Gaurav Goswami,Akshay Agarwal,Nalini Ratha,Richa Singh,Mayank Vatsa

DOI: https://doi.org/10.1007/s11263-019-01160-w

IF: 13.369

2019-03-22

International Journal of Computer Vision

Abstract:Deep neural network (DNN) architecture based models have high expressive power and learning capacity. However, they are essentially a black box method since it is not easy to mathematically formulate the functions that are learned within its many layers of representation. Realizing this, many researchers have started to design methods to exploit the drawbacks of deep learning based algorithms questioning their robustness and exposing their singularities. In this paper, we attempt to unravel three aspects related to the robustness of DNNs for face recognition: (i) assessing the impact of deep architectures for face recognition in terms of vulnerabilities to attacks, (ii) detecting the singularities by characterizing abnormal filter response behavior in the hidden layers of deep networks; and (iii) making corrections to the processing pipeline to alleviate the problem. Our experimental evaluation using multiple open-source DNN-based face recognition networks, and three publicly available face databases demonstrates that the performance of deep learning based face recognition algorithms can suffer greatly in the presence of such distortions. We also evaluate the proposed approaches on four existing quasi-imperceptible distortions: DeepFool, Universal adversarial perturbations, <span>\(l_2\)</span>, and Elastic-Net (EAD). The proposed method is able to detect both types of attacks with very high accuracy by suitably designing a classifier using the response of the hidden layers in the network. Finally, we present effective countermeasures to mitigate the impact of adversarial attacks and improve the overall robustness of DNN-based face recognition.

computer science, artificial intelligence

Daeha Kim,Heeje Kim,Yoojin Jung,Seongho Kim,Byung Cheol Song

DOI: https://doi.org/10.1016/j.neucom.2024.127588

IF: 6

2024-03-23

Neurocomputing

Abstract:Beyond the in-the-lab environment, deep-learning-based facial expression recognition (FER) models that provide reliable performance on wild datasets are gradually becoming applied to the real world. However, the fact that neural networks are inherently vulnerable to digital attacks (e.g., adversarial examples) and their performance is not exposed to external threats reduces the applicability of FER technology. So, we design a so-called test-time attack scenario in which FER models are deceived by superimposing imperceptible perturbation(s) on test images. This scenario, which targets the testing phase in which model weakness is revealed, clearly shows how vulnerable FER models are to external attacks. As a remedy against this attack, we propose a novel method called FAAT, which adversarially trains the model by paying attention to core region(s) of face. FAAT aims to improve model robustness so that the model can be generalized to unseen perturbation(s) while focusing on facial expression-related areas. For example, FAAT's robustness against PGD attack with a performance improvement of up to 18% is encouraging. Also, various benchmarking results based on our attack scenario analyze the fidelity of prior arts and will promote the development direction of future models.

computer science, artificial intelligence

Ali Dabouei,Sobhan Soleymani,Jeremy Dawson,Nasser M. Nasrabadi

DOI: https://doi.org/10.48550/arXiv.1809.08999

2018-09-29

Abstract:The state-of-the-art performance of deep learning algorithms has led to a considerable increase in the utilization of machine learning in security-sensitive and critical applications. However, it has recently been shown that a small and carefully crafted perturbation in the input space can completely fool a deep model. In this study, we explore the extent to which face recognition systems are vulnerable to geometrically-perturbed adversarial faces. We propose a fast landmark manipulation method for generating adversarial faces, which is approximately 200 times faster than the previous geometric attacks and obtains 99.86% success rate on the state-of-the-art face recognition models. To further force the generated samples to be natural, we introduce a second attack constrained on the semantic structure of the face which has the half speed of the first attack with the success rate of 99.96%. Both attacks are extremely robust against the state-of-the-art defense methods with the success rate of equal or greater than 53.59%. Code is available at <a class="link-external link-https" href="https://github.com/alldbi/FLM" rel="external noopener nofollow">this https URL</a>

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Hetvi Waghela,Jaydip Sen,Sneha Rakshit

2024-08-20

Abstract:Adversarial attacks, particularly the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) pose significant threats to the robustness of deep learning models in image classification. This paper explores and refines defense mechanisms against these attacks to enhance the resilience of neural networks. We employ a combination of adversarial training and innovative preprocessing techniques, aiming to mitigate the impact of adversarial perturbations. Our methodology involves modifying input data before classification and investigating different model architectures and training strategies. Through rigorous evaluation of benchmark datasets, we demonstrate the effectiveness of our approach in defending against FGSM and PGD attacks. Our results show substantial improvements in model robustness compared to baseline methods, highlighting the potential of our defense strategies in real-world applications. This study contributes to the ongoing efforts to develop secure and reliable machine learning systems, offering practical insights and paving the way for future research in adversarial defense. By bridging theoretical advancements and practical implementation, we aim to enhance the trustworthiness of AI applications in safety-critical domains.

