Qi Liang,Qiang Li,Weizhi Nie

DOI: https://doi.org/10.1016/j.image.2022.116659

2022-01-01

Abstract:Deep neural networks achieve outstanding performance in many tasks, so they have been widely used in many applications. However, the vulnerability of deep neural networks will produce many security threats, which drives us to provide sufficient attention to adversarial robustness. Many researchers have paid attention to addressing this problem based on the perturbation injection method, which may fail to consider the content of images that correspond to the perturbed feature while only focusing on their classification scores. In general, the existing methods often improve the robustness of the model at the expense of accuracy. In this paper, we propose LD-GAN, a novel framework to improve the adversarial robustness by learning perturbations and guaranteeing classification accuracy. The classic GAN structure is employed in this work. First, we utilize a generative model to reconstruct a training image from the corresponding perturbed feature. Then, the discriminative model is utilized to control the category. The purpose is to control the magnitude of noise addition and ensure that the noise addition does not fundamentally change the feature distribution of the original category. More specifically, we utilize the soft-attention model in the perturbation-injection module, which generates noise according to different layer concerns and improves the flexibility of the noise parameters. Extensive white-box and black-box attack experiments on CIFAR-10 and CIF-100 with state-of-the-art defense methods show the effectiveness of our method.

Dan Ma,Bin Liu,Zhao Kang,Jianke Zhu,Zenglin Xu

2017-01-01

Abstract:Generating high fidelity identity-preserving faces has a wide range of applications. Although a number of generative models have been developed to tackle this problem, it is still far from satisfying. Recently, Generative adversarial network (GAN) has shown great potential for generating or transforming images of exceptional visual fidelity. In this paper, we propose to train GAN iteratively via regularizing the minmax process with an integrated loss, which includes not only the per-pixel loss but also the perceptual loss. We argue that the perceptual information benefits the output of a high-quality image, while preserving the identity information. In contrast to the existing methods only deal with either image generation or transformation, our proposed iterative architecture can achieve both of them. Experiments on the multi-label facial dataset CelebA demonstrate that the proposed model has excellent performance on recognizing multiple attributes, generating a high-quality image, and transforming image with controllable attributes.

Shengshan Hu,Xiaogeng Liu,Yechao Zhang,Minghui Li,Leo Yu Zhang,Hai Jin,Libing Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01459

2022-01-01

Abstract:While deep face recognition (FR) systems have shown amazing performance in identification and verification, they also arouse privacy concerns for their excessive surveillance on users, especially for public face images widely spread on social networks. Recently, some studies adopt adversarial examples to protect photos from being identified by unauthorized face recognition systems. However, existing methods of generating adversarial face images suffer from many limitations, such as awkward visual, white-box setting, weak transferability, making them difficult to be applied to protect face privacy in reality. In this paper, we propose adversarial makeup transfer GAN (AMT-GAN) 1 1 https://github.com/CGCL-codes/AMT-GAN, a novel face protection method aiming at constructing adversarial face images that preserve stronger black-box transferability and better visual quality simultaneously. AMT-GAN leverages generative adversarial networks (GAN) to synthesize adversarial face images with makeup transferred from reference images. In particular, we introduce a new regularization module along with a joint training strategy to reconcile the conflicts between the adversarial noises and the cycle consistence loss in makeup transfer, achieving a desirable balance between the attack strength and visual changes. Extensive experiments verify that compared with state of the arts, AMT-GAN can not only preserve a comfortable visual quality, but also achieve a higher attack success rate over commercial FR APIs, including Face++, Aliyun, and Microsoft.

