Efficient Decision-based Black-box Adversarial Attacks on Face Recognition (1904.04433v1)

Abstract: Face recognition has obtained remarkable progress in recent years due to the great improvement of deep convolutional neural networks (CNNs). However, deep CNNs are vulnerable to adversarial examples, which can cause fateful consequences in real-world face recognition applications with security-sensitive purposes. Adversarial attacks are widely studied as they can identify the vulnerability of the models before they are deployed. In this paper, we evaluate the robustness of state-of-the-art face recognition models in the decision-based black-box attack setting, where the attackers have no access to the model parameters and gradients, but can only acquire hard-label predictions by sending queries to the target model. This attack setting is more practical in real-world face recognition systems. To improve the efficiency of previous methods, we propose an evolutionary attack algorithm, which can model the local geometries of the search directions and reduce the dimension of the search space. Extensive experiments demonstrate the effectiveness of the proposed method that induces a minimum perturbation to an input face image with fewer queries. We also apply the proposed method to attack a real-world face recognition system successfully.

• The paper introduces an evolutionary attack algorithm that uses tailored covariance adaptation and stochastic coordinate selection to efficiently optimize adversarial perturbations.
• The method is rigorously validated on models like SphereFace, CosFace, and ArcFace using benchmarks such as LFW and MegaFace, outperforming existing approaches.
• The study reveals practical vulnerabilities in face recognition systems, emphasizing the need for more robust defensive strategies in real-world applications.

Overview of Efficient Decision-Based Black-Box Adversarial Attacks on Face Recognition

This paper presents a paper focused on the robustness evaluation of state-of-the-art face recognition models in the context of decision-based black-box adversarial attacks. These attacks are characterized by a scenario where the adversary lacks access to the model's parameters and gradients, relying solely on hard-label predictions obtained through queries. This methodological framework aligns with the practical challenges faced in real-world systems, where internal model details are often inaccessible.

The paper introduces a novel evolutionary attack algorithm aimed at enhancing the efficiency of such attacks. This algorithm is designed to model the local geometries of search directions and reduce the dimensionality of the search space, allowing for a more efficient generation of adversarial examples with minimal perturbations and a limited number of queries. The performance of this new approach is validated through comprehensive experiments.

Key Contributions and Results

• Algorithm Design: The authors propose an evolutionary strategy underpinned by a tailored covariance matrix adaptation mechanism. By learning the local geometries of search spaces, this strategy enhances the sampling efficiency for adversarial perturbations. Importantly, leveraging stochastic coordinate selection further accelerates the optimization process by focusing search efforts on promising dimensions.
• Benchmarking and Evaluation: The paper conducts extensive experiments across prominent face recognition models — SphereFace, CosFace, and ArcFace. Using datasets such as Labeled Face in the Wild (LFW) and MegaFace Challenge, the authors demonstrate improved performance of their proposed method over existing approaches like Boundary Attack and Optimization-based strategies.
• Practical Application: The authors extend their methodology to a real-world face recognition system, showing the attack's applicability in successfully fooling the system. This underlines the practical implications and potential risks associated with the out-of-the-box use of current face recognition technologies.

Implications

The research highlights several critical implications for the field of computer vision and AI security. Adversarial examples can severely degrade the performance of face recognition models in scenarios where robustness is paramount, such as security and identity verification. The findings assert the need for more robust defense mechanisms and enhanced adversarial training frameworks to mitigate these vulnerabilities.

Future Directions

Potential future avenues for research inspired by this work include:

1. Defense Mechanisms: Developing effective countermeasures against both white-box and black-box adversarial attacks remains an open challenge. Robust architecture designs or improved adversarial training could be explored as part of defensive strategies.
2. Transferability Assessments: Investigating the transferability of adversarial examples across different models and architectures is critical for understanding the nuances of adversarial robustness in heterogeneous environments.
3. Broader Applicability: While this work focuses on face recognition, extending the proposed method to other vision tasks, such as object recognition or anomaly detection, could offer new insights into universal adversarial vulnerabilities across AI applications.

In summary, this paper contributes to the ongoing dialogue in AI research regarding the susceptibility of deep learning models to adversarial manipulation and provides a methodologically sound approach to advancing the efficacy of such attacks in decision-based black-box settings.