Yuheng Zhang,Ruoxi Jia,Hengzhi Pei,Wenxiao Wang,Bo Li,Dawn Song

DOI: https://doi.org/10.1109/CVPR42600.2020.00033

2020-01-01

Abstract:This paper studies model-inversion attacks, in which the access to a model is abused to infer information about the training data. Since its first introduction by [7], such attacks have raised serious concerns given that training data usually contain privacy-sensitive information. Thus far, successful model-inversion attacks have only been demonstrated on simple models, such as linear regression and logistic regression. Previous attempts to invert neural networks, even the ones with simple architectures, have failed to produce convincing results. We present a novel attack method, termed the generative model-inversion attack, which can invert deep neural networks with high success rates. Rather than reconstructing private training data from scratch, we leverage partial public information, which can be very generic, to learn a distributional prior via generative adversarial networks (GANs) and use it to guide the inversion process. Moreover, we theoretically prove that a model's predictive power and its vulnerability to inversion attacks are indeed two sides of the same coin-highly predictive models are able to establish a strong correlation between features and labels, which coincides exactly with what an adversary exploits to mount the attacks. Our extensive experiments demonstrate that the proposed attack improves identification accuracy over the existing work by about 75% for reconstructing face images from a state-of-the-art face recognition classifier. We also show that differential privacy, in its canonical form, is of little avail to defend against our attacks.

Fatemeh Vakhshiteh,Ahmad Nickabadi,Raghavendra Ramachandra

DOI: https://doi.org/10.1109/access.2021.3092646

IF: 3.9

2021-01-01

IEEE Access

Abstract:Face recognition (FR) systems have demonstrated reliable verification performance, suggesting suitability for real-world applications ranging from photo tagging in social media to automated border control (ABC). In an advanced FR system with deep learning-based architecture, however, promoting the recognition efficiency alone is not sufficient, and the system should also withstand potential kinds of attacks. Recent studies show that (deep) FR systems exhibit an intriguing vulnerability to imperceptible or perceptible but natural-looking adversarial input images that drive the model to incorrect output predictions. In this article, we present a comprehensive survey on adversarial attacks against FR systems and elaborate on the competence of new countermeasures against them. Further, we propose a taxonomy of existing attack and defense methods based on different criteria. We compare attack methods on the orientation, evaluation process, and attributes, and defense approaches on the category. Finally, we discuss the challenges and potential research direction.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shengshan Hu,Xiaogeng Liu,Yechao Zhang,Minghui Li,Leo Yu Zhang,Hai Jin,Libing Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01459

2022-01-01

Abstract:While deep face recognition (FR) systems have shown amazing performance in identification and verification, they also arouse privacy concerns for their excessive surveillance on users, especially for public face images widely spread on social networks. Recently, some studies adopt adversarial examples to protect photos from being identified by unauthorized face recognition systems. However, existing methods of generating adversarial face images suffer from many limitations, such as awkward visual, white-box setting, weak transferability, making them difficult to be applied to protect face privacy in reality. In this paper, we propose adversarial makeup transfer GAN (AMT-GAN) 1 1 https://github.com/CGCL-codes/AMT-GAN, a novel face protection method aiming at constructing adversarial face images that preserve stronger black-box transferability and better visual quality simultaneously. AMT-GAN leverages generative adversarial networks (GAN) to synthesize adversarial face images with makeup transferred from reference images. In particular, we introduce a new regularization module along with a joint training strategy to reconcile the conflicts between the adversarial noises and the cycle consistence loss in makeup transfer, achieving a desirable balance between the attack strength and visual changes. Extensive experiments verify that compared with state of the arts, AMT-GAN can not only preserve a comfortable visual quality, but also achieve a higher attack success rate over commercial FR APIs, including Face++, Aliyun, and Microsoft.

Jiahao Chen,Zhiqiang Shen,Yuwen Pu,Chunyi Zhou,Changjiang Li,Jiliang Li,Ting Wang,Shouling Ji

2024-06-08

Abstract:Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication, highlighting their pivotal role in modern security systems. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning), raising significant concerns about their reliability and trustworthiness. Previous studies primarily focus on traditional adversarial or backdoor attacks, overlooking the resource-intensive or privileged-manipulation nature of such threats, thus limiting their practical generalization, stealthiness, universality and robustness. Correspondingly, in this paper, we delve into the inherent vulnerabilities in FRS through user studies and preliminary explorations. By exploiting these vulnerabilities, we identify a novel attack, facial identity backdoor attack dubbed FIBA, which unveils a potentially more devastating threat against FRS:an enrollment-stage backdoor attack. FIBA circumvents the limitations of traditional attacks, enabling broad-scale disruption by allowing any attacker donning a specific trigger to bypass these systems. This implies that after a single, poisoned example is inserted into the database, the corresponding trigger becomes a universal key for any attackers to spoof the FRS. This strategy essentially challenges the conventional attacks by initiating at the enrollment stage, dramatically transforming the threat landscape by poisoning the feature database rather than the training data.

