
Rethinking Impersonation and Dodging Attacks on Face Recognition Systems (2401.08903v4)

Published 17 Jan 2024 in cs.CV and cs.LG

Abstract: Face Recognition (FR) systems can be easily deceived by adversarial examples that manipulate benign face images through imperceptible perturbations. Adversarial attacks on FR encompass two types: impersonation (targeted) attacks and dodging (untargeted) attacks. Previous methods often achieve a successful impersonation attack on FR; however, this does not necessarily guarantee a successful dodging attack on FR in the black-box setting. In this paper, our key insight is that the generation of adversarial examples should perform both impersonation and dodging attacks simultaneously. To this end, we propose a novel attack method termed Adversarial Pruning (Adv-Pruning), to fine-tune existing adversarial examples to enhance their dodging capabilities while preserving their impersonation capabilities. Adv-Pruning consists of Priming, Pruning, and Restoration stages. Concretely, we propose Adversarial Priority Quantification to measure the region-wise priority of original adversarial perturbations, identifying and releasing those with minimal impact on absolute model output variances. Then, Biased Gradient Adaptation is presented to adapt the adversarial examples to traverse the decision boundaries of both the attacker and victim by adding perturbations favoring dodging attacks on the vacated regions, preserving the prioritized features of the original perturbations while boosting dodging performance. As a result, we can maintain the impersonation capabilities of original adversarial examples while effectively enhancing dodging capabilities. Comprehensive experiments demonstrate the superiority of our method compared with state-of-the-art adversarial attack methods.
