Yaoyao Zhong,Weihong Deng

DOI: https://doi.org/10.1109/tifs.2020.3036801

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Face recognition has achieved great success in the last five years due to the development of deep learning methods. However, deep convolutional neural networks (DCNNs) have been found to be vulnerable to adversarial examples. In particular, the existence of transferable adversarial examples can severely hinder the robustness of DCNNs since this type of attacks can be applied in a fully black-box manner without queries on the target system. In this work, we first investigate the characteristics of transferable adversarial attacks in face recognition by showing the superiority of feature-level methods over label-level methods. Then, to further improve transferability of feature-level adversarial examples, we propose DFANet, a dropout-based method used in convolutional layers, which can increase the diversity of surrogate models and obtain ensemble-like effects. Extensive experiments on state-of-the-art face models with various training databases, loss functions and network architectures show that the proposed method can significantly enhance the transferability of existing attack methods. Finally, by applying DFANet to the LFW database, we generate a new set of adversarial face pairs that can successfully attack four commercial APIs without any queries. This TALFW database is available to facilitate research on the robustness and defense of deep face recognition.

computer science, theory & methods,engineering, electrical & electronic

Pengfei Xie,Shuhao Shi,Shuai Yang,Kai Qiao,Ningning Liang,Linyuan Wang,Jian Chen,Guoen Hu,Bin Yan

DOI: https://doi.org/10.3389/fnbot.2021.784053

IF: 3.493

2021-01-01

Frontiers in Neurorobotics

Abstract:Deep neural networks (DNNs) are proven vulnerable to attack against adversarial examples. Black-box transfer attacks pose a massive threat to AI applications without accessing target models. At present, the most effective black-box attack methods mainly adopt data enhancement methods, such as input transformation. Previous data enhancement frameworks only work on input transformations that satisfy accuracy or loss invariance. However, it does not work for other transformations that do not meet the above conditions, such as the transformation which will lose information. To solve this problem, we propose a new noise data enhancement framework (NDEF), which only transforms adversarial perturbation to avoid the above issues effectively. In addition, we introduce random erasing under this framework to prevent the over-fitting of adversarial examples. Experimental results show that the black-box attack success rate of our method Random Erasing Iterative Fast Gradient Sign Method (REI-FGSM) is 4.2% higher than DI-FGSM in six models on average and 6.6% higher than DI-FGSM in three defense models. REI-FGSM can combine with other methods to achieve excellent performance. The attack performance of SI-FGSM can be improved by 22.9% on average when combined with REI-FGSM. Besides, our combined version with DI-TI-MI-FGSM, i.e., DI-TI-MI-REI-FGSM can achieve an average attack success rate of 97.0% against three ensemble adversarial training models, which is greater than the current gradient iterative attack method. We also introduce Gaussian blur to prove the compatibility of our framework.

Cong Hu,Yuanbo Li,Zhenhua Feng,Xiaojun Wu

DOI: https://doi.org/10.1109/tifs.2024.3402167

IF: 7.231

2024-05-25

IEEE Transactions on Information Forensics and Security

Abstract:Modern face recognition systems widely use deep convolutional neural networks (DCNNs). However, DCNNs are susceptible to adversarial examples, posing security risks to these systems. Transferable adversarial examples that can be transferred from surrogate to target models greatly undermine the robustness of DCNNs. Numerous attempts have been made to generate transferable adversarial examples, but the existing methods often suffer from limited transferability or produce adversarial examples with poor image perceptual quality. Recently, diffusion models have shown remarkable success in image generation and have excelled in various downstream tasks. However, their potential in adversarial attacks remains largely unexplored. To bridge this gap, we propose a novel approach, namely Adversarial Diffusion Attack (ADA), in generation of transferable adversarial facial examples. ADA employs a dynamic game-like strategy between injection and denoising that progressively reinforces the robustness of adversarial perturbation in the reverse process of diffusion model. Additionally, both adversarial perturbation and residual image are embedded to drift benign distribution towards adversarial distribution, crafting adversarial examples with high image quality. Extensive experimental results obtained on two benchmarking datasets, LFW and CelebA-HQ, demonstrate that ADA achieves higher attack success rates and produces adversarial examples with superior image quality compared to the state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic

Fengfan Zhou,Hefei Ling,Yuxuan Shi,Jiazhong Chen,Zongyi Li,Ping Li

DOI: https://doi.org/10.1109/tcss.2023.3291565

2023-01-01

IEEE Transactions on Computational Social Systems

Abstract:Face recognition (FR) models can be easily fooled by adversarial examples, which are crafted by adding imperceptible perturbations on benign face images. The existence of adversarial face examples poses a great threat to the security of society. To build a more sustainable digital nation, in this article, we improve the transferability of adversarial face examples to expose more blind spots of the existing FR models. Though generating hard samples has shown its effectiveness in improving the generalization of models in training tasks, the effectiveness of using this idea to improve the transferability of adversarial face examples remains unexplored. To this end, based on the property of hard samples and the symmetry between training tasks and adversarial attack tasks, we propose the concept of hard models, which have similar effects as hard samples for adversarial attack tasks. Using the concept of hard models, we propose a novel attack method called beneficial perturbation feature augmentation attack (BPFA), which reduces the overfitting of adversarial examples to surrogate FR models by constantly generating new hard models to craft the adversarial examples. Specifically, in the backpropagation, BPFA records the gradients on preselected feature maps and uses the gradient on the input image to craft the adversarial example. In the next forward propagation, BPFA leverages the recorded gradients to add beneficial perturbations on their corresponding feature maps to increase the loss. Extensive experiments demonstrate that BPFA can significantly boost the transferability of adversarial attacks on FR.

Haijing Guo,Jiafeng Wang,Zhaoyu Chen,Kaixun Jiang,Lingyi Hong,Pinxue Guo,Jinglun Li,Wenqiang Zhang

2024-08-11

Abstract:Deep neural networks (DNNs) are known to be susceptible to adversarial examples, leading to significant performance degradation. In black-box attack scenarios, a considerable attack performance gap between the surrogate model and the target model persists. This work focuses on enhancing the transferability of adversarial examples to narrow this performance gap. We observe that the gradient information around the clean image, i.e. Neighbourhood Gradient Information, can offer high transferability. Leveraging this, we propose the NGI-Attack, which incorporates Example Backtracking and Multiplex Mask strategies, to use this gradient information and enhance transferability fully. Specifically, we first adopt Example Backtracking to accumulate Neighbourhood Gradient Information as the initial momentum term. Multiplex Mask, which forms a multi-way attack strategy, aims to force the network to focus on non-discriminative regions, which can obtain richer gradient information during only a few iterations. Extensive experiments demonstrate that our approach significantly enhances adversarial transferability. Especially, when attacking numerous defense models, we achieve an average attack success rate of 95.8%. Notably, our method can plugin with any off-the-shelf algorithm to improve their attack performance without additional time cost.

Computer Vision and Pattern Recognition,Cryptography and Security

Jiefang Kong,Huabin Wang,Jiacheng Zhou,Liang Tao,Jingjing Zhang

DOI: https://doi.org/10.1109/icsip61881.2024.10671427

2024-01-01

Abstract:In recent years, deep learning techniques have achieved significant success in many computer vision tasks. However, security concerns have increased as adversarial attacks have discovered potential vulnerabilities in deep learning-based systems. Therefore, a large number of adversarial defense strategies have been developed to improve the security and robustness of FR systems. Introducing an auxiliary model for the face recognition model to enhance the system security is a common approach for adversarial defense which the adversarial examples generated using one model are unlikely to pass when another model is chosen. Second, one of the challenges of face recognition (FR) attacks is that currently the targeted face recognition models are black-box in nature, i.e., the attacker does not have access to their internal relevant parameters and gradient information. As a result, the mobility of samples is poor and the attack performance is low, especially for online commercial FR systems. Therefore, this paper proposes a similarity-based shared gradient adversarial attack algorithm to improve the sample mobility. From the perspective of multi-tasking, the algorithm selects the alternative model (AR) as the auxiliary model, develops a multi-task local optimization strategy and a cross-task gradient mapping strategy, and constructs a mapping mechanism between the two models to share the gradient information, which facilitates weighted fusion of the generated perturbations and avoids the oscillations caused by different models due to the differences in gradients and parameters, thus improves the generalization ability, and makes the generated adversarial examples more efficient. Thus, the generated adversarial examples can attack multiple models at the same time, which greatly improves the transferability and robustness of the adversarial samples, and greatly improves the attacking power. A large number of experiments show that the success rate has been greatly improved.