Cryptography and Security

Yuanqing Huang,Huilong Chen,Yinggui Wang,Lei Wang

2024-01-24

Abstract:Face recognition (FR) has been applied to nearly every aspect of daily life, but it is always accompanied by the underlying risk of leaking private information. At present, almost all attack models against FR rely heavily on the presence of a classification layer. However, in practice, the FR model can obtain complex features of the input via the model backbone, and then compare it with the target for inference, which does not explicitly involve the outputs of the classification layer adopting logit or other losses. In this work, we advocate a novel inference attack composed of two stages for practical FR models without a classification layer. The first stage is the membership inference attack. Specifically, We analyze the distances between the intermediate features and batch normalization (BN) parameters. The results indicate that this distance is a critical metric for membership inference. We thus design a simple but effective attack model that can determine whether a face image is from the training dataset or not. The second stage is the model inversion attack, where sensitive private data is reconstructed using a pre-trained generative adversarial network (GAN) guided by the attack model in the first stage. To the best of our knowledge, the proposed attack model is the very first in the literature developed for FR models without a classification layer. We illustrate the application of the proposed attack model in the establishment of privacy-preserving FR techniques.

Computer Vision and Pattern Recognition,Machine Learning

Yu Liang,Huabin Wang,Shuo Cao,Junwu Wang,Liang Tao,Jianyu Zhang

DOI: https://doi.org/10.1145/3604078.3604157

2023-01-01

Abstract:Recent studies have shown that machine learning as a service is susceptible to reconstruction attacks that would expose users' privacy. When it comes to face recognition systems, privacy leakage could incur unpredictable effects on confidential or financial matters. This paper focuses on black-box reconstruction attacks on face recognition systems, including face verification and face identification applications. Considering a face recognition system in the real world, the adversary only has access to the similarity score of a query compared to a certain ID. We build our method based on a pretrained StyleGAN face generator and optimize its latent code to obtain a face image that maximizes the similarity score. Given the similarity score alone, we adopt zeroth-order optimization to estimate the gradients faithfully. Our method can attack 1:1 verification system with efficient and high-quality. To validate the effectiveness of the proposed method, we perform extensive experiments on face recognition systems, and reveal their risks of privacy leakage.

Qian Li,Yuxiao Hu,Ye Liu,Dongxiao Zhang,Xin Jin,Yuntian Chen

DOI: https://doi.org/10.1109/cvpr52729.2023.01971

2023-01-01

Abstract:Classical adversarial attacks for Face Recognition (FR) models typically generate discrete examples for target identity with a single state image. However, such paradigm of point-wise attack exhibits poor generalization against numerous unknown states of identity and can be easily defended. In this paper, by rethinking the inherent relationship between the face of target identity and its variants, we introduce a new pipeline of Generalized Manifold Adversarial Attack (GMAA) to achieve a better attack performance by expanding the attack range. Specifically, this expansion lies on two aspects - GMAA not only expands the target to be attacked from one to many to encourage a good generalization ability for the generated adversarial examples, but it also expands the latter from discrete points to manifold by leveraging the domain knowledge that face expression change can be continuous, which enhances the attack effect as a data augmentation mechanism did. Moreover, we further design a dual supervision with local and global constraints as a minor contribution to improve the visual quality of the generated adversarial examples. We demonstrate the effectiveness of our method based on extensive experiments, and reveal that GMAA promises a semantic continuous adversarial space with a higher generalization ability and visual quality