Cryptography and Security,Computer Vision and Pattern Recognition

Kun Fang,Jie Yang

DOI: https://doi.org/10.1145/3467707.3467737

2021-01-01

Abstract:Face recognition has always been a hot topic in research, and has also widely been applied in industry areas and daily life. Nowadays, face recognition models with excellent performance are mostly based on deep neural networks (DNN). However, recently researchers find that images added invisible perturbations could successfully fool neural networks, which is known as the so-called adversarial attack. The perturbed images, also known as adversarial examples, are almost the same as the original images, but neural network could give different and wrong predictions with high confidence on these adversarial examples. Such a phenomenon indicates the vulnerable robustness of neural network and thus casts a shadow on the security of DNN-based face recognition models. Therefore, in this paper, we focus on the facial attribute prediction task in face recognition, investigate the influence of adversarial attack on facial attribute prediction and give a solution on improving the robustness of facial attribute prediction models. Extensive experiment results illustrate that the solution could indeed produce much more robust results in facial attribute prediction against adversarial attacks.

Meng Shen,Hao Yu,Liehuang Zhu,Ke Xu,Qi Li,Xiaojiang Du

DOI: https://doi.org/10.48550/arXiv.2011.13526

2020-11-27

Computer Vision and Pattern Recognition

Abstract:Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which can potentially mislead the FR systems using DNNs in the physical world. Existing attacks on these systems either generate perturbations working merely in the digital world, or rely on customized equipments to generate perturbations and are not robust in varying physical environments. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a transformer, where the former can craft several stickers with different shapes and the latter transformer aims to digitally attach stickers to human faces and provide feedbacks to the generator to improve the effectiveness of stickers. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking 3 typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve success rate of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.

Xiao Yang,Dingcheng Yang,Yinpeng Dong,Wenjian Yu,Hang Su,Jun Zhu

2021-01-01

Abstract: Face recognition has recently made substantial progress and achieved high accuracy on standard benchmarks based on the development of deep convolutional neural networks (CNNs). However, the lack of robustness in deep CNNs to adversarial examples has raised security concerns to enormous face recognition applications. To facilitate a better understanding of the adversarial vulnerability of the existing face recognition models, in this paper we perform comprehensive robustness evaluations, which can be applied as reference for evaluating the robustness of subsequent works on face recognition. We investigate 15 popular face recognition models and evaluate their robustness by using various adversarial attacks as an important surrogate. These evaluations are conducted under diverse adversarial settings, including dodging and impersonation attacks, $\ell_2$ and $\ell_\infty$ attacks, white-box and black-box attacks. We further propose a landmark-guided cutout (LGC) attack method to improve the transferability of adversarial examples for black-box attacks, by considering the special characteristics of face recognition. Based on our evaluations, we draw several important findings, which are crucial for understanding the adversarial robustness and providing insights for future research on face recognition. Code is available at \url{https://github.com/ShawnXYang/Face-Robustness-Benchmark}.

