Transferable face image privacy protection based on federated learning and ensemble models

Face image features represent significant user privacy concerns. Face images cannot be privately transferred under existing privacy protection methods, and data across various social networks are unevenly distributed. This paper proposes a method for face image privacy protection based on federated learning and ensemble models. A federated learning model based on distributed data sets was established by means of federated learning. On the client side, a local facial recognition model was obtained by local face data training and used as the input of PcadvGAN to train PcadvGAN for several rounds. On the server side, a parameter aggregator based on a differential evolutionary algorithm was established as the discriminator of PcadvGAN server, and a client facial recognition model was ensembled simultaneously. The discriminator of the PcadvGAN server experienced mutation, crossover, and interaction with the ensemble model to reveal the optimal global weight of the PcadvGAN model. Finally, the global optimal aggregation parameter matrix of PcadvGAN was obtained by calculation. The server and the client shared the global optimal aggregation parameter matrix, enabling each client to generate private face images with high transferability and practicality. Targeted attack and non-targeted attack experiments demonstrated that the proposed method can generate high-quality, transferable, robust, private face images with only minor perturbations more effectively than other existing methods.


Introduction
Social network usage prevails among Internet users wishing to express themselves, contact friends, and conduct business activities. Unfortunately, the leakage of private information is a relatively common occurrence. For example, in 2018, the private information of over 50 million Facebook users was leaked and used by an outside company for illegal purposes [1]. Regarding the personal information of Internet users, most social networks lack effective privacy protection methods. Criminals and unauthorized parties can obtain the personal information of Internet users for a variety of purposes. Images containing users' facial information characteristics can be used for facial recognition and identity authentication applications [2], and thus can also be used to obtain a user's private data by means of data mining on social networks [3][4][5]. There are large numbers of public face images present on social media which do not fall under any download limitations. If they are extracted by criminals for nefarious purposes, users' privacy, security, and property may be at risk [6,7].
Considering the frequency with which private user information is leaked, actively disturbing the features in a face image may effectively safeguard the user's privacy [8]. Traditional face image privacy protection methods involve directly modifying or deleting sensitive regions of the face image, which can damage the useful information on the 1 3 image and destroy its usability [9]. The basic principle of the current most common face image privacy protection approach is to slightly disturb the image characteristics and reduce the accuracy of a potential facial recognition system while ensuring that the image can still be used on social media. Existing methods primarily include adversarial sample attacks based on gradient attacks and the generative adversarial network (GAN). Liu et al. [10] and Linardos et al. [11] used Fast Gradient Notation (FGSM) [12] to attack a facial recognition model, added slight perturbation to the gradient of the model to reduce the accuracy of the model, and protected private face images accordingly. The main drawback to FGSM is that the added perturbation is easily filtered by the median, and that its robustness is relatively poor.
There have been other valuable contributions to the literature. Xiao et al. [13] proposed the generation of adversarial samples based on a GAN, where adding tiny perturbations to the image via GAN drives the target recognition model toward misclassification. He et al. [14] proposed substituting U-NET for the GAN generator (PriGAN), where the generated private face image reduces the accuracy of the recognition network in social networks without destroying the usability of face images. Yang et al. [15] proposed a face image privacy protection method (PcadvGAN) based on adversarial-blocking principal components, where slight perturbation is added to the principal components of the blocked face image to protect the facial features in the image from being easily extracted while ensuring its usability.
The structures of the potential facial recognition models used by criminals cannot be predicted. An adversarial example attack on a potential facial recognition model is, essentially, a black-box attack. When perturbing the features in a face image, all of the above adversarial sample attack methods seek to reduce the accuracy of the potential facial recognition model in social networks via single-model adversarial training and transferable adversarial examples. However, an experiment by Yang et al. [15] showed that if the potential facial recognition model in the social network differs significantly from the single-model structure adopted in the adversarial sample attack, the adversarial sample is not transferable enough to resist a black-box attack. In other words, previously established methods have low adversarial transferability leading to an ineffective decrease in the accuracy of the facial recognition model in social networks, and thus, ineffective privacy protection effects.
Liu et al. [16] and Tramèr et al. [17] established a method wherein multiple models of different structures are simultaneously subjected to adversarial training to generate adversarial examples with the same strength, which can effectively improve the transferability of adversarial examples and protect private face images. However, this method requires high-quality face image training data in large quantities; data from major social networks must be shared and integrated for it to function properly. In consideration of industry competition and complex management procedures, a given social network only allows user data to be stored in its own server database. As a result, it is difficult to integrate face image data from different social networks. Even when face image data are successfully integrated, the transferability and robustness of the face image privacy protection method cannot be guaranteed.
The privacy protection of transferable face images was investigated in this study based on federated learning and ensemble models. In the existing method, the weight of each model parameter in the ensemble model is equal. The method we propose regards the generation process of face privacy image as a multi-objective optimization problem, that is, the generated face privacy image is similar to the original face image; it also must mislead multiple face recognition models with different structures. When multiple models of different structures are trained at the same time, the weight of each model is calculated by the server version of the PcadvGAN. The discriminator of the server version of the PcadvGAN uses the differential evolutionary algorithm to solve the multi-objective optimization problem and calculates the optimal weight of the integrated model.
The main contributions of this work can be summarized as follows.
1. A facial recognition model based on the ensemble client was employed for training. A parameter aggregator based on the differential evolutionary algorithm was used as the discriminator for PcadvGAN+ +. After multiple rounds of mutation, crossover, and selection, the optimal weight of the ensemble model was calculated. The face image privacy protection model following this parameter fusion shows superior practicability and transferability to those of other methods. 2. The private face image generated with the proposed method shows a certain degree of adversarial transferability for facial recognition models with defensive strategies. 3. Distributed training of the proposed method was performed using federated learning. No face image data were required to be uploaded on the client's social network during the training process. The structure of the client's facial recognition model is unknown to the server throughout to ensure user privacy and data security. 4. If a user is new to the social network or has lost their data under other circumstances, the proposed method can use their data from other social networks to generate a private face image for them.