Yueming Lyu,Yue Jiang,Ziwen He,Bo Peng,Yunfan Liu,Jing Dong

DOI: https://doi.org/10.1109/TPAMI.2023.3290175

Abstract:The privacy and security of face data on social media are facing unprecedented challenges as it is vulnerable to unauthorized access and identification. A common practice for solving this problem is to modify the original data so that it could be protected from being recognized by malicious face recognition (FR) systems. However, such "adversarial examples" obtained by existing methods usually suffer from low transferability and poor image quality, which severely limits the application of these methods in real-world scenarios. In this paper, we propose a 3D-Aware Adversarial Makeup Generation GAN (3DAM-GAN). which aims to improve the quality and transferability of synthetic makeup for identity information concealing. Specifically, a UV-based generator consisting of a novel Makeup Adjustment Module (MAM) and Makeup Transfer Module (MTM) is designed to render realistic and robust makeup with the aid of symmetric characteristics of human faces. Moreover, a makeup attack mechanism with an ensemble training strategy is proposed to boost the transferability of black-box models. Extensive experiment results on several benchmark datasets demonstrate that 3DAM-GAN could effectively protect faces against various FR models, including both publicly available state-of-the-art models and commercial face verification APIs, such as Face++, Baidu, and Aliyun.

Chun Pong Lau,Jiang Liu,Rama Chellappa

DOI: https://doi.org/10.48550/arXiv.2305.13548

2023-05-23

Abstract:The increasingly pervasive facial recognition (FR) systems raise serious concerns about personal privacy, especially for billions of users who have publicly shared their photos on social media. Several attempts have been made to protect individuals from unauthorized FR systems utilizing adversarial attacks to generate encrypted face images to protect users from being identified by FR systems. However, existing methods suffer from poor visual quality or low attack success rates, which limit their usability in practice. In this paper, we propose Attribute Guided Encryption with Facial Texture Masking (AGE-FTM) that performs a dual manifold adversarial attack on FR systems to achieve both good visual quality and high black box attack success rates. In particular, AGE-FTM utilizes a high fidelity generative adversarial network (GAN) to generate natural on-manifold adversarial samples by modifying facial attributes, and performs the facial texture masking attack to generate imperceptible off-manifold adversarial samples. Extensive experiments on the CelebA-HQ dataset demonstrate that our proposed method produces more natural-looking encrypted images than state-of-the-art methods while achieving competitive attack performance. We further evaluate the effectiveness of AGE-FTM in the real world using a commercial FR API and validate its usefulness in practice through an user study.

Computer Vision and Pattern Recognition,Cryptography and Security

Yoon Gyo Jung,Jaewoo Park,Xingbo Dong,Hojin Park,Andrew Beng Jin Teoh,Octavia Camps

2024-09-13

Abstract:Understanding the vulnerability of face recognition systems to malicious attacks is of critical importance. Previous works have focused on reconstructing face images that can penetrate a targeted verification system. Even in the white-box scenario, however, naively reconstructed images misrepresent the identity information, hence the attacks are easily neutralized once the face system is updated or changed. In this paper, we aim to reconstruct face images which are capable of transferring face attacks on unseen encoders. We term this problem as Face Reconstruction Transfer Attack (FRTA) and show that it can be formulated as an out-of-distribution (OOD) generalization problem. Inspired by its OOD nature, we propose to solve FRTA by Averaged Latent Search and Unsupervised Validation with pseudo target (ALSUV). To strengthen the reconstruction attack on OOD unseen encoders, ALSUV reconstructs the face by searching the latent of amortized generator StyleGAN2 through multiple latent optimization, latent optimization trajectory averaging, and unsupervised validation with a pseudo target. We demonstrate the efficacy and generalization of our method on widely used face datasets, accompanying it with extensive ablation studies and visually, qualitatively, and quantitatively analyses. The source code will be released.

Computer Vision and Pattern Recognition,Artificial Intelligence

Ying Xu,Kiran Raja,Raghavendra Ramachandra,Christoph Busch

DOI: https://doi.org/10.1007/978-3-030-87664-7_7

2022-01-01

Abstract:Abstract Face recognition has been widely used for identity verification both in supervised and unsupervised access control applications. The advancement in deep neural networks has opened up the possibility of scaling it to multiple applications. Despite the improvement in performance, deep network-based Face Recognition Systems (FRS) are not well prepared against adversarial attacks at the deployment level. The output performance of such FRS can be drastically impacted simply by changing the trained parameters, for instance, by changing the number of layers, subnetworks, loss and activation functions. This chapter will first demonstrate the impact on biometric performance using a publicly available face dataset. Further to this, this chapter will also present some strategies to defend against such attacks by incorporating defense mechanisms at the training level to mitigate the performance degradation. With the empirical evaluation of the deep FRS with and without a defense mechanism, we demonstrate the impact on biometric performance for the completeness of the chapter.

