
Semantic Adversarial Attacks on Face Recognition through Significant Attributes

2023-01-28 01:50:35
Yasmeen M. Khedr, Yifeng Xiong, Kun He

Abstract

Face recognition is known to be vulnerable to adversarial face images. Existing works craft face adversarial images by indiscriminately changing a single attribute without being aware of the intrinsic attributes of the images. To this end, we propose a new Semantic Adversarial Attack called SAA-StarGAN that tampers with the significant facial attributes for each image. We predict the most significant attributes by applying the cosine similarity or probability score. The probability score method is based on training a Face Verification model for an attribute prediction task to obtain a class probability score for each attribute. The prediction process will help craft adversarial face images more easily and efficiently, as well as improve the adversarial transferability. Then, we change the most significant facial attributes, with either one or more of the facial attributes for impersonation and dodging attacks in white-box and black-box settings. Experimental results show that our method could generate diverse and realistic adversarial face images while avoiding affecting human perception of the face recognition. SAA-StarGAN achieves an 80.5% attack success rate against black-box models, outperforming existing methods by 35.5% under the impersonation attack. Concerning the black-box setting, SAA-StarGAN achieves high attack success rates on various models. The experiments confirm that predicting the most important attributes significantly affects the success of adversarial attacks in both white-box and black-box settings and could enhance the transferability of the crafted adversarial examples.


URL

https://arxiv.org/abs/2301.12046

PDF

https://arxiv.org/pdf/2301.12046.pdf