William Villegas-Ch,Angel Jaramillo-Alcázar,Sergio Luján-Mora

DOI: https://doi.org/10.3390/bdcc8010008

2024-01-16

Big Data and Cognitive Computing

Abstract:This study evaluated the generation of adversarial examples and the subsequent robustness of an image classification model. The attacks were performed using the Fast Gradient Sign method, the Projected Gradient Descent method, and the Carlini and Wagner attack to perturb the original images and analyze their impact on the model’s classification accuracy. Additionally, image manipulation techniques were investigated as defensive measures against adversarial attacks. The results highlighted the model’s vulnerability to conflicting examples: the Fast Gradient Signed Method effectively altered the original classifications, while the Carlini and Wagner method proved less effective. Promising approaches such as noise reduction, image compression, and Gaussian blurring were presented as effective countermeasures. These findings underscore the importance of addressing the vulnerability of machine learning models and the need to develop robust defenses against adversarial examples. This article emphasizes the urgency of addressing the threat posed by harmful standards in machine learning models, highlighting the relevance of implementing effective countermeasures and image manipulation techniques to mitigate the effects of adversarial attacks. These efforts are crucial to safeguarding model integrity and trust in an environment marked by constantly evolving hostile threats. An average 25% decrease in accuracy was observed for the VGG16 model when exposed to the Fast Gradient Signed Method and Projected Gradient Descent attacks, and an even more significant 35% decrease with the Carlini and Wagner method.

Fengfan Zhou,Hefei Ling,Yuxuan Shi,Jiazhong Chen,Ping Li

DOI: https://doi.org/10.48550/arXiv.2309.01582

2023-09-04

Computer Vision and Pattern Recognition

Abstract:Visual Quality and Transferability are the two key property of adversarial face examples. However, few works consider to improve the key properties simultaneously. To this end, we proposed a novel adversarial attack called Adversarial Restoration (AdvRestore) that enhances the visual quality and the transferability of adversarial face examples simultaneously by using a face Restoration Latent Diffusion Model Prior. Specifically, we first train a face Restoration Latent Diffusion Model (RLDM) for face restoration. Then, we use RLDM to restore of the attacker image, in the process of restoration, we add adversarial perturbations on the output feature of the UNet of RLDM. Combined with the prior, the visual quality and tranferability of the crafted adversarial face examples can be further improved. Experimental results demonstrate the effectiveness of our proposed attack method.

Yigit Alparslan,Ken Alparslan,Jeremy Keim-Shenk,Shweta Khade,Rachel Greenstadt

DOI: https://doi.org/10.48550/arXiv.2001.11137

IF: 5.414

2020-01-30

Machine Learning

Abstract:Numerous recent studies have demonstrated how Deep Neural Network (DNN) classifiers can be fooled by adversarial examples, in which an attacker adds perturbations to an original sample, causing the classifier to misclassify the sample. Adversarial attacks that render DNNs vulnerable in real life represent a serious threat in autonomous vehicles, malware filters, or biometric authentication systems. In this paper, we apply Fast Gradient Sign Method to introduce perturbations to a facial image dataset and then test the output on a different classifier that we trained ourselves, to analyze transferability of this method. Next, we craft a variety of different black-box attack algorithms on a facial image dataset assuming minimal adversarial knowledge, to further assess the robustness of DNNs in facial recognition. While experimenting with different image distortion techniques, we focus on modifying single optimal pixels by a large amount, or modifying all pixels by a smaller amount, or combining these two attack approaches. While our single-pixel attacks achieved about a 15% average decrease in classifier confidence level for the actual class, the all-pixel attacks were more successful and achieved up to an 84% average decrease in confidence, along with an 81.6% misclassification rate, in the case of the attack that we tested with the highest levels of perturbation. Even with these high levels of perturbation, the face images remained identifiable to a human. Understanding how these noised and perturbed images baffle the classification algorithms can yield valuable advances in the training of DNNs against defense-aware adversarial attacks, as well as adaptive noise reduction techniques. We hope our research may help to advance the study of adversarial attacks on DNNs and defensive mechanisms to counteract them, particularly in the facial recognition domain.

Jiazhi Guan,Yi Zhao,Zhuoer Xu,Changhua Meng,Ke Xu,Youjian Zhao

DOI: https://doi.org/10.1609/aaai.v38i1.27762

2024-01-01

Abstract:The non-consensual exploitation of facial manipulation has emerged as a pressing societal concern. In tandem with the identification of such fake content, recent research endeavors have advocated countering manipulation techniques through proactive interventions, specifically the incorporation of adversarial noise to impede the manipulation in advance. Nevertheless, with insufficient consideration of robustness, we show that current methods falter in providing protection after simple perturbations, e.g., blur. In addition, traditional optimization-based methods face limitations in scalability as they struggle to accommodate the substantial expansion of data volume, a consequence of the time-intensive iterative pipeline. To solve these challenges, we propose a learning-based model, Adversarial Robust Safeguard (ARS), to generate desirable protection noise in a single forward process, concurrently exhibiting a heightened resistance against prevalent perturbations. Specifically, our method involves a two-way protection design, characterized by a basic protection component responsible for generating efficacious noise features, coupled with robust protection for further enhancement. In robust protection, we first fuse image features with spatially duplicated noise embedding, thereby accounting for inherent information redundancy. Subsequently, a combination comprising a differentiable perturbation module and an adversarial network is devised to simulate potential information degradation during the training process. To evaluate it, we conduct experiments on four manipulation methods and compare recent works comprehensively. The results of our method exhibit good visual effects with pronounced robustness against varied perturbations at different levels.