Xiaoliang Liu,Furao Shen,Feng Han,Jian Zhao,Changhai Nie

DOI: https://doi.org/10.2139/ssrn.4730221

2023-01-01

Abstract:Face recognition (FR) technology plays a crucial role in various applications, but its vulnerability to adversarial attacks poses significant security concerns. Existing research primarily focuses on transferability to different FR models, overlooking the direct transferability to victim's face images, which is a practical threat in real-world scenarios. In this study, we propose a novel adversarial attack method that considers both the transferability to the FR model and the victim's face image, called NeRFTAP. Leveraging NeRF-based 3D-GAN, we generate new view face images for the source and target subjects to enhance transferability of adversarial patches. We introduce a style consistency loss to ensure the visual similarity between the adversarial UV map and the target UV map under a 0-1 mask, enhancing the effectiveness and naturalness of the generated adversarial face images. Extensive experiments and evaluations on various FR models demonstrate the superiority of our approach over existing attack techniques. Our work provides valuable insights for enhancing the robustness of FR systems in practical adversarial settings.

Guoqiu Wang,Huanqian Yan,Ying Guo,Xingxing Wei

DOI: https://doi.org/10.48550/arxiv.2105.04834

2021-01-01

Abstract: Deep neural networks are vulnerable to adversarial examples, which are crafted by adding human-imperceptible perturbations to original images. Most existing adversarial attack methods achieve nearly 100% attack success rates under the white-box setting, but only achieve relatively low attack success rates under the black-box setting. To improve the transferability of adversarial examples for the black-box setting, several methods have been proposed, e.g., input diversity, translation-invariant attack, and momentum-based attack. In this paper, we propose a method named Gradient Refining, which can further improve the adversarial transferability by correcting useless gradients introduced by input diversity through multiple transformations. Our method is generally applicable to many gradient-based attack methods combined with input diversity. Extensive experiments are conducted on the ImageNet dataset and our method can achieve an average transfer success rate of 82.07% for three different models under single-model setting, which outperforms the other state-of-the-art methods by a large margin of 6.0% averagely. And we have applied the proposed method to the competition CVPR 2021 Unrestricted Adversarial Attacks on ImageNet organized by Alibaba and won the second place in attack success rates among 1558 teams.

Fengfan Zhou,Bangjie Yin,Hefei Ling,Qianyu Zhou,Wenxuan Wang

2024-11-23

Abstract:Face Recognition (FR) models are vulnerable to adversarial examples that subtly manipulate benign face images, underscoring the urgent need to improve the transferability of adversarial attacks in order to expose the blind spots of these systems. Existing adversarial attack methods often overlook the potential benefits of augmenting the surrogate model with diverse initializations, which limits the transferability of the generated adversarial examples. To address this gap, we propose a novel method called Diverse Parameters Augmentation (DPA) attack method, which enhances surrogate models by incorporating diverse parameter initializations, resulting in a broader and more diverse set of surrogate models. Specifically, DPA consists of two key stages: Diverse Parameters Optimization (DPO) and Hard Model Aggregation (HMA). In the DPO stage, we initialize the parameters of the surrogate model using both pre-trained and random parameters. Subsequently, we save the models in the intermediate training process to obtain a diverse set of surrogate models. During the HMA stage, we enhance the feature maps of the diversified surrogate models by incorporating beneficial perturbations, thereby further improving the transferability. Experimental results demonstrate that our proposed attack method can effectively enhance the transferability of the crafted adversarial face examples.

Computer Vision and Pattern Recognition

Shehzeen Hussain,Todd Huster,Chris Mesterharm,Paarth Neekhara,Kevin An,Malhar Jere,Harshvardhan Sikka,Farinaz Koushanfar

DOI: https://doi.org/10.48550/arXiv.2206.04783

2022-06-09

Computer Vision and Pattern Recognition

Abstract:Deep neural network based face recognition models have been shown to be vulnerable to adversarial examples. However, many of the past attacks require the adversary to solve an input-dependent optimization problem using gradient descent which makes the attack impractical in real-time. These adversarial examples are also tightly coupled to the attacked model and are not as successful in transferring to different models. In this work, we propose ReFace, a real-time, highly-transferable attack on face recognition models based on Adversarial Transformation Networks (ATNs). ATNs model adversarial example generation as a feed-forward neural network. We find that the white-box attack success rate of a pure U-Net ATN falls substantially short of gradient-based attacks like PGD on large face recognition datasets. We therefore propose a new architecture for ATNs that closes this gap while maintaining a 10000x speedup over PGD. Furthermore, we find that at a given perturbation magnitude, our ATN adversarial perturbations are more effective in transferring to new face recognition models than PGD. ReFace attacks can successfully deceive commercial face recognition services in a transfer attack setting and reduce face identification accuracy from 82% to 16.4% for AWS SearchFaces API and Azure face verification accuracy from 91% to 50.1%.

