • Huaqiao University (华侨大学)

Dates

Publication Date: 2026-05-08
Application Date: 2026-03-12

Claims (9)

  1. A robust counter watermark generation method for face depth forgery, comprising: S1, inputting an original face image into a forward diffusion process of a denoising diffusion implicit model to obtain a noise latent variable after a preset noise adding step, wherein S1 specifically comprises gradually adding Gaussian noise to the original face image according to a preset noise scheduling strategy, and obtaining the original face image Inversion to the first Noise latent variable of step Wherein, the method comprises the steps of, In order to preset the noise adding step, Is the first Step-corresponding noise potential variables; S2, performing a reverse denoising process of a denoising diffusion implicit model based on a noise latent variable, wherein in each denoising step, a current intermediate image is generated according to the input of the current denoising step, the current intermediate image and an original face image are respectively input into a depth falsification model, then mean square error loss between two outputs of the model is calculated, gradient information of the current intermediate image is obtained according to the mean square error loss through a reverse propagation mechanism of the depth falsification model so as to be added to the current intermediate image to obtain an intermediate noise image, the current intermediate image is a denoising intermediate result containing residual noise in the reverse denoising process, the depth falsification model comprises a face attribute editing model and/or a face replacement model, gradient information of the current intermediate image is obtained according to the mean square error loss through the reverse propagation mechanism of the depth falsification model so as to be added to the current intermediate image, and the intermediate noise image is obtained and is expressed as: In the formula (I), in the formula (II), Is an intermediate noise image; is the current intermediate image; the step weight is preset; losing gradient information about the current intermediate image for the mean square error; Is a gradient; is the mean square error loss; the preset step weight is used for controlling the disturbance resistance intensity injected into the current intermediate image; S3, continuing denoising by taking the intermediate noise image as the input of the last denoising step until the complete denoising process is completed, obtaining an intermediate countermeasure image, and obtaining a post-processing image through noise layer processing; respectively inputting the post-processing image and the original face image into a depth fake model, calculating the mean square error loss between two outputs of the model and the structural consistency loss of the intermediate countermeasure image and the original face image, and then carrying out weighted fusion to obtain a total loss function; S4, acquiring gradient information of a noise potential variable through a back propagation mechanism of a depth fake model based on a total loss function, and adding the gradient information to the noise potential variable to perform new-round denoising; And S5, outputting an intermediate countermeasure image of the last iteration as a face image with countermeasure watermark when the iteration termination condition is met.
  2. A robust counter watermark generation method for face depth forgery according to claim 1, wherein said forward diffusion process satisfies: In the formula (I), in the formula (II), The number of steps in the forward noise adding process; to add noise step as Noise potential variable at time; reserving coefficients for the accumulated signals; is a gaussian noise parameter.
  3. The robust counter watermark generation method for face depth forgery according to claim 1, wherein the inverse denoising process specifically comprises the steps of firstly obtaining an estimated clean image corresponding to a current denoising step and predicting noise components by a denoising network, and then generating a current intermediate image by the estimated clean image, wherein the image of the previous denoising step is less noisy than the image of the current denoising step.
  4. A robust counter watermark generation method for face depth forgery according to claim 3, wherein when said depth forgery model is a face property editing model, forgery output is expressed as: In the formula (I), in the formula (II), Editing a result for the attribute; editing a model for the face attribute; An original face image; Is an attribute to be edited; when the depth forgery model is a face replacement model, forgery output is expressed as: In the formula (I), in the formula (II), Replacing the result for the face; A face replacement model; An original face image; The method comprises the steps of taking a target face image; s2, forgery output of original face image through depth forgery model by maximizing ( ) And forgery output of current intermediate image via depth forgery model Distance over Realizing interference depth forging a target output by the model; ; in the formula, Representation maximization; representing an anti-watermark added to the image; editing models for face properties And face replacement model Is also referred to as a general term; mean square error loss of S2 Expressed as: In the middle of Is the current intermediate image; Is the L2 norm; is the number of steps of the inverse denoising process.
  5. The robust against face depth forgery generation method according to any one of claims 1 to 4, wherein the noise layer processing is configured to apply a preset image disturbance to the intermediate challenge image after completing one complete denoising to simulate a post-processing operation in the image propagation process; The post-processing image after noise layer processing is expressed as: In the formula (I), in the formula (II), For post-processing the image; processing the function for a noise layer; The image is opposed for the intermediate step.
  6. A robust against face depth forgery method according to any of claims 1 to 4, characterized in that the mean square error loss of S3 is: In the formula (I), in the formula (II), Is the mean square error loss; An original face image; for post-processing the image; Antagonizing the image for the intermediate step; The original face image is forged and output by a depth forging model; Forgery output of the processed image through a depth forgery model; Is the L2 norm; the structural consistency loss is: ; Is an L1 loss function; Calculating absolute values for each pixel; Total loss function The method comprises the following steps: In the formula (I), in the formula (II), Is a first weight coefficient; is the second weight coefficient.
  7. A robust against watermark generation method for face depth forgery according to claim 1, wherein S4 updates noise latent variables based on a total loss function by: In the formula (I), in the formula (II), Is an updated noise latent variable; noise latent variable; gradient information that is a noise latent variable; Is a gradient; As a total loss function; the iteration termination condition comprises reaching the preset iteration times; and repeatedly performing the steps of inverse denoising, intermediate image gradient updating, noise layer processing and noise latent variable updating when the iteration termination condition is not met.
  8. A robust counter watermark generation apparatus for face depth forgery, characterized by performing a robust counter watermark generation method for face depth forgery according to any one of claims 1 to 7; the robust countermeasure watermark generation device includes: The original image acquisition module is used for inputting the original face image into a forward diffusion process of the denoising diffusion implicit model to obtain a noise potential variable after a preset noise adding step; The intermediate image module is used for executing a reverse denoising process of the denoising diffusion implicit model based on the noise latent variable, wherein in each denoising step, a current intermediate image is generated according to the input of the current denoising step, the current intermediate image and the original face image are respectively input into the deep fake model, and then the mean square error loss between two outputs of the model is calculated; The total loss module is used for continuing denoising by taking the middle noise image as the input of the last denoising step until the complete denoising process is completed, obtaining a middle step countermeasure image, and obtaining a post-processing image through noise layer processing; respectively inputting the post-processing image and the original face image into a depth fake model, calculating the mean square error loss between two outputs of the model and the structural consistency loss of the intermediate countermeasure image and the original face image, and then carrying out weighted fusion to obtain a total loss function; The iteration module is used for acquiring gradient information of the noise potential variable through a back propagation mechanism of the depth fake model based on the total loss function, adding the gradient information to the noise potential variable and carrying out new-round denoising; and the output module is used for outputting the intermediate countermeasure image of the last iteration as the face image with the countermeasure watermark when the iteration termination condition is met.
  9. A robust against face depth forgery generating device comprising a processor, a memory, and a computer program stored in the memory, the computer program being executable by the processor to implement a robust against face depth forgery generating method as claimed in any one of claims 1 to 7.
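
The effect that claims 5 and 6 aim at, a perturbation that still disturbs the forgery output after post-processing, can be reproduced on a one-dimensional signal. This Python example is added here and is not code from the patent: `forge` and `blur` are hypothetical linear stand-ins for the deep forgery model and the noise layer, the DDIM steps are left out, and a fixed budget `EPS` stands in for the structural consistency loss.

```python
# Added illustration, not the patent's code. forge() and blur() are hypothetical
# linear stand-ins for the deep forgery model and the noise layer; the DDIM loop
# is omitted and a budget EPS replaces the structural consistency loss.
X = [0.2, 0.25, 0.3, 0.5, 0.8, 0.85, 0.8, 0.6,
     0.4, 0.3, 0.3, 0.35, 0.5, 0.6, 0.4, 0.25]   # constructed 1-D "image" row
N, EPS = len(X), 0.05

def identity(x):   # channel with no post-processing
    return list(x)

def blur(x):       # noise layer: circular 2-tap average blur
    return [(x[i] + x[(i + 1) % N]) / 2 for i in range(N)]

def blur_T(r):     # transpose of blur, used to back-propagate through it
    return [(r[i] + r[i - 1]) / 2 for i in range(N)]

def forge(x):      # stand-in forgery model: circular first difference
    return [x[(i + 1) % N] - x[i] for i in range(N)]

def forge_T(r):    # transpose of forge
    return [r[i - 1] - r[i] for i in range(N)]

def distortion(delta, channel):
    """Squared error between forge(channel(X + delta)) and forge(X)."""
    out = forge(channel([x + d for x, d in zip(X, delta)]))
    return sum((a - b) ** 2 for a, b in zip(out, forge(X)))

def naive_watermark():
    # Exact maximiser of the loss when no post-processing is modelled:
    # alternating +/-EPS drives every difference term to its bound 2*EPS.
    return [EPS if i % 2 == 0 else -EPS for i in range(N)]

def robust_watermark(step=0.01, iters=200):
    """Projected gradient ascent on the loss measured after the noise layer."""
    delta = [0.0] * N
    for _ in range(iters):
        out = forge(blur([x + d for x, d in zip(X, delta)]))
        resid = [a - b for a, b in zip(out, forge(X))]
        grad = [2 * g for g in blur_T(forge_T(resid))]
        delta = [max(-EPS, min(EPS, d + step * g)) for d, g in zip(delta, grad)]
    return delta

if __name__ == "__main__":
    for name, wm in (("naive", naive_watermark()), ("robust", robust_watermark())):
        print(name, round(distortion(wm, identity), 4), round(distortion(wm, blur), 4))
```

Each printed row gives a watermark's loss without and with the blur: the alternating pattern contributes nothing once blurred, while the one optimised through the noise layer still raises the loss.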

Description

Robust anti-watermark generation method, device and equipment for face depth counterfeiting

Technical Field

The invention relates to the technical field of deep counterfeiting defense, in particular to a robust anti-watermark generation method, device and equipment for face deep counterfeiting.

Background

With the rapid development of artificial intelligence technology, deep forgery technology, especially attribute editing and face replacement of face images, brings serious information security and privacy protection challenges. To cope effectively with unauthorized malicious tampering and to prevent the harm caused by counterfeit content spreading on public platforms such as social networks, the industry needs a defense that embeds a protection mechanism before an image is released, so as to actively destroy the output of a deep forgery model. Such an active defense must keep the added protection information invisible to the human eye while disturbing the counterfeiting result, so that the image keeps its normal look and feel.

Research has already explored applying adversarial techniques to active defense against face deep forgery. For example, in 2020, Ruiz et al. first proposed attacking the deep forgery model with adversarial attack algorithms designed for classification models, such as I-FGSM and PGD, so as to produce macroscopic anomalies in the output and thereby achieve the purpose of defense. Since then, most active defense schemes in white-box scenarios have been developed as improvements on that work. However, prior art schemes have not adequately considered robustness when generating the anti-watermark.

Although researchers have attempted to improve the ability of watermarks to resist compression by simulating compression noise in real social media environments, these methods remain insufficiently robust against image post-processing operations that are extremely common in actual network propagation, such as Gaussian blur, average blur and downsampling. This lack of robustness limits the reliability and practicality of existing active defense techniques in complex real-world scenarios.

Disclosure of Invention

The invention provides a robust anti-watermark generation method, device and equipment for face depth counterfeiting, so as to improve at least one of the technical problems.

In a first aspect, the present invention provides a robust anti-watermark generation method for face depth forgery, which includes steps S1 to S5.

S1, inputting an original face image into a forward diffusion process of a denoising diffusion implicit model, and obtaining a noise latent variable after a preset noise adding step.

S2, executing a reverse denoising process of the denoising diffusion implicit model based on the noise latent variable. In each denoising step, a current intermediate image is generated according to the input of the current denoising step. The current intermediate image and the original face image are respectively input into a deep forgery model, and the mean square error loss between the two outputs of the model is calculated. According to the mean square error loss, gradient information of the current intermediate image is obtained through the back propagation mechanism of the deep forgery model and added to the current intermediate image to obtain an intermediate noise image.

S3, continuing denoising by taking the intermediate noise image as the input of the last denoising step until the complete denoising process is completed, obtaining an intermediate countermeasure image, and obtaining a post-processing image through noise layer processing. The post-processing image and the original face image are respectively input into the deep forgery model, the mean square error loss between the two outputs of the model and the structural consistency loss between the intermediate countermeasure image and the original face image are calculated, and the two are fused by weighting to obtain a total loss function.

S4, acquiring gradient information of the noise latent variable through the back propagation mechanism of the deep forgery model based on the total loss function, and adding the gradient information to the noise latent variable to perform a new round of denoising.

S5, outputting the intermediate countermeasure image of the last iteration as a face image with countermeasure watermark when the iteration termination condition is met.

As a further scheme of the invention, S1 is specifically that Gaussian noise is gradually added to the original face image according to a preset noise scheduling strategy, and the original face image is processedInversion to the firstNoise latent variable of step. Wherein, the In order to preset the noise adding step,Is the firstStep corresponds to a noise latent variable. The forward diffusion process satisfies: . In the formula, Is the number of s