Qian Wang,Yongqin Xian,Hefei Ling,Jinyuan Zhang,Xiaorui Lin,Ping Li,Jiazhong Chen,Ning Yu

2023-05-04

Abstract:Adversarial attacks aim to disturb the functionality of a target system by adding specific noise to the input samples, bringing potential threats to security and robustness when applied to facial recognition systems. Although existing defense techniques achieve high accuracy in detecting some specific adversarial faces (adv-faces), new attack methods especially GAN-based attacks with completely different noise patterns circumvent them and reach a higher attack success rate. Even worse, existing techniques require attack data before implementing the defense, making it impractical to defend newly emerging attacks that are unseen to defenders. In this paper, we investigate the intrinsic generality of adv-faces and propose to generate pseudo adv-faces by perturbing real faces with three heuristically designed noise patterns. We are the first to train an adv-face detector using only real faces and their self-perturbations, agnostic to victim facial recognition systems, and agnostic to unseen attacks. By regarding adv-faces as out-of-distribution data, we then naturally introduce a novel cascaded system for adv-face detection, which consists of training data self-perturbations, decision boundary regularization, and a max-pooling-based binary classifier focusing on abnormal local color aberrations. Experiments conducted on LFW and CelebA-HQ datasets with eight gradient-based and two GAN-based attacks validate that our method generalizes to a variety of unseen adversarial attacks.

Computer Vision and Pattern Recognition,Artificial Intelligence

Haonan Chen,Yaowu Chen,Xiang Tian,Rongxin Jiang

DOI: https://doi.org/10.1109/access.2019.2955383

IF: 3.9

2019-01-01

IEEE Access

Abstract:In consideration of secure and convenient, face gains increasing attention in variety of fields during the past decades. Since human face is most accessible from our daily life and preserves the richest information, face based biometric systems are widely used in person authentication applications. However, face recognition systems are always challenged by face spoofing attacks. Although, researchers have proposed many face spoofing detection methods, which have achieved great performances, we aim to develop a method to counter face spoofing, which combines the face detection stage and face spoofing detection stage together. In this paper, we design face anti-spoofing region-based convolutional neural network (FARCNN), based on improved Faster region-based convolutional neural network (R-CNN) framework. Motivated by face detection, we regard the face spoofing detection as a three-way classification to distinguish real face, fake face and background. We extend the typical Faster R-CNN scheme by optimizing several important strategies, including roi-pooling feature fusion and adding Crystal Loss function to the original multi-task loss function. In addition, an improved Retinex based LBP is presented to handle the different illumination conditions in face spoofing detection. Finally, these two detectors are further cascaded and achieve promising performances on the benchmark databases: CASIA-FASD, REPLAY-ATTACK and OULU-NPU. Besides, for the purpose of verifying the generalization capacity of the proposed cascade detector, we perform experiments on cross-databases and the results testify the effectiveness of our proposed method.

Jiawei Chen,Xiao Yang,Heng Yin,Mingzhi Ma,Bihui Chen,Jianteng Peng,Yandong Guo,Zhaoxia Yin,Hang Su

DOI: https://doi.org/10.1016/j.cviu.2023.103779

2023-08-04

Abstract:Ensuring the reliability of face recognition systems against presentation attacks necessitates the deployment of face anti-spoofing techniques. Despite considerable advancements in this domain, the ability of even the most state-of-the-art methods to defend against adversarial examples remains elusive. While several adversarial defense strategies have been proposed, they typically suffer from constrained practicability due to inevitable trade-offs between universality, effectiveness, and efficiency. To overcome these challenges, we thoroughly delve into the coupled relationship between adversarial detection and face anti-spoofing. Based on this, we propose a robust face anti-spoofing framework, namely AdvFAS, that leverages two coupled scores to accurately distinguish between correctly detected and wrongly detected face images. Extensive experiments demonstrate the effectiveness of our framework in a variety of settings, including different attacks, datasets, and backbones, meanwhile enjoying high accuracy on clean examples. Moreover, we successfully apply the proposed method to detect real-world adversarial examples.