Han Qiu,Yi Zeng,Qinkai Zheng,Tianwei Zhang,Meikang Qiu,G. Memmi

2020-01-01

Abstract:Deep Neural Networks (DNNs) are well-known to be vulnerable to Adversarial Examples (AEs). A large amount of efforts have been spent to launch and heat the arms race between the attackers and defenders. Recently, advanced gradient-based attack techniques were proposed (e.g., BPDA and EOT), which have defeated a considerable number of existing defense methods. Up to today, there are still no satisfactory solutions that can effectively and efficiently defend against those attacks. In this paper, we make a steady step towards mitigating those advanced gradient-based attacks with two major contributions. First, we perform an in-depth analysis about the root causes of those attacks, and propose four properties that can break the fundamental assumptions of those attacks. Second, we identify a set of operations that can meet those properties. By integrating these operations, we design two preprocessing functions that can invalidate these powerful attacks. Extensive evaluations indicate that our solutions can effectively mitigate all existing standard and advanced attack techniques, and beat 11 state-of-the-art defense solutions published in top-tier conferences over the past 2 years. The defender can employ our solutions to constrain the attack success rate below 7% for the strongest attacks even the adversary has spent dozens of GPU hours.

Zexin Li,Bangjie Yin,Taiping Yao,Juefeng Guo,Shouhong Ding,Simin Chen,Cong Liu

DOI: https://doi.org/10.48550/arXiv.2303.12512

2023-03-22

Computer Vision and Pattern Recognition

Abstract:A hard challenge in developing practical face recognition (FR) attacks is due to the black-box nature of the target FR model, i.e., inaccessible gradient and parameter information to attackers. While recent research took an important step towards attacking black-box FR models through leveraging transferability, their performance is still limited, especially against online commercial FR systems that can be pessimistic (e.g., a less than 50% ASR--attack success rate on average). Motivated by this, we present Sibling-Attack, a new FR attack technique for the first time explores a novel multi-task perspective (i.e., leveraging extra information from multi-correlated tasks to boost attacking transferability). Intuitively, Sibling-Attack selects a set of tasks correlated with FR and picks the Attribute Recognition (AR) task as the task used in Sibling-Attack based on theoretical and quantitative analysis. Sibling-Attack then develops an optimization framework that fuses adversarial gradient information through (1) constraining the cross-task features to be under the same space, (2) a joint-task meta optimization framework that enhances the gradient compatibility among tasks, and (3) a cross-task gradient stabilization method which mitigates the oscillation effect during attacking. Extensive experiments demonstrate that Sibling-Attack outperforms state-of-the-art FR attack techniques by a non-trivial margin, boosting ASR by 12.61% and 55.77% on average on state-of-the-art pre-trained FR models and two well-known, widely used commercial FR systems.

Lei Wu,Zhanxing Zhu,Cheng Tai,E Weinan

2018-01-01

Abstract:Deep neural networks provide state-of-the-art performance for many applications of interest. Unfortunately they are known to be vulnerable to adversarial examples, formed by applying small but malicious perturbations to the original inputs. Moreover, the perturbations can transfer across models: adversarial examples generated for a specific model will often mislead other unseen models. Consequently the adversary can leverage it to attack against the deployed black-box systems. In this work, we demonstrate that the adversarial perturbation can be decomposed into two components: model-specific and data-dependent one, and it is the latter that mainly contributes to the transferability. Motivated by this understanding, we propose to craft adversarial examples by utilizing the noise reduced gradient (NRG) which approximates the data-dependent component. Experiments on various classification models trained on ImageNet demonstrates that the new approach enhances the transferability dramatically. We also find that low-capacity models have more powerful attack capability than high-capacity counterparts, under the condition that they have comparable test performance. These insights give rise to a principled manner to construct adversarial examples with high success rates and could potentially provide us guidance for designing effective defense approaches against black-box attacks.