PcadvGAN
A mentioned above, features in a given face image create a strong likelihood of private user data leakage. Yang et al. [15] built the PcadvGAN method based on the principal component of adversarial patches. After the face image is divided into blocks, the principal components of the block image are extracted and a small perturbation is added. An image similar to the original face image is generated with the GAN. The tag of the face image generated by the driver generator of the latent recognition network differs from that of the original face image. The loss function of PcadvGAN is calculated as follows: where 1 , 2 , 3 are the hyperparameters of the loss function. L GAN is the GAN loss function. The purpose of L GAN is to use the discriminator to drive the face image data generated by the generator toward the same distribution as the original data set.L adv is the loss function of the misleading rate of the potential target network, which can be calculated as follows: The purpose is to make the face image generated by the generator mislead the target face recognition model. The private face image X ′ is generated by PcadvGAN generator. If the private face image X ′ can mislead the output of the face recognition model f to be the label t ′ instead of the original label t , then L adv returns a smaller value, otherwise it returns a larger value. L N is the loss function that controls the perturbation size and prevents the distortion of the generated face image. L sim is calculated as follows: L sim is the loss function for assessing pixel similarity between the generated private face image and the original face image, which can make the generated face privacy image very similar to the original face image. This method is superior to other methods in terms of the quality of the generated face image, the operation speed, and the reduction in accuracy of the target recognition network. Based on PcadvGAN, a Pcad-vGAN server (PGS) was designed in this study for improved transferability under the framework of federated learning.