Computer Vision and Pattern Recognition,Artificial Intelligence

Ren-Hung Hwang,Jia-You Lin,Sun-Ying Hsieh,Hsuan-Yu Lin,Chia-Liang Lin

DOI: https://doi.org/10.3390/s23020853

IF: 3.9

2023-01-12

Sensors

Abstract:Deep learning technology has developed rapidly in recent years and has been successfully applied in many fields, including face recognition. Face recognition is used in many scenarios nowadays, including security control systems, access control management, health and safety management, employee attendance monitoring, automatic border control, and face scan payment. However, deep learning models are vulnerable to adversarial attacks conducted by perturbing probe images to generate adversarial examples, or using adversarial patches to generate well-designed perturbations in specific regions of the image. Most previous studies on adversarial attacks assume that the attacker hacks into the system and knows the architecture and parameters behind the deep learning model. In other words, the attacked model is a white box. However, this scenario is unrepresentative of most real-world adversarial attacks. Consequently, the present study assumes the face recognition system to be a black box, over which the attacker has no control. A Generative Adversarial Network method is proposed for generating adversarial patches to carry out dodging and impersonation attacks on the targeted face recognition system. The experimental results show that the proposed method yields a higher attack success rate than previous works.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jiazhi Guan,Yi Zhao,Zhuoer Xu,Changhua Meng,Ke Xu,Youjian Zhao

DOI: https://doi.org/10.1609/aaai.v38i1.27762

2024-01-01

Abstract:The non-consensual exploitation of facial manipulation has emerged as a pressing societal concern. In tandem with the identification of such fake content, recent research endeavors have advocated countering manipulation techniques through proactive interventions, specifically the incorporation of adversarial noise to impede the manipulation in advance. Nevertheless, with insufficient consideration of robustness, we show that current methods falter in providing protection after simple perturbations, e.g., blur. In addition, traditional optimization-based methods face limitations in scalability as they struggle to accommodate the substantial expansion of data volume, a consequence of the time-intensive iterative pipeline. To solve these challenges, we propose a learning-based model, Adversarial Robust Safeguard (ARS), to generate desirable protection noise in a single forward process, concurrently exhibiting a heightened resistance against prevalent perturbations. Specifically, our method involves a two-way protection design, characterized by a basic protection component responsible for generating efficacious noise features, coupled with robust protection for further enhancement. In robust protection, we first fuse image features with spatially duplicated noise embedding, thereby accounting for inherent information redundancy. Subsequently, a combination comprising a differentiable perturbation module and an adversarial network is devised to simulate potential information degradation during the training process. To evaluate it, we conduct experiments on four manipulation methods and compare recent works comprehensively. The results of our method exhibit good visual effects with pronounced robustness against varied perturbations at different levels.

Jiaming Zhang,Qi Yi,Dongyuan Lu,Jitao Sang

2023-09-03

Abstract:In light of the growing concerns regarding the unauthorized use of facial recognition systems and its implications on individual privacy, the exploration of adversarial perturbations as a potential countermeasure has gained traction. However, challenges arise in effectively deploying this approach against unauthorized facial recognition systems due to the effects of JPEG compression on image distribution across the internet, which ultimately diminishes the efficacy of adversarial perturbations. Existing JPEG compression-resistant techniques struggle to strike a balance between resistance, transferability, and attack potency. To address these limitations, we propose a novel solution referred to as \emph{low frequency adversarial perturbation} (LFAP). This method conditions the source model to leverage low-frequency characteristics through adversarial training. To further enhance the performance, we introduce an improved \emph{low-mid frequency adversarial perturbation} (LMFAP) that incorporates mid-frequency components for an additive benefit. Our study encompasses a range of settings to replicate genuine application scenarios, including cross backbones, supervisory heads, training datasets, and testing datasets. Moreover, we evaluated our approaches on a commercial black-box API, \texttt{Face++}. The empirical results validate the cutting-edge performance achieved by our proposed solutions.