Deyu Lin,Huanxin Wang,Xin Lei,Weidong Min,Chenguang Yao,Yuan Zhong,Yong Liang Guan

DOI: https://doi.org/10.1016/j.cviu.2024.104128

2024-01-01

Abstract:Face recognition technology is widely used indifferent areas, such as entrance guard, payment etc. . However, little attention has been given to non-positive faces recognition, especially model training and the quality of the generated images. To this end, a novel robust frontal face recognition approach based on generative adversarial network (DSU-GAN) is proposed in this paper. A mechanism of consistency loss is presented in deformable convolution proposed in the generator-encoder to avoid additional computational overhead and the problem of overfitting. In addition, a self-attention mechanism is presented in generator-encoder to avoid information overloading and construct the long-term dependencies at the pixel level. To balance the capability between the generator and discriminator, a novelf discriminator architecture based U-Net is proposed. Finally, the single-way discriminator is improved through anew up-sampling module. Experiment results demonstrate that our proposal achieves an average Rank-1 recognition rate of 95.14% on the Multi-PIE face dataset in dealing with the multi-pose. In addition, it is proven that our proposal has achieved outstanding performance in recent benchmarks conducted on both IJB-A and IJB-C.

Xingbo Dong,Zhihui Miao,Lan Ma,Jiajun Shen,Zhe Jin,Zhenhua Guo,Andrew Beng Jin Teoh

DOI: https://doi.org/10.1016/j.cose.2022.103026

IF: 5.105

2022-01-01

Computers & Security

Abstract:Face recognition based on deep convolutional neural networks (CNN) shows superior accuracy performance attributed to the high discriminative features extracted. Yet, the security and privacy of the extracted features from deep learning models (deep features) have often been overlooked. This paper proposes the reconstruction of face images from deep features without accessing the CNN network configurations as a constrained optimization problem. Such optimization minimizes the distance between the features extracted from the original face image and the reconstructed face image. Instead of directly solving the optimization problem in the image space, we innovatively reformulate the problem by looking for a latent vector of a generative adversarial networks (GAN) generator, then use it to generate the face image. The GAN generator serves a dual role in this novel framework, i.e., face distribution constraint of the optimization goal and a face generator. To solve this optimization problem, We present an optimization approach based on a Genetic Algorithm. On top of the novel optimization task, we also propose an attack pipeline to impersonate the target user based on the generated face image. Our results show that the generated face images can achieve a state-of-the-art successful attack rate of 99.33% on Labeled Faces in the Wild (LFW) under type-I attack at a false accept rate of 0.1%. Our work sheds light on biometric deployment to meet privacy-preserving and security policies.

Mandi Luo,Jie Cao,Xin Ma,Xiaoyu Zhang,Ran He

DOI: https://doi.org/10.1109/tifs.2021.3053460

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Substantial improvements have been achieved in the field of face recognition due to the successful application of deep neural networks. However, existing methods are sensitive to both the quality and quantity of the training data. Despite the availability of large-scale datasets, the long tail data distribution induces strong biases in model learning. In this paper, we present a Face Augmentation Generative Adversarial Network (FA-GAN) to reduce the influence of imbalanced deformation attribute distributions. We propose to decouple these attributes from the identity representation with a novel hierarchical disentanglement module. Moreover, Graph Convolutional Networks (GCNs) are applied to recover geometric information by exploring the interrelations among local regions to guarantee the preservation of identities in face data augmentation. Extensive experiments on face reconstruction, face manipulation, and face recognition demonstrate the effectiveness and generalization ability of the proposed method.

computer science, theory & methods,engineering, electrical & electronic

Xingbo Dong,Zhihui Miao,Lan Ma,Jiajun Shen,Zhe Jin,Zhenhua Guo,Andrew Beng Jin Teoh

DOI: https://doi.org/10.48550/arxiv.2206.04295

2022-01-01

Abstract: Face recognition based on the deep convolutional neural networks (CNN) shows superior accuracy performance attributed to the high discriminative features extracted. Yet, the security and privacy of the extracted features from deep learning models (deep features) have been often overlooked. This paper proposes the reconstruction of face images from deep features without accessing the CNN network configurations as a constrained optimization problem. Such optimization minimizes the distance between the features extracted from the original face image and the reconstructed face image. Instead of directly solving the optimization problem in the image space, we innovatively reformulate the problem by looking for a latent vector of a GAN generator, then use it to generate the face image. The GAN generator serves as a dual role in this novel framework, i.e., face distribution constraint of the optimization goal and a face generator. On top of the novel optimization task, we also propose an attack pipeline to impersonate the target user based on the generated face image. Our results show that the generated face images can achieve a state-of-the-art successful attack rate of 98.0\% on LFW under type-I attack @ FAR of 0.1\%. Our work sheds light on the biometric deployment to meet the privacy-preserving and security policies.