Fengfan Zhou,Qianyu Zhou,Bangjie Yin,Hui Zheng,Xuequan Lu,Lizhuang Ma,Hefei Ling

DOI: https://doi.org/10.1145/3664647.3681440

2024-08-18

Abstract:Face Recognition (FR) systems can be easily deceived by adversarial examples that manipulate benign face images through imperceptible perturbations. Adversarial attacks on FR encompass two types: impersonation (targeted) attacks and dodging (untargeted) attacks. Previous methods often achieve a successful impersonation attack on FR, however, it does not necessarily guarantee a successful dodging attack on FR in the black-box setting. In this paper, our key insight is that the generation of adversarial examples should perform both impersonation and dodging attacks simultaneously. To this end, we propose a novel attack method termed as Adversarial Pruning (Adv-Pruning), to fine-tune existing adversarial examples to enhance their dodging capabilities while preserving their impersonation capabilities. Adv-Pruning consists of Priming, Pruning, and Restoration stages. Concretely, we propose Adversarial Priority Quantification to measure the region-wise priority of original adversarial perturbations, identifying and releasing those with minimal impact on absolute model output variances. Then, Biased Gradient Adaptation is presented to adapt the adversarial examples to traverse the decision boundaries of both the attacker and victim by adding perturbations favoring dodging attacks on the vacated regions, preserving the prioritized features of the original perturbations while boosting dodging performance. As a result, we can maintain the impersonation capabilities of original adversarial examples while effectively enhancing dodging capabilities. Comprehensive experiments demonstrate the superiority of our method compared with state-of-the-art adversarial attack methods.

Computer Vision and Pattern Recognition,Machine Learning

Qiu Han,Zeng Yi,Zheng Qinkai,Zhang Tianwei,Qiu Meikang,Memmi Gerard

DOI: https://doi.org/10.48550/arxiv.2005.13712

2020-01-01

Abstract: Deep Neural Networks (DNNs) are well-known to be vulnerable to Adversarial Examples (AEs). A large amount of efforts have been spent to launch and heat the arms race between the attackers and defenders. Recently, advanced gradient-based attack techniques were proposed (e.g., BPDA and EOT), which have defeated a considerable number of existing defense methods. Up to today, there are still no satisfactory solutions that can effectively and efficiently defend against those attacks. In this paper, we make a steady step towards mitigating those advanced gradient-based attacks with two major contributions. First, we perform an in-depth analysis about the root causes of those attacks, and propose four properties that can break the fundamental assumptions of those attacks. Second, we identify a set of operations that can meet those properties. By integrating these operations, we design two preprocessing functions that can invalidate these powerful attacks. Extensive evaluations indicate that our solutions can effectively mitigate all existing standard and advanced attack techniques, and beat 11 state-of-the-art defense solutions published in top-tier conferences over the past 2 years. The defender can employ our solutions to constrain the attack success rate below 7% for the strongest attacks even the adversary has spent dozens of GPU hours.

Yasmeen M. Khedr,Xin Liu,Kun He

DOI: https://doi.org/10.1016/j.imavis.2024.105022

IF: 3.86

2024-01-01

Image and Vision Computing

Abstract:The main challenge in deceiving face recognition (FR) models lies in the target model under the black-box setting. Existing works seek to generate adversarial examples to improve the adversarial transferability for black-box attacks. However, the attack performance and quality of the crafted image still have room for improvement. In this work, we propose a novel method called TransMix to improve the transferability of adversarial face examples based on data augmentation. Our approach leverages the mixture of the original image with a mixed sample image that is randomly mixed using images from different identities or the same identities, incorporating information from diverse categories. Then, we perform random transformations N times to create diverse input patterns, exploiting the gradient from various images and other identities in the same iteration. Extensive experiments conducted on the CelebA dataset demonstrate that TransMix achieves a significantly higher attack success rate against different FR models and Vision Transformers (ViTs), outperforming the best competitor by a large margin of 5.6% and 8.8% when attacking the ViTs using adversarial images generated on the ArcFace model. Our results also confirm that adversarial examples crafted by TransMix exhibit good adversarial transferability against defense models, achieving an attack success rate of 52.3% on the Bit-Red model.

Yinpeng Dong,Tianyu Pang,Hang Su,Jun Zhu

DOI: https://doi.org/10.1109/cvpr.2019.00444

2019-06-01

Abstract:Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, making black-box attacks feasible in real-world applications. Due to the threat of adversarial attacks, many methods have been proposed to improve the robustness. Several state-of-the-art defenses are shown to be robust against transferable adversarial examples. In this paper, we propose a translation-invariant attack method to generate more transferable adversarial examples against the defense models. By optimizing a perturbation over an ensemble of translated images, the generated adversarial example is less sensitive to the white-box model being attacked and has better transferability. To improve the efficiency of attacks, we further show that our method can be implemented by convolving the gradient at the untranslated image with a pre-defined kernel. Our method is generally applicable to any gradient-based attack method. Extensive experiments on the ImageNet dataset validate the effectiveness of the proposed method. Our best attack fools eight state-of-the-art defenses at an 82% success rate on average based only on the transferability, demonstrating the insecurity of the current defense techniques.