Computer Vision and Pattern Recognition,Image and Video Processing

CAI Chuxin,WANG Yufei,ZHANG Liepiao,ZHUO Sichao,ZHANG Juanmiao,HU Yongjian

DOI: https://doi.org/10.19363/J.cnki.cn10-1380/tn.2023.03.10

2023-01-01

Journal of Cyber Security

Abstract:Adversarial attacks exhibit both potential insecurity of face recognition systems and the way of performing attacks. Most current adversarial attacks on face recognition systems are carried out in digital domain. However, based on the recent reports in literature, more and more studies begin to concern about how to put the physical patches containing adversarial noise on human face and its neighboring regions, for example, eyeglass framework, paper sticker, and cap, so as to implement adversarial attacks in physical domain. Such a new type of attacks can easily break through most of current living face detection systems and thus affect the decision of face recognition systems. Although there are a few methods proposed for the generation of adversarial samples in digital domain, it is not easy or cheap to realize those methods in physical domain. This paper proposes a method of generating adversarial attack in digital domain which can be readily extended to physical domain. By adding adversarial perturbation of special shapes into an original face sample, we can fool the face recognition system and make it regard the face as someone else’s face（i.e., dodging attack） or a specific person’s face（i.e., impersonation attack）. The major contributions of this paper include: First, we propose a method of using the face landmarks to construct a specific shape mask of the adversarial perturbation for individual face. Second, we design the adversarial loss function to train the generator to produce digital samples. Third, we design the printing score loss function to reduce the color difference between display and printer so as to reproduce those samples in physical domain.We improve the quality of adversarial samples by means of data enhancement which aims at simulating the way of wearing eyeglasses, illumination variations and other situations in real-world applications. Experimental results show that the proposed method can attack the face recognition system VggFace10 in a high success rate in digital domain. Moreover, it can be readily extended to physical domain and generates samples quickly and economically. Our study exposes the security risk of face recognition systems, which can provide us with useful information to design better face recognition systems against adversarial attacks in the future.

Meng Shen,Hao Yu,Liehuang Zhu,Ke Xu,Qi Li,Jiankun Hu

DOI: https://doi.org/10.1109/tifs.2021.3102492

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which potentially mislead DNN-based FR systems in the physical world. Existing attacks either generate perturbations working merely in the digital world, or rely on customized equipment to generate perturbations that are not robust in the ever-changing physical environment. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a convertor, where the former can craft several stickers with different shapes while the latter aims to digitally attach stickers to human faces and provide feedback to the generator to improve the effectiveness. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking three typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve the success rates of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.

computer science, theory & methods,engineering, electrical & electronic

Meng Shen,Hao Yu,Liehuang Zhu,Ke Xu,Qi Li,Xiaojiang Du

DOI: https://doi.org/10.48550/arXiv.2011.13526

2020-11-27

Computer Vision and Pattern Recognition

Abstract:Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which can potentially mislead the FR systems using DNNs in the physical world. Existing attacks on these systems either generate perturbations working merely in the digital world, or rely on customized equipments to generate perturbations and are not robust in varying physical environments. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a transformer, where the former can craft several stickers with different shapes and the latter transformer aims to digitally attach stickers to human faces and provide feedbacks to the generator to improve the effectiveness of stickers. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking 3 typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve success rate of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.

Qian Wang,Chen Li,Yuchen Luo,Hefei Ling,Ping Li,Jiazhong Chen,Shijuan Huang,Ning Yu

2024-09-25

Abstract:As a defense strategy against adversarial attacks, adversarial detection aims to identify and filter out adversarial data from the data flow based on discrepancies in distribution and noise patterns between natural and adversarial data. Although previous detection methods achieve high performance in detecting gradient-based adversarial attacks, new attacks based on generative models with imbalanced and anisotropic noise patterns evade detection. Even worse, existing techniques either necessitate access to attack data before deploying a defense or incur a significant time cost for inference, rendering them impractical for defending against newly emerging attacks that are unseen by defenders. In this paper, we explore the proximity relationship between adversarial noise distributions and demonstrate the existence of an open covering for them. By learning to distinguish this open covering from the distribution of natural data, we can develop a detector with strong generalization capabilities against all types of adversarial attacks. Based on this insight, we heuristically propose Perturbation Forgery, which includes noise distribution perturbation, sparse mask generation, and pseudo-adversarial data production, to train an adversarial detector capable of detecting unseen gradient-based, generative-model-based, and physical adversarial attacks, while remaining agnostic to any specific models. Comprehensive experiments conducted on multiple general and facial datasets, with a wide spectrum of attacks, validate the strong generalization of our method.