Yea-Shuan Huang,Mahmood HB Alhlffee

DOI: https://doi.org/10.1080/08839514.2023.2175108

IF: 2.777

2023-02-12

Applied Artificial Intelligence

Abstract:Posture variation and self-occlusion are well-known factors that can compromise the accuracy and robustness of face recognition systems. There are a variety of ways to combat the challenges listed above, include using Generative Adversarial Networks (GANs). Nevertheless, many GAN methods cannot guarantee high-quality frontal-face images, which can improve recognition accuracy and verification when applied to multiple datasets. Recent results have proven that the two-pathway GAN (TP-GAN) method is superior to many traditional GAN deep learning methods that provide better face-texture details due to a unique architecture that enables the method to perceive global structure and local details in a supervised fashion. Although the TP-GAN overcomes some of the difficulties associated with generating photorealistic frontal views through the use of texture information provided by landmark detection and synthesis functions, it is difficult to replicate across different datasets. Particularly, under extreme pose scenarios, TP-GAN fails to further boost photo-realistic face frontalization image samples, minimizes the training time, and reduces computational resources, all of which result in substantially lower performance. This paper proposes simple adaptive strategies for overcoming TP-GAN's inherent limitations. First, we incorporate the powerful discrimination capabilities of a decision forest into the discriminator of a TP-GAN. This method will result in a more stable discriminator model over time. Secondly, we acclimate a data augmentation technique along with a method which reduces training errors and accelerates the convergence of existing learning algorithms. Our proposed approaches are evaluated on three datasets, Multi-PIE, FEI and CAS-PEAL. We demonstrate both quantitatively and qualitatively that our proposed approaches can enhance TP-GAN performance by restoring identity information contaminated by variations in posture and self-occlusion, resulting in high quality visualizations and rank-1 individual face identification.

computer science, artificial intelligence,engineering, electrical & electronic

Zhenfei Chen,Tianqing Zhu,Ping Xiong,Chenguang Wang,Wei Ren

DOI: https://doi.org/10.1002/int.22356

IF: 8.993

2021-01-05

International Journal of Intelligent Systems

Abstract:<p>The importance of protecting personal information, like, a person's address or health history, is well known and commonly discussed. However, images also contain sensitive information that can compromise a person's privacy or be used for nefarious purposes. To date, most methods for preserving privacy with images have relied on obfuscation techniques, such as pixelation, blurring, or masking parts of the image. However, new face‐recognition technologies driven by deep learning are showing cracks in the old techniques. Moreover, faceless recognition is presenting a whole new set of challenges for image privacy. The core of these issues it is how to ensure privacy while still being able to see and use the image. Our solution is a model based on a generative adversarial network that protects identity information while preserving face features of the original image as much as possible. The premise is to generate a fake image of a face that shares all the same attributes as the original image, for example, a brown‐eyed child smiling. With this strategy, the image remains useful, but no person or algorithm could determine the identity of the pictured individual. The framework consists of three parts: a detection module, an image creation module, and an image transformation module. The detection module extracts the attribute labels. The image creation module generates images of faces, and the image transformation module transforms the fake features to match the attributes in the original image. A comprehensive set of experiments shows the effectiveness of the proposed framework.</p>