Meng Shen,Hao Yu,Liehuang Zhu,Ke Xu,Qi Li,Jiankun Hu

DOI: https://doi.org/10.1109/tifs.2021.3102492

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which potentially mislead DNN-based FR systems in the physical world. Existing attacks either generate perturbations working merely in the digital world, or rely on customized equipment to generate perturbations that are not robust in the ever-changing physical environment. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a convertor, where the former can craft several stickers with different shapes while the latter aims to digitally attach stickers to human faces and provide feedback to the generator to improve the effectiveness. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking three typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve the success rates of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.

computer science, theory & methods,engineering, electrical & electronic

Shehzeen Hussain,Todd Huster,Chris Mesterharm,Paarth Neekhara,Kevin An,Malhar Jere,Harshvardhan Sikka,Farinaz Koushanfar

DOI: https://doi.org/10.48550/arXiv.2206.04783

2022-06-09

Computer Vision and Pattern Recognition

Abstract:Deep neural network based face recognition models have been shown to be vulnerable to adversarial examples. However, many of the past attacks require the adversary to solve an input-dependent optimization problem using gradient descent which makes the attack impractical in real-time. These adversarial examples are also tightly coupled to the attacked model and are not as successful in transferring to different models. In this work, we propose ReFace, a real-time, highly-transferable attack on face recognition models based on Adversarial Transformation Networks (ATNs). ATNs model adversarial example generation as a feed-forward neural network. We find that the white-box attack success rate of a pure U-Net ATN falls substantially short of gradient-based attacks like PGD on large face recognition datasets. We therefore propose a new architecture for ATNs that closes this gap while maintaining a 10000x speedup over PGD. Furthermore, we find that at a given perturbation magnitude, our ATN adversarial perturbations are more effective in transferring to new face recognition models than PGD. ReFace attacks can successfully deceive commercial face recognition services in a transfer attack setting and reduce face identification accuracy from 82% to 16.4% for AWS SearchFaces API and Azure face verification accuracy from 91% to 50.1%.

Chih-Yang Lin,Feng-Jie Chen,Hui-Fuang Ng,Wei-Yang Lin

DOI: https://doi.org/10.1109/access.2023.3279488

IF: 3.9

2023-01-01

IEEE Access

Abstract:Deep learning technology has grown rapidly in recent years and achieved tremendous success in the field of computer vision. At present, many deep learning technologies have been applied in daily life, such as face recognition systems. However, as human life increasingly relies on deep neural networks, the potential harms of neural networks are being revealed, particularly in terms of deep neural network security. More and more studies have shown that existing deep learning-based face recognition models are vulnerable to attacks by adversarial samples, resulting in misjudgments that could have serious consequences. However, existing adversarial face images are rather easy to identify with the naked eye, so it is difficult for attackers to carry out attacks on face recognition systems in practice. This paper proposes a method for generating adversarial face images that are indistinguishable from the source images based on facial landmark detection and superpixel segmentation. First, the eyebrows, eyes, nose, and mouth regions are extracted from the face image using a facial landmark detection algorithm. Next, the superpixel segmentation algorithm is used to include the pixels neighboring the extracted facial landmarks with similar pixel values. Lastly, the segmented regions are used as masks to guide existing attack methods to insert adversarial noise within the masked areas. Experimental results show that our method can generate adversarial samples with high Structural Similarity Index Measure (SSIM) values at the cost of a small percentage of attack success rate. In addition, to simulate real-time physical attacks, printouts of the adversarial images generated by the proposed method are presented to the face recognition system via a camera and are still able to fool the face recognition model. Experimental results indicated that the proposed method can successfully perform adversarial attacks on face recognition systems in real-world scenarios.