Computer Vision and Pattern Recognition,Machine Learning

Yigit Alparslan,Ken Alparslan,Jeremy Keim-Shenk,Shweta Khade,Rachel Greenstadt

DOI: https://doi.org/10.48550/arXiv.2001.11137

IF: 5.414

2020-01-30

Machine Learning

Abstract:Numerous recent studies have demonstrated how Deep Neural Network (DNN) classifiers can be fooled by adversarial examples, in which an attacker adds perturbations to an original sample, causing the classifier to misclassify the sample. Adversarial attacks that render DNNs vulnerable in real life represent a serious threat in autonomous vehicles, malware filters, or biometric authentication systems. In this paper, we apply Fast Gradient Sign Method to introduce perturbations to a facial image dataset and then test the output on a different classifier that we trained ourselves, to analyze transferability of this method. Next, we craft a variety of different black-box attack algorithms on a facial image dataset assuming minimal adversarial knowledge, to further assess the robustness of DNNs in facial recognition. While experimenting with different image distortion techniques, we focus on modifying single optimal pixels by a large amount, or modifying all pixels by a smaller amount, or combining these two attack approaches. While our single-pixel attacks achieved about a 15% average decrease in classifier confidence level for the actual class, the all-pixel attacks were more successful and achieved up to an 84% average decrease in confidence, along with an 81.6% misclassification rate, in the case of the attack that we tested with the highest levels of perturbation. Even with these high levels of perturbation, the face images remained identifiable to a human. Understanding how these noised and perturbed images baffle the classification algorithms can yield valuable advances in the training of DNNs against defense-aware adversarial attacks, as well as adaptive noise reduction techniques. We hope our research may help to advance the study of adversarial attacks on DNNs and defensive mechanisms to counteract them, particularly in the facial recognition domain.

Daeha Kim,Heeje Kim,Yoojin Jung,Seongho Kim,Byung Cheol Song

DOI: https://doi.org/10.1016/j.neucom.2024.127588

IF: 6

2024-03-23

Neurocomputing

Abstract:Beyond the in-the-lab environment, deep-learning-based facial expression recognition (FER) models that provide reliable performance on wild datasets are gradually becoming applied to the real world. However, the fact that neural networks are inherently vulnerable to digital attacks (e.g., adversarial examples) and their performance is not exposed to external threats reduces the applicability of FER technology. So, we design a so-called test-time attack scenario in which FER models are deceived by superimposing imperceptible perturbation(s) on test images. This scenario, which targets the testing phase in which model weakness is revealed, clearly shows how vulnerable FER models are to external attacks. As a remedy against this attack, we propose a novel method called FAAT, which adversarially trains the model by paying attention to core region(s) of face. FAAT aims to improve model robustness so that the model can be generalized to unseen perturbation(s) while focusing on facial expression-related areas. For example, FAAT's robustness against PGD attack with a performance improvement of up to 18% is encouraging. Also, various benchmarking results based on our attack scenario analyze the fidelity of prior arts and will promote the development direction of future models.

computer science, artificial intelligence

Chih-Yang Lin,Feng-Jie Chen,Hui-Fuang Ng,Wei-Yang Lin

DOI: https://doi.org/10.1109/access.2023.3279488

IF: 3.9

2023-01-01

IEEE Access

Abstract:Deep learning technology has grown rapidly in recent years and achieved tremendous success in the field of computer vision. At present, many deep learning technologies have been applied in daily life, such as face recognition systems. However, as human life increasingly relies on deep neural networks, the potential harms of neural networks are being revealed, particularly in terms of deep neural network security. More and more studies have shown that existing deep learning-based face recognition models are vulnerable to attacks by adversarial samples, resulting in misjudgments that could have serious consequences. However, existing adversarial face images are rather easy to identify with the naked eye, so it is difficult for attackers to carry out attacks on face recognition systems in practice. This paper proposes a method for generating adversarial face images that are indistinguishable from the source images based on facial landmark detection and superpixel segmentation. First, the eyebrows, eyes, nose, and mouth regions are extracted from the face image using a facial landmark detection algorithm. Next, the superpixel segmentation algorithm is used to include the pixels neighboring the extracted facial landmarks with similar pixel values. Lastly, the segmented regions are used as masks to guide existing attack methods to insert adversarial noise within the masked areas. Experimental results show that our method can generate adversarial samples with high Structural Similarity Index Measure (SSIM) values at the cost of a small percentage of attack success rate. In addition, to simulate real-time physical attacks, printouts of the adversarial images generated by the proposed method are presented to the face recognition system via a camera and are still able to fool the face recognition model. Experimental results indicated that the proposed method can successfully perform adversarial attacks on face recognition systems in real-world scenarios.

