Real-world adversarial attack on MTCNN face detection system (1910.06261v2)

Abstract: Recent studies proved that deep learning approaches achieve remarkable results on face detection task. On the other hand, the advances gave rise to a new problem associated with the security of the deep convolutional neural network models unveiling potential risks of DCNNs based applications. Even minor input changes in the digital domain can result in the network being fooled. It was shown then that some deep learning-based face detectors are prone to adversarial attacks not only in a digital domain but also in the real world. In the paper, we investigate the security of the well-known cascade CNN face detection system - MTCNN and introduce an easily reproducible and a robust way to attack it. We propose different face attributes printed on an ordinary white and black printer and attached either to the medical face mask or to the face directly. Our approach is capable of breaking the MTCNN detector in a real-world scenario.

• The paper introduces a novel physical adversarial attack method targeting the MTCNN face detection network through printed perturbation patterns.
• The paper demonstrates how wearable adversarial patterns, such as printed masks, substantially degrade MTCNN's detection accuracy.
• The paper employs the Expectation-over-Transformation technique to ensure robust attack performance across varying real-world conditions.

Overview of "Real-world Adversarial Attack on MTCNN Face Detection System"

The paper "Real-world adversarial attack on MTCNN face detection system" by Edgar Kaziakhmedov et al. presents a thorough investigation into the vulnerabilities of the MTCNN (Multi-task Cascaded Convolutional Networks) face detection system when subjected to adversarial attacks in the physical domain. The work highlights the susceptibility of face detection systems, including MTCNN, to adversarial perturbations that can be reproduced in real-world settings, thus challenging the robustness and security of these systems.

Core Contributions

The authors make several significant contributions in the context of adversarial machine learning:

1. Attack Methodology on MTCNN: The paper proposes a robust adversarial attack specifically targeting MTCNN, which is a widely known face detection framework that uses a cascaded architecture. By focusing on the network's initial layers and exploiting its vulnerabilities, the authors devise an attack method that disrupts the face detection capabilities of MTCNN.
2. Physical Domain Attack Implementation: A notable aspect of this research is its focus on real-world adversarial attacks rather than purely digital simulations. The authors devise a method to print adversarial patterns using ordinary printers, which can be worn or affixed to the human face. Such methods include attaching patterns to facial accessories like medical masks, thereby fooling the MTCNN face detection model in a real-world scenario.
3. Expectation-over-Transformation (EoT) Technique: The Expectation-over-Transformation (EoT) framework is utilized to ensure the robustness of adversarial patches against real-world conditions such as variations in camera angles, lighting, and facial positions. This approach supports the transferability and practicality of the adversarial attacks outside of controlled digital environments.

Strong Numerical Results and Observations

The experimental results underscore the effectiveness of the proposed adversarial examples against MTCNN. By evaluating the misdetection rates across different environmental conditions and setup distances, the experiments reveal a substantial increase in the likelihood of detection failure for MTCNN when using the adversarial patterns. This misdetection probability is demonstrated across varied step scale factors, exhibiting the attack's consistency and effectiveness.

Implications and Future Work

The research poses critical implications for the practical deployment of face detection systems, especially those that operate in security-sensitive applications like surveillance and access control. As it demonstrates that even established systems like MTCNN can be compromised using relatively simple physical adversarial patterns, the paper calls for enhanced security mechanisms and defenses against such attacks.

Future work in this domain could involve developing countermeasures capable of detecting and mitigating adversarial attacks in the physical domain. Furthermore, extending the analysis to other face detection and recognition frameworks could offer broader insights into the generalizability of such adversarial techniques and the potential vulnerabilities of neural network architectures at large.

In summary, this paper offers a critical viewpoint on the vulnerability of advanced neural networks to real-world adversarial inputs, urging the necessity for continued research towards robust and secure AI systems.