Transferability of adversarial examples
Models such as those discussed here are similar at the decision surface of the local space, so the error generated by the adversarial example can be generalized to other models of different structures [12]. This is the so-called "transferability" of the adversarial example, a term often used in reference to black-box attacks [18]. The concept adversarial example transferability was first proposed by Szegedy et al. [19], where training models with the same structure or different structures on different subsets of the MNIST data set results in target models with high-confidence misclassification. Papernot et al. [20,21] studied the transferability of adversarial examples between deep neural networks and other models, and launched black-box attacks on Amazon, Google, and MetaMind via the adversarial example transferability of alternative models. Unlike the method of training alternative models, the method proposed by Cheng et al. [18] centers on a transfer gradient introduced a priori into query-based attacks, where the optimal parameters are derived theoretically to reduce the number of queries required for a successful black-box attack. Carlini et al. [22] proposed a method to generate adversarial examples under different norms which has shown strong transferability experimentally. Moosavi-Dezfooli [23] proposed a universal adversarial perturbation algorithm, where adding the same perturbation to different training data results in misclassification regardless of the specific training data input.
Liu et al. [17] proposed training based on ensemble models for large-scale data sets which achieves adversarial example transfer attacks under multiple models using the

Federated learning
The objective of federated learning is to establish a training model based on distributed data sets under strict privacy protection conditions. This model solves the problem of data islands and enables multiple parties to process big data collaboratively [24][25][26]. Federated learning eliminates the need for concentrating the facial image data in social networks at a central storage point. Rather, each social network organization trains its own model and ultimately produces a global training model by means of aggregation.
Previous research on federated learning has centered primarily on dealing with statistical challenges [27,28] and protecting user privacy [24,29,30]. McMahan [31], for example, proposed a master-slave architectural federated learning model where each client trains a deep learning model locally using its own data, and then uploads the parameters of the properly trained deep learning model to the server. The server constructs a global model using the federated average method and shares it with the client, thus well protecting user privacy and data security.
Manually designing deep neural networks requires a great deal of expertise in the field of deep learning. Scholars have begun to prioritize automated machine learning (Auto ML), especially neural architecture searching (NAS). Federated NAS requires maximizing the model performance and minimizing the payload to be transferred between the server and clients [32]. Zhu et al. [33] regarded it as a multi-objective optimization problem and optimized a neural network model structure for federated learning using a multi-objective evolutionary algorithm.
Inspired by the studies discussed above, we sought to improve the master-slave architecture federated learning model and optimized the PcadvGAN using a differential evolutionary algorithm for enhanced parameter aggregation effects. The proposed method allows various social networks to collaborate on a global model for face image privacy protection without sharing their own users' data.

Problem definition
Assuming that there are N social networks, that is, user data holders S 1 , S 2 , … , S N , each has a face image data set D 1 , D 2 , … , D N ; there are N sets of facial recognition models in the social network Any face image X , X ∈ D may be taken, that is, the face image X can be trained and recognized by the facial recognition model sets F and F ′ . X ′ is the private face image X after being processed by the privacy protection method. X ′ and the face image X should be similar visually. For any potential facial recognition model f i ∈ F ∪ F � , however, the difference between face image X and privacy image X ′ is the preferably more significant-that is, the private face image X ′ may result in misclassification with high confidence by any potential recognition model f i , as shown, for example, in Formula (4): If the label of T is not specified, Formula (4) is suitable for non-targeted misdirecting attacks, i.e., when the private face image X ′ to be identified by the potential facial recognition model f i is not specified. If specify the label of T, Formula (4) is suitable for targeted misdirecting attacks. The private face image X ′ is misclassified as T by the potential recognition model f i .