Hatef Otroshi Shahreza,Sébastien Marcel

DOI: https://doi.org/10.1109/tpami.2023.3312123

IF: 23.6

2023-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:In this article, we comprehensively evaluate the vulnerability of state-of-the-art face recognition systems to template inversion attacks using 3D face reconstruction. We propose a new method (called GaFaR) to reconstruct 3D faces from facial templates using a pretrained geometry-aware face generation network, and train a mapping from facial templates to the intermediate latent space of the face generator network. We train our mapping with a semi-supervised approach using real and synthetic face images. For real face images, we use a generative adversarial network (GAN)-based framework to learn the distribution of generator intermediate latent space. For synthetic face images, we directly learn the mapping from facial templates to the generator intermediate latent code. Furthermore, to improve the success attack rate, we use two optimization methods on the camera parameters of the GNeRF model. We propose our method in the whitebox and blackbox attacks against face recognition systems and compare the transferability of our attack with state-of-the-art methods across other face recognition systems on the MOBIO and LFW datasets. We also perform practical presentation attacks on face recognition systems using the digital screen replay and printed photographs, and evaluate the vulnerability of face recognition systems to different template inversion attacks.

computer science, artificial intelligence,engineering, electrical & electronic

Sandeep Gupta,Kiran Raja,Roberto Passerone

DOI: https://doi.org/10.1109/access.2024.3479949

IF: 3.9

2024-10-25

IEEE Access

Abstract:Deep learning has unequivocally emerged as the backbone of simple to highly sensitive systems demanding artificial intelligence across diverse domains. For instance, foundation models based on deep neural networks (DNNs) can play a crucial role in the design of security-sensitive systems, such as facial recognition systems (FRS). Despite achieving exceptional accuracy and human-like performance, DNNs tend to be severely sensitive to adversarial attacks. While DNNs are deemed irreplaceable in the artificial intelligence domain, the vulnerability of DNNs against adversarial examples can be detrimental to sensitive systems robustness. The paper presents a pilot study introducing an attack-defense framework aimed at enhancing the robustness of FRS against evasion attacks. Our generative adversarial network (GAN) based attack successfully deceives FRS, demonstrating that they are not only vulnerable against synthetic images visibly comparable to real user images (i.e., best-match scenarios) but also to partially constructed user images (i.e., average-match scenarios). Based on our analysis, we propose a novel solution that extends the visual prompt engineering (VPE) concept for detecting synthetic images to secure downstream tasks in FRS. The VPE detection module achieves an accuracy of 97.92% in the average-match scenario and 87.08% in the best-match scenario on our generated dataset. Furthermore, we use the Trueface postsocial dataset to validate the efficacy of the detection module obtaining an accuracy of 91.96%. Our experimental evaluation shows that VPE can effectively tackle the GAN attacks from average-match to best-match scenarios, thus enhancing the overall robustness of a security-sensitive system against evasion attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Minghui Li,Jiangxiong Wang,Hao Zhang,Ziqi Zhou,Shengshan Hu,Xiaobing Pei

2024-07-18

Abstract:The success of deep face recognition (FR) systems has raised serious privacy concerns due to their ability to enable unauthorized tracking of users in the digital world. Previous studies proposed introducing imperceptible adversarial noises into face images to deceive those face recognition models, thus achieving the goal of enhancing facial privacy protection. Nevertheless, they heavily rely on user-chosen references to guide the generation of adversarial noises, and cannot simultaneously construct natural and highly transferable adversarial face images in black-box scenarios. In light of this, we present a novel face privacy protection scheme with improved transferability while maintain high visual quality. We propose shaping the entire face space directly instead of exploiting one kind of facial characteristic like makeup information to integrate adversarial noises. To achieve this goal, we first exploit global adversarial latent search to traverse the latent space of the generative model, thereby creating natural adversarial face images with high transferability. We then introduce a key landmark regularization module to preserve the visual identity information. Finally, we investigate the impacts of various kinds of latent spaces and find that $\mathcal{F}$ latent space benefits the trade-off between visual naturalness and adversarial transferability. Extensive experiments over two datasets demonstrate that our approach significantly enhances attack transferability while maintaining high visual quality, outperforming state-of-the-art methods by an average 25% improvement in deep FR models and 10% improvement on commercial FR APIs, including Face++, Aliyun, and Tencent.