computer science, artificial intelligence

Weicheng Xie,Wenya Lu,Zhibin Peng,Linlin Shen

DOI: https://doi.org/10.1109/tmm.2023.3289757

IF: 7.3

2023-01-01

IEEE Transactions on Multimedia

Abstract:Generative Adversarial Network (GAN) has been widely used for image-to-image translation-based facial attribute editing. Existing GAN networks are likely to generate samples with anomalies, which may be caused by the lack of consistency preservation and feature entanglement. For preserving image consistency, many studies resorted to the design of the network framework and loss functions, e.g. cycle-consistency loss. However, the generator with the cycle-consistency loss could not well preserve the attribute-irrelevant features, and its feature-level noises may possibly cause synthesis abnormalities. For feature disentanglement, previous works were devoted to mining the implicit semantics of feature spaces, while these semantics are not stable and intuitive enough. For consistency preservation, we propose a target consistency loss to complement the cycle-consistency loss, and enable the network to learn to preserve features of the image more directly. Meanwhile, we filter out outlier feature maps to reduce the synthesis abnormalities and propose a dynamic dropout to better preserve the attribute-irrelevant features. For feature disentanglement, we encode the image semantics more stably and intuitively and propose an entropy regularization to decouple these semantics to allow independent editing of different attributes. The proposed modules are general and can be easily integrated with available image-to-image-based GAN models like StarGAN, AttGAN, and STGAN. Extensive experiments on CelebA dataset show that the our strategy can largely reduce the artifacts and better preserve the subtle facial features, and thus significantly improve the facial editing performance of these mainstream GAN models, in terms of FID, PSNR and SSIM. Additional experiments on realistic expression editing show that our method outperforms StarGAN on RaFD, and achieves much better generalization performances than the three baselines on datasets of FFHQ, RaFD and LFW.

computer science, information systems,telecommunications, software engineering

Zheng Li,Ning Yu,Ahmed Salem,Michael Backes,Mario Fritz,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2210.00957

2023-01-01

Abstract:Deepfakes pose severe threats of visual misinformation to our society. One representative deepfake application is face manipulation that modifies a victim's facial attributes in an image, e.g., changing her age or hair color. The state-of-the-art face manipulation techniques rely on Generative Adversarial Networks (GANs). In this paper, we propose the first defense system, namely UnGANable, against GAN-inversion-based face manipulation. In specific, UnGANable focuses on defending GAN inversion, an essential step for face manipulation. Its core technique is to search for alternative images (called cloaked images) around the original images (called target images) in image space. When posted online, these cloaked images can jeopardize the GAN inversion process. We consider two state-of-the-art inversion techniques including optimization-based inversion and hybrid inversion, and design five different defenses under five scenarios depending on the defender's background knowledge. Extensive experiments on four popular GAN models trained on two benchmark face datasets show that UnGANable achieves remarkable effectiveness and utility performance, and outperforms multiple baseline methods. We further investigate four adaptive adversaries to bypass UnGANable and show that some of them are slightly effective.(1)

Qing Song,Yingqi Wu,Lu Yang

DOI: https://doi.org/10.48550/arXiv.1811.12026

2018-11-30

Abstract:With the broad use of face recognition, its weakness gradually emerges that it is able to be attacked. So, it is important to study how face recognition networks are subject to attacks. In this paper, we focus on a novel way to do attacks against face recognition network that misleads the network to identify someone as the target person not misclassify inconspicuously. Simultaneously, for this purpose, we introduce a specific attentional adversarial attack generative network to generate fake face images. For capturing the semantic information of the target person, this work adds a conditional variational autoencoder and attention modules to learn the instance-level correspondences between faces. Unlike traditional two-player GAN, this work introduces face recognition networks as the third player to participate in the competition between generator and discriminator which allows the attacker to impersonate the target person better. The generated faces which are hard to arouse the notice of onlookers can evade recognition by state-of-the-art networks and most of them are recognized as the target person.