Model structure based on federated learning
A diagram of the model supporting the proposed method is given in Fig. 1. The arrows in Fig. 1 represent the direction of data transmission. The server is an honest and reliable third-party secure computing node in this case, and the client is N social network, the user data holder S 1 , S 2 , … , S N . All face data are stored on the client. The client does not need to upload face image data at any point during the model training process, but the server and the client do need to interact several times. As described below, the proposed method is operated in eight steps. These eight steps are also marked in Fig. 1.
The flow of the proposed method is shown in Table 1. To allow the server to generate private face images and prevent any leakage of the client's private data, both the server and the client have the same public face datasets (e.g., VGGFACE or self-built datasets). When the clients train PcadvGAN, they add the public face datasets to the training sets and the test sets.
In Step 1, the encrypted user ID alignment technique [33] is applied to manage user group inconsistency in social networks. The user IDs in social networks are aligned to ensure that the label spaces of overlapping data of N clients are consistent while protecting user privacy and not leaking social network data.
In Step 2, the facial recognition model may be defined by the client itself or randomly selected from the server facial recognition model library. The training datasets and model structure of the client facial recognition model are unknown to the server. The proposed method is based on the training of the facial recognition model of the ensemble client. To improve the transferability of the adversarial example of the private face image, the facial recognition model of the client needs a relatively high recognition rate. In Step 4, to improve the entire model's training efficiency and reduce the number of communications between the server and the client, PcadvGAN is trained several times and the loss function is ensured to be relatively stable before Step 5 can begin.
In Step 6, the PGS generator loads the aggregation parameters W , selects face images from the public face datasets pre-stored on the server, generates adversarial samples to perturb the original face image, and produces a private face image.
Steps 6 and 7 involve aggregation of the server-side global model parameters using PGS. The private face image generated by PGS has high transferability after training, which may also lead to misclassification of the facial recognition model set F ′ by criminals with high confidence.
If User A is a new user of a certain client (social network), the client's facial recognition model cannot recognize them, and its PcadvGAN cannot generate a private face image X ′ corresponding to the user. However, if User A has a large amount of data in other clients, the proposed method allows this client's PcadvGAN to generate private face images X ′ for User A after loading the parameters issued by the server.

PcadvGAN sever
In the scenario discussed here, the server performs parameter aggregation and performance evaluation for the global model using PcadvGAN server (PGS). The network architecture of PGS is shown in Fig. 2. The generator structure of PGS is exactly the same as that of PcadvGAN. After the original face image X is blocked and subjected to PCA, the perturbation generated by the generator is added and a private face image X ′ is generated via PCA  where T is the misclassification label of the adversarial example of targeted misdirecting attacks and 1 T represents the one-hot encoding of label T. f i ∈ F is the facial recognition model of the client. The function of L D is that the private face image X ′ misclassifies F with high confidence.
The complete loss function of PGS is where L sim is the constraint condition for the private face image X ′ and the original face image X in PcadvGAN at the pixel level; is the hyperparameter. A smaller value of L sim may lead to higher similarity between the generated private face image X ′ and the original face image.

Parameter aggregator based on differential evolutionary algorithm
The parameter aggregator based on the differential evolutionary algorithm was used as the discriminator of PGS to optimize Formula (5), so that, F , the facial recognition models of all clients, were misclassified with high confidence. Formula (5) is evidently non-differentiable, and F , the facial recognition models of N clients, are unknown to the server. The differential evolutionary algorithm does not require the objective function to be differentiable or known to find the optimal solution, so it is a workable method to solve the complex multi-model optimization problem in Formula (5) [34,35]. Table 2 shows the server algorithm flow of the parameter aggregator using the differential evolutionary algorithm optimization technique in Formula (6).
Client function(X): Select the best individual of this round according to the client facial recognition model f . For f in F, return L adv (X).
Client function run on the client. The facial recognition models have been trained using the client face datasets and run on the client. Each model may have a different structure but both have high recognition accuracy. The face recognition model parameters do not participate in the gradient update during Algorithm 1, but rather, they only return the recognition results to the two functions.
g is the algebra of the weight population, i is the individual label in the weight population, the value range of i is defined according to the training intensity m, K i is the individual of the weight population, 1 ≤ i ≤ m is the weight matrix of the ith set, j is the gene in the individual K i , K j,i is the weight of the model parameter matrix W j , and 1 ≤ j ≤ N , that is, N is the total number of genes in the individual; iter  Table 2 Server-side algorithm flow of parameter aggregator based on differential evolutionary algorithm is the number of iterations of the evolutionary algorithm, v is the weight population of the mutation, and Q is the scaling factor during mutation. Q = rand(0, 1) was defined in the experiment. u is the cross-weighted population, CR is the crossover probability, and f ∈ F is the client facial recognition model.
The training process of this aggregator is shown in Fig. 3. The most significant difference from the ensemble model training proposed by Liu et al. [17] is that according to the differential evolutionary algorithm, K , the optimal weight of the attacked target client facial recognition model F , is calculated following mutation, crossover, and selection before the best aggregation parameter matrix W of this round of training is derived. After the PGS generator loads the parameter matrix W to generate a new private face image X ′ , the next round of training is initiated repetitively until a satisfactory training result is derived.