Computer Vision and Pattern Recognition,Artificial Intelligence

Ren-Hung Hwang,Jia-You Lin,Sun-Ying Hsieh,Hsuan-Yu Lin,Chia-Liang Lin

DOI: https://doi.org/10.3390/s23020853

IF: 3.9

2023-01-12

Sensors

Abstract:Deep learning technology has developed rapidly in recent years and has been successfully applied in many fields, including face recognition. Face recognition is used in many scenarios nowadays, including security control systems, access control management, health and safety management, employee attendance monitoring, automatic border control, and face scan payment. However, deep learning models are vulnerable to adversarial attacks conducted by perturbing probe images to generate adversarial examples, or using adversarial patches to generate well-designed perturbations in specific regions of the image. Most previous studies on adversarial attacks assume that the attacker hacks into the system and knows the architecture and parameters behind the deep learning model. In other words, the attacked model is a white box. However, this scenario is unrepresentative of most real-world adversarial attacks. Consequently, the present study assumes the face recognition system to be a black box, over which the attacker has no control. A Generative Adversarial Network method is proposed for generating adversarial patches to carry out dodging and impersonation attacks on the targeted face recognition system. The experimental results show that the proposed method yields a higher attack success rate than previous works.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Reena Zelenkova,Jack Swallow,M.A.P. Chamikara,Dongxi Liu,Mohan Baruwal Chhetri,Seyit Camtepe,Marthie Grobler,Mahathir Almashor

DOI: https://doi.org/10.48550/arXiv.2202.10320

2022-02-18

Abstract:Biometric data, such as face images, are often associated with sensitive information (e.g medical, financial, personal government records). Hence, a data breach in a system storing such information can have devastating consequences. Deep learning is widely utilized for face recognition (FR); however, such models are vulnerable to backdoor attacks executed by malicious parties. Backdoor attacks cause a model to misclassify a particular class as a target class during recognition. This vulnerability can allow adversaries to gain access to highly sensitive data protected by biometric authentication measures or allow the malicious party to masquerade as an individual with higher system permissions. Such breaches pose a serious privacy threat. Previous methods integrate noise addition mechanisms into face recognition models to mitigate this issue and improve the robustness of classification against backdoor attacks. However, this can drastically affect model accuracy. We propose a novel and generalizable approach (named BA-BAM: Biometric Authentication - Backdoor Attack Mitigation), that aims to prevent backdoor attacks on face authentication deep learning models through transfer learning and selective image perturbation. The empirical evidence shows that BA-BAM is highly robust and incurs a maximal accuracy drop of 2.4%, while reducing the attack success rate to a maximum of 20%. Comparisons with existing approaches show that BA-BAM provides a more practical backdoor mitigation approach for face recognition.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Danny Keller,Margarita Osadchy,Orr Dunkelman

DOI: https://doi.org/10.48550/arXiv.2012.13293

2020-12-24

Abstract:In this work, we study the protection that fuzzy commitments offer when they are applied to facial images, processed by the state of the art deep learning facial recognition systems. We show that while these systems are capable of producing great accuracy, they produce templates of too little entropy. As a result, we present a reconstruction attack that takes a protected template, and reconstructs a facial image. The reconstructed facial images greatly resemble the original ones. In the simplest attack scenario, more than 78% of these reconstructed templates succeed in unlocking an account (when the system is configured to 0.1% FAR). Even in the "hardest" settings (in which we take a reconstructed image from one system and use it in a different system, with different feature extraction process) the reconstructed image offers 50 to 120 times higher success rates than the system's FAR.

Cryptography and Security,Artificial Intelligence

Qing Song,Yingqi Wu,Lu Yang

DOI: https://doi.org/10.48550/arXiv.1811.12026

2018-11-30

Abstract:With the broad use of face recognition, its weakness gradually emerges that it is able to be attacked. So, it is important to study how face recognition networks are subject to attacks. In this paper, we focus on a novel way to do attacks against face recognition network that misleads the network to identify someone as the target person not misclassify inconspicuously. Simultaneously, for this purpose, we introduce a specific attentional adversarial attack generative network to generate fake face images. For capturing the semantic information of the target person, this work adds a conditional variational autoencoder and attention modules to learn the instance-level correspondences between faces. Unlike traditional two-player GAN, this work introduces face recognition networks as the third player to participate in the competition between generator and discriminator which allows the attacker to impersonate the target person better. The generated faces which are hard to arouse the notice of onlookers can evade recognition by state-of-the-art networks and most of them are recognized as the target person.

Computer Vision and Pattern Recognition