Minghui Li,Jiangxiong Wang,Hao Zhang,Ziqi Zhou,Shengshan Hu,Xiaobing Pei

2024-07-18

Abstract:The success of deep face recognition (FR) systems has raised serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Previous studies proposed introducing imperceptible adversarial noises into face images to deceive those face recognition models, thus achieving the goal of enhancing facial privacy protection. Nevertheless, they heavily rely on user-chosen references to guide the generation of adversarial noises, and cannot simultaneously construct natural and highly transferable adversarial face images in black-box scenarios. In light of this, we present a novel face privacy protection scheme with improved transferability while maintain high visual quality. We propose shaping the entire face space directly instead of exploiting one kind of facial characteristic like makeup information to integrate adversarial noises. To achieve this goal, we first exploit global adversarial latent search to traverse the latent space of the generative model, thereby creating natural adversarial face images with high transferability. We then introduce a key landmark regularization module to preserve the visual identity information. Finally, we investigate the impacts of various kinds of latent spaces and find that $\mathcal{F}$ latent space benefits the trade-off between visual naturalness and adversarial transferability. Extensive experiments over two datasets demonstrate that our approach significantly enhances attack transferability while maintaining high visual quality, outperforming state-of-the-art methods by an average 25% improvement in deep FR models and 10% improvement on commercial FR APIs, including Face++, Aliyun, and Tencent.

Computer Vision and Pattern Recognition,Artificial Intelligence

Bowen Sun,Hang Su,Shibao Zheng

DOI: https://doi.org/10.1007/s00521-024-09543-y

2024-01-01

Neural Computing and Applications

Abstract:Deep neural network (DNN)-based face recognition has shown impressive performance in verification; however, recent studies reveal a vulnerability in deep face recognition algorithms, making them susceptible to adversarial attacks. Specifically, these attacks can be executed in a black-box manner with limited knowledge about the target network. While this characteristic is practically significant due to hidden model details in reality, it presents challenges such as high query budgets and low success rates. To improve the performance of attacks, we establish the whole framework through affine-invariant training, serving as a substitute for inefficient sampling. We also propose AI-block—a novel module that enhances transferability by introducing generalized priors. Generalization is achieved by creating priors with stable features when sampled over affine transformations. These priors guide attacks, improving efficiency and performance in black-box scenarios. The conversion via AI-block enables the transfer gradients of a surrogate model to be used as effective priors for estimating the gradients of a black-box model. Our method leverages this enhanced transferability to boost both transfer-based and query-based attacks. Extensive experiments conducted on 5 commonly utilized databases and 7 widely employed face recognition models demonstrate a significant improvement of up to 11.9 percentage points in success rates while maintaining comparable or even reduced query times.

Yigit Alparslan,Ken Alparslan,Jeremy Keim-Shenk,Shweta Khade,Rachel Greenstadt

DOI: https://doi.org/10.48550/arXiv.2001.11137

IF: 5.414

2020-01-30

Machine Learning

Abstract:Numerous recent studies have demonstrated how Deep Neural Network (DNN) classifiers can be fooled by adversarial examples, in which an attacker adds perturbations to an original sample, causing the classifier to misclassify the sample. Adversarial attacks that render DNNs vulnerable in real life represent a serious threat in autonomous vehicles, malware filters, or biometric authentication systems. In this paper, we apply Fast Gradient Sign Method to introduce perturbations to a facial image dataset and then test the output on a different classifier that we trained ourselves, to analyze transferability of this method. Next, we craft a variety of different black-box attack algorithms on a facial image dataset assuming minimal adversarial knowledge, to further assess the robustness of DNNs in facial recognition. While experimenting with different image distortion techniques, we focus on modifying single optimal pixels by a large amount, or modifying all pixels by a smaller amount, or combining these two attack approaches. While our single-pixel attacks achieved about a 15% average decrease in classifier confidence level for the actual class, the all-pixel attacks were more successful and achieved up to an 84% average decrease in confidence, along with an 81.6% misclassification rate, in the case of the attack that we tested with the highest levels of perturbation. Even with these high levels of perturbation, the face images remained identifiable to a human. Understanding how these noised and perturbed images baffle the classification algorithms can yield valuable advances in the training of DNNs against defense-aware adversarial attacks, as well as adaptive noise reduction techniques. We hope our research may help to advance the study of adversarial attacks on DNNs and defensive mechanisms to counteract them, particularly in the facial recognition domain.