Computer Vision and Pattern Recognition

Beijing Chen,Xin Liu,Yuhui Zheng,Guoying Zhao,Yun-Qing Shi

DOI: https://doi.org/10.1109/tcsvt.2021.3116679

IF: 5.859

2021-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:In recent years, generative adversarial networks (GANs) have been widely used to generate realistic fake face images, which can easily deceive human beings. To detect these images, some methods have been proposed. However, their detection performance will be degraded greatly when the testing samples are post-processed. In this paper, some experimental studies on detecting post-processed GAN-generated face images find that (a) both the luminance component and chrominance components play an important role, and (b) the RGB and YCbCr color spaces achieve better performance than the HSV and Lab color spaces. Therefore, to enhance the robustness, both the luminance component and chrominance components of dual-color spaces (RGB and YCbCr) are considered to utilize color information effectively. In addition, the convolutional block attention module and multilayer feature aggregation module are introduced into the Xception model to enhance its feature representation power and aggregate multilayer features, respectively. Finally, a robust dual-stream network is designed by integrating dual-color spaces RGB and YCbCr and using an improved Xception model. Experimental results demonstrate that our method outperforms some existing methods, especially in its robustness against different types of post-processing operations, such as JPEG compression, Gaussian blurring, gamma correction, and median filtering.

engineering, electrical & electronic

Jiliang Zhang,Junjie Hou

DOI: https://doi.org/10.1145/3453688.3461751

2021-01-01

Abstract:Recent studies have shown that neural networks are vulnerable to adversarial example (AE) attacks. However, the existing AE generation techniques restrict the pixel perturbation to improve imperceptibility, resulting in low attack success rates. Although increasing perturbations can improve the attack success rate, the imperceptibility of AEs will be reduced. In order to mitigate this contradiction, we propose a new attack method, named AttAdvGAN, which uses adversarial-consistency loss for unpaired image-to-image translation to generate semantic-based AEs for faces, encouraging the generated image contains important features of the original image and hiding adversarial perturbations into shared feature in the target domain. Experiment results show that the proposed approach can generate imperceptible face AEs on the CelebA dataset with high attack success rate in fooling the state-of-the-art face recognition model. In addition, our proposed method can also be used for facial privacy protection.

Yong Fu,Tanfeng Sun,Xinghao Jiang,Ke Xu,Peisong He

DOI: https://doi.org/10.1109/CISP-BMEI48845.2019.8965991

2019-01-01

Abstract:Nowadays, the identification of Generative adversarial networks (GAN) generated face images has become an important issue. Unfortunately, existing methods cannot detect these images with post-processing operations efficiently, such as image denoising and image sharpening. In this paper, the images are pre-processed by a gaussian low-pass filter, the combination of pre-processed images and the high-frequent components of original images can mitigate the influence of various image contents and can improve the detection capability against some widely-used image post-processing operations. Therefore, we carefully design a dual-channel structure based on Convolutional Neural Network (CNN) aiming to extract robust representations for detection of GAN generated face images. Extensive experiments are conducted on the public available dataset. Experimental results demonstrate that the proposed approach outperforms the state-of-the-arts with several image post-processing operations.

Ziyang Han,He Huang,Tingwen Huang,Jinde Cao

DOI: https://doi.org/10.1016/j.neucom.2019.08.049

IF: 6

2019-01-01

Neurocomputing

Abstract:With the development of deep learning, the accuracy of face recognition of learning based approaches has even exceeded that of humans in some circumstances. However, identifying faces that are heavily deflected is still a challenging issue. To synthesize the frontal view from large-pose faces, a face merged generative adversarial network (FM-GAN) equipped with two generators and one discriminator is proposed in this paper. Generally, generative adversarial network (GAN) has only one generator and one discriminator to compete with each other to make the network convergence. By introducing an additional generator, the confrontation power is greatly enhanced and thus the performance of the designed model is improved. In the proposed framework, the first generator learns the upper and lower parts of a face to capture essential facial features. These high-dimensional information of the merged face together with the multi-scale encoded profile are transmitted into the second generator. Based on the competition with the discriminator, the final frontal face is synthesized by the second generator. To reduce the model complexity, FM-GAN only encodes the original image once through a pre-trained network, and the extracted features are shared by the two decoders. In addition, the first generator simultaneously produces the upper and lower parts of a face by the same encoder. Therefore, only the parameters of two decoders and one discriminator are required to be updated during the training process. The experimental results show that the frontal faces synthesized by our model can better preserve the facial identity and photorealistic than by some existing GANs.