Experimental environment and data set
The experimental test server hardware environment was an Intel i7-8700 K CPU with 32 GB memory and an NVDIA GeForce RTX 2080Ti graphics card, plus an Intel i7-9750H CPU client software environment with 16 GB memory and an NVDIA GeForce RTX 2060 graphics card. The network environment was a 1000 M local area network. The software environment was the Windows10 64bit operating system and the Google Tensorflow framework was used. Codes were written in Python.
Two types of experimental data sets were used, the VGGFACE and VGGFACE2 public face data sets. VGGFACE contains more than 2.6 million face images of 2,622 individuals [36]. VGGFACE2 contains more than 3.31 million face images for 8,631 people [37]. Some of the face data of VGGFACE and VGGFACE2 overlap. Before training the client facial recognition model, the overlapping portion of the face data was aligned as label data.
The population generation of the differential evolutionary algorithm was set to g = 40 and the number of individuals in the population to m = 14. The scaling factor during mutation was set to Q = 0.5. The crossover probability CR was operated with the adaptive adjustment strategy. The hyperparameter in the loss function of PGS was set to = 0.1.

Setting of ensemble model
Face image data sets were randomly extracted for 1,000 individuals appearing in VGGFACE and VGGFACE2. A total of 101,211 images were selected from the training set and test set after clipping the facial area. Three types of facial recognition network models, VGG16 [38], Resnet18 [39], and Resnet50 [40], were trained, respectively. Another 900 individual facial region images were selected from the same set and used to train the facial recognition models VGG19 [41] and Senet50 [42]. One hundred face image test data sets for 900 long-term social network users were randomly extracted to form a face image test data set A 1 . Fifty images were randomly selected from A 1 and 50 face image test data sets of the other 100 individuals, and newer users of social networks from VGG19 and Senet50 models were selected to form a face image test data set A 2 . In the subsequent Fig. 3 Parameter aggregator training process based on differential evolutionary algorithm experiment, four facial recognition network models were randomly selected as the training model set. The client facial recognition models F and the remaining facial recognition network model was used as the test model, F ′ , the "criminal" facial recognition model. A 2 was used when VGG16, Resnet18, and Resnet50 were used as test models and A 1 was used when VGG19 and Senet50 were used as test models. A 1 and A 2 can be considered the same public face datasets for the server and clients.
We have five clients in total. Each client has a facial recognition network model and PcadvGAN. The client's facial recognition model from F and F ′ serves as the attack model of the PcadvGAN, which trains the client's Pcadv-GAN model at a learning rate of 10 -3 . The hyperparameters in the loss function of PcadvGAN models were set to 1 = 1, 2 = 30, and 3 = 0.1. After every client trains the model of PcadvGAN 100 times, it uploads the model parameters of PcadvGAN to the server.
The main objective of the experiment was to test whether there was better transferability on the criminal facial recognition model set when using the client facial recognition model F to train the original face image X and generate the private face image X ′ . The accuracy rate of each trained facial recognition model is shown in Table 3.