Jiaming Zhang,Qi Yi,Dongyuan Lu,Jitao Sang

2023-09-03

Abstract:In light of the growing concerns regarding the unauthorized use of facial recognition systems and its implications on individual privacy, the exploration of adversarial perturbations as a potential countermeasure has gained traction. However, challenges arise in effectively deploying this approach against unauthorized facial recognition systems due to the effects of JPEG compression on image distribution across the internet, which ultimately diminishes the efficacy of adversarial perturbations. Existing JPEG compression-resistant techniques struggle to strike a balance between resistance, transferability, and attack potency. To address these limitations, we propose a novel solution referred to as \emph{low frequency adversarial perturbation} (LFAP). This method conditions the source model to leverage low-frequency characteristics through adversarial training. To further enhance the performance, we introduce an improved \emph{low-mid frequency adversarial perturbation} (LMFAP) that incorporates mid-frequency components for an additive benefit. Our study encompasses a range of settings to replicate genuine application scenarios, including cross backbones, supervisory heads, training datasets, and testing datasets. Moreover, we evaluated our approaches on a commercial black-box API, \texttt{Face++}. The empirical results validate the cutting-edge performance achieved by our proposed solutions.

Computer Vision and Pattern Recognition,Image and Video Processing

Ying Xu,Kiran Raja,Raghavendra Ramachandra,Christoph Busch

DOI: https://doi.org/10.1007/978-3-030-87664-7_7

2022-01-01

Abstract:Abstract Face recognition has been widely used for identity verification both in supervised and unsupervised access control applications. The advancement in deep neural networks has opened up the possibility of scaling it to multiple applications. Despite the improvement in performance, deep network-based Face Recognition Systems (FRS) are not well prepared against adversarial attacks at the deployment level. The output performance of such FRS can be drastically impacted simply by changing the trained parameters, for instance, by changing the number of layers, subnetworks, loss and activation functions. This chapter will first demonstrate the impact on biometric performance using a publicly available face dataset. Further to this, this chapter will also present some strategies to defend against such attacks by incorporating defense mechanisms at the training level to mitigate the performance degradation. With the empirical evaluation of the deep FRS with and without a defense mechanism, we demonstrate the impact on biometric performance for the completeness of the chapter.

Fahad Shamshad,Koushik Srivatsan,Karthik Nandakumar

2023-06-23

Abstract:The ability of generative models to produce highly realistic synthetic face images has raised security and ethical concerns. As a first line of defense against such fake faces, deep learning based forensic classifiers have been developed. While these forensic models can detect whether a face image is synthetic or real with high accuracy, they are also vulnerable to adversarial attacks. Although such attacks can be highly successful in evading detection by forensic classifiers, they introduce visible noise patterns that are detectable through careful human scrutiny. Additionally, these attacks assume access to the target model(s) which may not always be true. Attempts have been made to directly perturb the latent space of GANs to produce adversarial fake faces that can circumvent forensic classifiers. In this work, we go one step further and show that it is possible to successfully generate adversarial fake faces with a specified set of attributes (e.g., hair color, eye size, race, gender, etc.). To achieve this goal, we leverage the state-of-the-art generative model StyleGAN with disentangled representations, which enables a range of modifications without leaving the manifold of natural images. We propose a framework to search for adversarial latent codes within the feature space of StyleGAN, where the search can be guided either by a text prompt or a reference image. We also propose a meta-learning based optimization strategy to achieve transferable performance on unknown target models. Extensive experiments demonstrate that the proposed approach can produce semantically manipulated adversarial fake faces, which are true to the specified attribute set and can successfully fool forensic face classifiers, while remaining undetectable by humans. Code: <a class="link-external link-https" href="https://github.com/koushiksrivats/face_attribute_attack" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Trilokesh Ranjan Sarkar,Nilanjan Das,Pralay Sankar Maitra,Bijoy Some,Ritwik Saha,Orijita Adhikary,Bishal Bose,Jaydip Sen