Qirui Bao,Haiyang Mei,Huilin Wei,Zheng Lü,Yuxin Wang,Xin Yang

DOI: https://doi.org/10.1007/s12204-023-2692-x

2024-01-01

Journal of Shanghai Jiaotong University (Science)

Abstract:Deep neural networks, especially face recognition models, have been shown to be vulnerable to adversarial examples. However, existing attack methods for face recognition systems either cannot attack black-box models, are not universal, have cumbersome deployment processes, or lack camouflage and are easily detected by the human eye. In this paper, we propose an adversarial pattern generation method for face recognition and achieve universal black-box attacks by pasting the pattern on the frame of goggles. To achieve visual camouflage, we use a generative adversarial network (GAN). The scale of the generative network of GAN is increased to balance the performance conflict between concealment and adversarial behavior, the perceptual loss function based on VGG19 is used to constrain the color style and enhance GAN’s learning ability, and the fine-grained meta-learning adversarial attack strategy is used to carry out black-box attacks. Sufficient visualization results demonstrate that compared with existing methods, the proposed method can generate samples with camouflage and adversarial characteristics. Meanwhile, extensive quantitative experiments show that the generated samples have a high attack success rate against black-box models.

Qian Wang,Yongqin Xian,Hefei Ling,Jinyuan Zhang,Xiaorui Lin,Ping Li,Jiazhong Chen,Ning Yu

2023-05-04

Abstract:Adversarial attacks aim to disturb the functionality of a target system by adding specific noise to the input samples, bringing potential threats to security and robustness when applied to facial recognition systems. Although existing defense techniques achieve high accuracy in detecting some specific adversarial faces (adv-faces), new attack methods especially GAN-based attacks with completely different noise patterns circumvent them and reach a higher attack success rate. Even worse, existing techniques require attack data before implementing the defense, making it impractical to defend newly emerging attacks that are unseen to defenders. In this paper, we investigate the intrinsic generality of adv-faces and propose to generate pseudo adv-faces by perturbing real faces with three heuristically designed noise patterns. We are the first to train an adv-face detector using only real faces and their self-perturbations, agnostic to victim facial recognition systems, and agnostic to unseen attacks. By regarding adv-faces as out-of-distribution data, we then naturally introduce a novel cascaded system for adv-face detection, which consists of training data self-perturbations, decision boundary regularization, and a max-pooling-based binary classifier focusing on abnormal local color aberrations. Experiments conducted on LFW and CelebA-HQ datasets with eight gradient-based and two GAN-based attacks validate that our method generalizes to a variety of unseen adversarial attacks.

Computer Vision and Pattern Recognition,Artificial Intelligence

Zihao Xiao,Xianfeng Gao,Chilin Fu,Yinpeng Dong,Wei Gao,Xiaolu Zhang,Jun Zhou,Jun Zhu

DOI: https://doi.org/10.1109/CVPR46437.2021.01167

2021-01-01

Abstract:Face recognition is greatly improved by deep convolutional neural networks (CNNs). Recently, these face recognition models have been used for identity authentication in security sensitive applications. However, deep CNNs are vulnerable to adversarial patches, which are physically realizable and stealthy, raising new security concerns on the real-world applications of these models. In this paper, we evaluate the robustness of face recognition models using adversarial patches based on transferability, where the attacker has limited accessibility to the target models. First, we extend the existing transfer-based attack techniques to generate transferable adversarial patches. However, we observe that the transferability is sensitive to initialization and degrades when the perturbation magnitude is large, indicating the overfitting to the substitute models. Second, we propose to regularize the adversarial patches on the low dimensional data manifold. The manifold is represented by generative models pre-trained on legitimate human face images. Using face-like features as adversarial perturbations through optimization on the manifold, we show that the gaps between the responses of substitute models and the target models dramatically decrease, exhibiting a better transferability. Extensive digital world experiments are conducted to demonstrate the superiority of the proposed method in the black-box setting. We apply the proposed method in the physical world as well.