Shuai Jia,Bangjie Yin,Taiping Yao,Shouhong Ding,Chunhua Shen,Xiaokang Yang,Chao Ma

DOI: https://doi.org/10.48550/arxiv.2210.06871

2022-01-01

Abstract: Deep learning models have shown their vulnerability when dealing with adversarial attacks. Existing attacks almost perform on low-level instances, such as pixels and super-pixels, and rarely exploit semantic clues. For face recognition attacks, existing methods typically generate the l_p-norm perturbations on pixels, however, resulting in low attack transferability and high vulnerability to denoising defense models. In this work, instead of performing perturbations on the low-level pixels, we propose to generate attacks through perturbing on the high-level semantics to improve attack transferability. Specifically, a unified flexible framework, Adversarial Attributes (Adv-Attribute), is designed to generate inconspicuous and transferable attacks on face recognition, which crafts the adversarial noise and adds it into different attributes based on the guidance of the difference in face recognition features from the target. Moreover, the importance-aware attribute selection and the multi-objective optimization strategy are introduced to further ensure the balance of stealthiness and attacking strength. Extensive experiments on the FFHQ and CelebA-HQ datasets show that the proposed Adv-Attribute method achieves the state-of-the-art attacking success rates while maintaining better visual effects against recent attack methods.

Fengfan Zhou,Hefei Ling,Yuxuan Shi,Jiazhong Chen,Zongyi Li,Ping Li

DOI: https://doi.org/10.1109/tcss.2023.3291565

2023-01-01

IEEE Transactions on Computational Social Systems

Abstract:Face recognition (FR) models can be easily fooled by adversarial examples, which are crafted by adding imperceptible perturbations on benign face images. The existence of adversarial face examples poses a great threat to the security of society. To build a more sustainable digital nation, in this article, we improve the transferability of adversarial face examples to expose more blind spots of the existing FR models. Though generating hard samples has shown its effectiveness in improving the generalization of models in training tasks, the effectiveness of using this idea to improve the transferability of adversarial face examples remains unexplored. To this end, based on the property of hard samples and the symmetry between training tasks and adversarial attack tasks, we propose the concept of hard models, which have similar effects as hard samples for adversarial attack tasks. Using the concept of hard models, we propose a novel attack method called beneficial perturbation feature augmentation attack (BPFA), which reduces the overfitting of adversarial examples to surrogate FR models by constantly generating new hard models to craft the adversarial examples. Specifically, in the backpropagation, BPFA records the gradients on preselected feature maps and uses the gradient on the input image to craft the adversarial example. In the next forward propagation, BPFA leverages the recorded gradients to add beneficial perturbations on their corresponding feature maps to increase the loss. Extensive experiments demonstrate that BPFA can significantly boost the transferability of adversarial attacks on FR.

Ying Guo,Xingxing Wei,Guoqiu Wang,Bo Zhang

2021-01-01

Abstract:Face recognition (FR) systems have been widely applied in safety-critical fields with the introduction of deep learning. However, the existence of adversarial examples brings potential security risks to FR systems. To identify their vulnerability and help improve their robustness, in this paper, we propose Meaningful Adversarial Stickers, a physically feasible and easily implemented attack method by using meaningful real stickers existing in our life, where the attackers manipulate the pasting parameters of stickers on the face, instead of designing perturbation patterns and then printing them like most existing works. We conduct attacks in the black-box setting with limited information which is more challenging and practical. To effectively solve the pasting position, rotation angle, and other parameters of the stickers, we design Region based Heuristic Differential Algorithm, which utilizes the inbreeding strategy based on regional aggregation of effective solutions and the adaptive adjustment strategy of evaluation criteria. Extensive experiments are conducted on two public datasets including LFW and CelebA with respective to three representative FR models like FaceNet, SphereFace, and CosFace, achieving attack success rates of 81.78%, 72.93%, and 79.26% respectively with only hundreds of queries. The results in the physical world confirm the effectiveness of our method in complex physical conditions. When continuously changing the face posture of testers, the method can still perform successful attacks up to 98.46%, 91.30% and 86.96% in the time series.

Ali Dabouei,Sobhan Soleymani,Jeremy Dawson,Nasser M. Nasrabadi

DOI: https://doi.org/10.48550/arXiv.1809.08999

2018-09-29

Abstract:The state-of-the-art performance of deep learning algorithms has led to a considerable increase in the utilization of machine learning in security-sensitive and critical applications. However, it has recently been shown that a small and carefully crafted perturbation in the input space can completely fool a deep model. In this study, we explore the extent to which face recognition systems are vulnerable to geometrically-perturbed adversarial faces. We propose a fast landmark manipulation method for generating adversarial faces, which is approximately 200 times faster than the previous geometric attacks and obtains 99.86% success rate on the state-of-the-art face recognition models. To further force the generated samples to be natural, we introduce a second attack constrained on the semantic structure of the face which has the half speed of the first attack with the success rate of 99.96%. Both attacks are extremely robust against the state-of-the-art defense methods with the success rate of equal or greater than 53.59%. Code is available at <a class="link-external link-https" href="https://github.com/alldbi/FLM" rel="external noopener nofollow">this https URL</a>