2024-04-06

Abstract:This technical report delves into an in-depth exploration of adversarial attacks specifically targeted at Deep Neural Networks (DNNs) utilized for image classification. The study also investigates defense mechanisms aimed at bolstering the robustness of machine learning models. The research focuses on comprehending the ramifications of two prominent attack methodologies: the Fast Gradient Sign Method (FGSM) and the Carlini-Wagner (CW) approach. These attacks are examined concerning three pre-trained image classifiers: Resnext50_32x4d, DenseNet-201, and VGG-19, utilizing the Tiny-ImageNet dataset. Furthermore, the study proposes the robustness of defensive distillation as a defense mechanism to counter FGSM and CW attacks. This defense mechanism is evaluated using the CIFAR-10 dataset, where CNN models, specifically resnet101 and Resnext50_32x4d, serve as the teacher and student models, respectively. The proposed defensive distillation model exhibits effectiveness in thwarting attacks such as FGSM. However, it is noted to remain susceptible to more sophisticated techniques like the CW attack. The document presents a meticulous validation of the proposed scheme. It provides detailed and comprehensive results, elucidating the efficacy and limitations of the defense mechanisms employed. Through rigorous experimentation and analysis, the study offers insights into the dynamics of adversarial attacks on DNNs, as well as the effectiveness of defensive strategies in mitigating their impact.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Zhong-Han Niu,Yu-Bin Yang

DOI: https://doi.org/10.1016/j.patcog.2023.109382

IF: 8

2023-01-01

Pattern Recognition

Abstract:The increasing use of deep neural networks exposes themselves to adversarial attacks in the real world drawn from closed-set and open-set, which poses great threats to their application in safety-critical sys-tems. Since adversarial attacks tend to mislead an original model by adding small perturbations into clean images, an intuitive idea of defensing adversarial attacks is eliminating perturbations as much as possi-ble to mitigate attacking effects. However, such elimination-based strategies unfortunately fail to achieve satisfactory robustness. Aiming to investigate the intrinsic reasons for this phenomenon, systematic ex-periments are carried out in this paper to indicate that even a 20% residual perturbation can still preserve and exhibit attacking effects as strong as a full one. Our study also indicates that there are strong cor-relations between perturbations and legitimate images. Thus, breaking the correlation across multiple bands is more effective in mitigating attacking effects. Based on these findings, this paper proposes an efficient defense strategy called "Frequency-Adaptive Compression and rEconstruction (FACE)" to improve the robustness of the model to adversarial attacks. Specifically, low-frequency bands containing semantic information are compressed by a down-sampling operation, while the channel width of high-frequency bands is squeezed and further compressed by adding noise before the Tanh activating function. Mean-while, attachment spaces of perturbations are also squeezed to the extent as much as possible. Finally, a clean output is obtained by upsampling together with expanded reconstruction. Experiments are ex-tensively conducted on widely used datasets to demonstrate the effectiveness of the proposed method. For closed-set attacks, FACE outperforms the STOA elimination-based methods on ImageNet, achieving a 27.9% improvement. For the MNIST open-set attacks, it not only reduces the success rate of targeted at-tack by a large margin (from 100% to 24.7%), but also mitigates attacking effects with an FPR-95 value of 0.3.(c) 2023 Elsevier Ltd. All rights reserved.

Xin Zheng,Yanbo Fan,Baoyuan Wu,Yong Zhang,Jue Wang,Shirui Pan

DOI: https://doi.org/10.1016/j.patcog.2022.109009

IF: 8

2023-01-01

Pattern Recognition

Abstract:Face recognition has been greatly facilitated by the development of deep neural networks (DNNs) and has been widely applied to many safety-critical applications. However, recent studies have shown that DNNs are very vulnerable to adversarial examples, raising severe concerns on the security of real-world face recognition. In this work, we study sticker-based physical attacks on face recognition for better understanding its adversarial robustness. To this end, we first analyze in-depth the complicated physical-world conditions confronted by attacking face recognition, including the different variations of stickers, faces, and environmental conditions. Then, we propose a novel robust physical attack framework, dubbed PadvFace, to model these challenging variations specifically. Furthermore, we reveal that the attack complexities vary under different physical-world conditions and propose an efficient Curriculum Adversarial Attack (CAA) algorithm that gradually adapts adversarial stickers to environmental variations from easy to complex. Finally, we construct a standardized testing protocol to facilitate the fair evaluation of physical attacks on face recognition, and extensive experiments on both physical dodging and impersonation attacks demonstrate the superior performance of the proposed method.

computer science, artificial intelligence,engineering, electrical & electronic