Non-targeted attacks
In the non-targeted attack experiment, a private face image X ′ was generated based on the face image test data set using the training model set, and then input to both the test model and the training model set. The accuracy of the facial recognition model was tested accordingly.
One of the five facial recognition models was used as the test model and the other models were used as the training set. The proposed method was used to train the model set by means of non-targeted attacks. As a result, the recognition accuracy rate of the generated private face image on the training model set was minimized, and the private face image had high transferability on the test model. The private face image is shown in Fig. 4. The generated private face image suffered from only slight perturbation in quality and was very similar to the original face image visually. Figure 5 shows changes in the accuracy of each model and the generated private face image L sim in the case of nontargeted attacks with VGG16, VGG19, Resnet18, Resnet50, and Senet50 as the test models and the other four models   In the first case shown in Fig. 5, VGG16 and Resnet18 served as test models and the training model set was attacked by the proposed method. The generated private face images drove the accuracy of the five facial recognition models down to 0%, and the L sim values were only 0.2776 and 0.2765, respectively. In the second case, Resnet50 served as the test model. The generated private face images again drove the accuracy of the four facial recognition models in the training model down to 0%. The accuracy of Resnet50 as the test model declined to 5% with an L sim value of 0.2799.
In the third case shown in Fig. 5, Senet50 served as the test model. The generated private face images brought the accuracy of the three facial recognition models in the training model set down to 0%. The accuracy of VGG19 in the training model set was reduced to 5% and the accuracy rate of Senet50 as the test model declined to 5% with an L sim of 0.2892. When VGG19 served as the test model, the generated private face images made for 0% accuracy of the three facial recognition models in the training model set. The accuracy rate of Resnet50 in the training model set declined to 2%. The accuracy rate of VGG19 as the test model declined to 2% with an L sim of 0.2855. The faces generated in all of these experimental cases have high adversarial transferability on the test model, and new users in the social networks with VGG19 and Senet5 did not affect the results.
The experimental process shown in Fig. 5 shows that at the beginning of the operation of the PGS, as the perturbation added to the private face image is large, although the accuracy of the five facial recognition models may be lower, the quality of the private face images can be very low. As the training progresses, PGS would learn to adjust the size of the weight K on the premise of ensuring the quality of the private face image to aggregate the better parameter matrix W , thereby decreasing the accuracy rates of the training model set and the test model.
The original face image was subtracted concurrently from the private face image generated by the proposed method. The private face image generated by the Pcadv-GAN attack single model was used to obtain the perturbation, as shown in Fig. 6a, b. Compared with the perturbation in the private face image generated by PcadvGAN, the perturbation in the private face image generated by the proposed method was significantly more concentrated on the key facial features of the face; the perturbation of key features of the face was also greater. This is why, the private face image generated by the proposed method has stronger adversarial transferability.
The proposed method and four current state-of-the-art methods were used to perform non-targeted attacks on the training model set with the goal of enhancing transferability. The accuracy rate of the generated private face image on the test model was investigated, as shown in Fig. 7. The facial recognition model in each row was used as the test model, and the remaining four facial recognition models were used as the training set. A comparison of the generated private face images L sim is shown in Table 4. The methods developed by Carlini et al. [22] and Moosavi-Dezfooli et al. [23] only non-targeted attacked one model in the training set at a given time. The optimal result was selected from the private face images generated by the four models in the test set.
As shown in Fig. 7, the proposed method showed the strongest transferability among all methods tested in this non-targeted attack experiment. It effectively minimized the accuracy rate of the test model and showed the strongest privacy protection effects for face images. Table 4 shows that the quality of the face image generated by the proposed method is higher than that by Liu

Targeted attacks
In the targeted attack experiment, X ′ , a private face image with a directional misdirecting label T, was generated based on the face image test data set via the training model set. The generated image was input to both the test model set and the training model set to test whether all facial recognition models in the experiment could be misdirected as the label T. The misdirecting rate of a targeted attack is calculated by the number of face images with a label T divided by the number of images S that can be non-targeted attacked in the face image test data set Figure 8 shows the changes in the directional misdirecting rate and the generated private face image L sim during a targeted attack on the training model with VGG16, VGG19, Resnet18, Resnet50, and Senet50 as the test models with the (9) M r = num(T) ∕ num(S) .
remaining four models as the training set. The abscissa is the epoch changes of the PGS. The ordinates (a)-(e) represent the directional misdirection rate of the private face images generated by the face image test data set as the input for each model. The ordinate (f) represents the changes in the average quality L sim of the generated private face image during the (a)-(e) training process.
In the first case shown in Fig. 8, the training model set was attacked using the proposed method and the generated private face images brought the misdirection rate of the facial recognition model in the four-training model sets to 100% when VGG19, Resnet18, Resnet50, and Senet50 were used as test models. The misdirection rates of VGG19, Resnet18, Resnet50, and Senet50 as test models were 58%, 87%, 83%, and 81%, respectively. In the second case shown in Fig. 8, when VGG16 was the test model, the generated private face image made the misdirection rate of the four facial recognition models in the training set approximate 100%. Senet50 had the lowest misdirection rate at 91%, and  VGG16 as the test model had a misdirection rate of only 61%. The face images generated in both cases had a high misdirection rate under targeted attacks. However, the quality of the generated face images was slightly lower than that under non-targeted attacks and PGS was required to run more epochs.
The proposed method and other four methods mentioned above were next used to conduct targeted attacks on the training model set under the same experimental settings as the non-targeted attacks discussed above. The misdirecting rates of the generated private face images on the test model are shown in Fig. 9. The facial recognition  Table 5 shows the comparison of the generated private face images L sim .
As shown in Fig. 9, in the targeted attack experiment, the proposed method maximized the test model misdirection rate compared to other methods. Table 5 shows that the quality of the private face image generated by the proposed method is higher than that of the method proposed by Liu et al., and slightly inferior to that by the Carlini et al. method. The quality of the private face image generated by the proposed method was slightly inferior to the image generated under the non-targeted attack, because the more massive perturbation added by the targeted attack misled the test model to recognize the private face image as a specific label. These experiments altogether showed that the proposed method gives images high transferability without sacrificing quality under targeted attacks.

Robustness experiment
The proposed method and the other four methods were next used to attack the test models with different defense strategies to determine their respective robustness. Private face images were generated using non-targeted attacks. The resulting attack success rates are shown in Table 6.
As shown in Table 6, the private face images generated by Cheng  The proposed method appears to have strong robustness. The perturbation generated by the proposed method is not easy to be defended against by methods such as median filtering, because the perturbation is mainly concentrated on the main features of the face image.

Conclusions
A transferable face image privacy protection method based on federated learning and ensemble models was developed in this study. Comparative experiments demonstrated its superior adversarial transferability, robustness, and practicality in generating private face images. The proposed method is also Fig. 9 Misdirection rates of testing models following targeted attack on training model set The experimental results show that private face images generated from more types of facial recognition models in the training model set contribute greater transferability. In the training model set, the facial recognition model with a similar structure to the test model set has a larger weight K than other models. Also in the training model set, the facial recognition model with a dissimilar structure the test model set has a non-zero weight K , indicating that the perturbation it generates contributes to the models in the test set with dissimilar attack structures.
If the parameters of each PcadvGAN are transmitted in plaintext between each client and the server in the federated learning training process, there is still a risk of privacy leakage. The differential privacy protection method may be employed to adjust the model parameters for protection during facial recognition model training at the client [43]. Otherwise, homomorphic encryption [24] can be utilized for transmission between each client and the server. Certain network security strategies [44,45] can also be adopted to reduce the threat of the fractional-order malware propagation models in social networks. In a Gigabit LAN environment, the proposed method takes 18 min and 38 s for one iteration. In the future, the server-side evolutionary algorithm may be optimized to accelerate the running speed.

Availability of data and materials
The article uses public datasets.

Code availability
The article algorithm is implemented based on the Google Tensorflow.

Declarations
Conflicts of interest/competing interests On behalf of all authors, the corresponding author states that there is no conflict of interest.

Consent for publication Written informed consent for publication was obtained from all participants.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http:// creat iveco mmons. org/ licen ses/ by/4. 0/.