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Yao Zhu,Yuefeng Chen,Xiaodan Li,Rong Zhang,Xiang Tian,Bolun Zheng,Yaowu Chen

2023-03-21

Abstract:With the development of deep learning technology, the facial manipulation system has become powerful and easy to use. Such systems can modify the attributes of the given facial images, such as hair color, gender, and age. Malicious applications of such systems pose a serious threat to individuals' privacy and reputation. Existing studies have proposed various approaches to protect images against facial manipulations. Passive defense methods aim to detect whether the face is real or fake, which works for posterior forensics but can not prevent malicious manipulation. Initiative defense methods protect images upfront by injecting adversarial perturbations into images to disrupt facial manipulation systems but can not identify whether the image is fake. To address the limitation of existing methods, we propose a novel two-tier protection method named Information-containing Adversarial Perturbation (IAP), which provides more comprehensive protection for {facial images}. We use an encoder to map a facial image and its identity message to a cross-model adversarial example which can disrupt multiple facial manipulation systems to achieve initiative protection. Recovering the message in adversarial examples with a decoder serves passive protection, contributing to provenance tracking and fake image detection. We introduce a feature-level correlation measurement that is more suitable to measure the difference between the facial images than the commonly used mean squared error. Moreover, we propose a spectral diffusion method to spread messages to different frequency channels, thereby improving the robustness of the message against facial manipulation. Extensive experimental results demonstrate that our proposed IAP can recover the messages from the adversarial examples with high average accuracy and effectively disrupt the facial manipulation systems.

Computer Vision and Pattern Recognition

Gaurav Goswami,Akshay Agarwal,Nalini Ratha,Richa Singh,Mayank Vatsa

DOI: https://doi.org/10.1007/s11263-019-01160-w

IF: 13.369

2019-03-22

International Journal of Computer Vision

Abstract:Deep neural network (DNN) architecture based models have high expressive power and learning capacity. However, they are essentially a black box method since it is not easy to mathematically formulate the functions that are learned within its many layers of representation. Realizing this, many researchers have started to design methods to exploit the drawbacks of deep learning based algorithms questioning their robustness and exposing their singularities. In this paper, we attempt to unravel three aspects related to the robustness of DNNs for face recognition: (i) assessing the impact of deep architectures for face recognition in terms of vulnerabilities to attacks, (ii) detecting the singularities by characterizing abnormal filter response behavior in the hidden layers of deep networks; and (iii) making corrections to the processing pipeline to alleviate the problem. Our experimental evaluation using multiple open-source DNN-based face recognition networks, and three publicly available face databases demonstrates that the performance of deep learning based face recognition algorithms can suffer greatly in the presence of such distortions. We also evaluate the proposed approaches on four existing quasi-imperceptible distortions: DeepFool, Universal adversarial perturbations, <span>\(l_2\)</span>, and Elastic-Net (EAD). The proposed method is able to detect both types of attacks with very high accuracy by suitably designing a classifier using the response of the hidden layers in the network. Finally, we present effective countermeasures to mitigate the impact of adversarial attacks and improve the overall robustness of DNN-based face recognition.

computer science, artificial intelligence

Decheng Liu,Xijun Wang,Chunlei Peng,Nannan Wang,Ruiming Hu,Xinbo Gao

2023-12-28

Abstract:Adversarial attacks involve adding perturbations to the source image to cause misclassification by the target model, which demonstrates the potential of attacking face recognition models. Existing adversarial face image generation methods still can't achieve satisfactory performance because of low transferability and high detectability. In this paper, we propose a unified framework Adv-Diffusion that can generate imperceptible adversarial identity perturbations in the latent space but not the raw pixel space, which utilizes strong inpainting capabilities of the latent diffusion model to generate realistic adversarial images. Specifically, we propose the identity-sensitive conditioned diffusion generative model to generate semantic perturbations in the surroundings. The designed adaptive strength-based adversarial perturbation algorithm can ensure both attack transferability and stealthiness. Extensive qualitative and quantitative experiments on the public FFHQ and CelebA-HQ datasets prove the proposed method achieves superior performance compared with the state-of-the-art methods without an extra generative model training process. The source code is available at <a class="link-external link-https" href="https://github.com/kopper-xdu/Adv-Diffusion" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence