基于生成对抗网络的人脸识别对抗攻击

doi:10.3969/j.issn.1006-2475.2023.10.017

摘要/Abstract

摘要： 人脸识别正在逐渐成为一种监视工具，对人们的隐私产生了巨大威胁。为此，本文提出一种基于生成对抗网络的语义对抗攻击（SGAN-AA），它可以修改图像的显著面部特征，通过使用余弦相似度或可能性评分来预测最显著属性，在白盒和黑盒环境中使用一个或多个面部特征来进行假冒和躲闪攻击。实验结果表明，该方法可以生成多样化、逼真的对抗人脸图像，同时避免影响人类对人脸识别的感知，SGAN-AA对黑盒模型的攻击成功率为80.5%，在假冒攻击下比常用方法高35.5个百分点。预测最显著属性会提升对抗攻击在白盒和黑盒环境中的成功率，并可以增强生成的对抗样本的可转移性。

关键词: 关键词：人脸识别, 对抗攻击, 生成对抗网络, 对抗样本, 可转移性

Abstract: Face recognition is gradually becoming a monitoring tool which posed enormous threats to human privacy. For this reason， the paper proposes a semantic adversarial attack based on generative adversarial networks called SGAN-AA that modifies the significant facial features for images. It predicts the most significant attributes by using cosine similarity or probability score， and uses one or more facial features in white-box and black-box settings for impersonation and dodging attacks. The experimental results show that the method can generate diverse and realistic adversarial facial images while avoiding affecting human perception of facial recognition. The success rate of SGAN-AA's attack on black box models is 80.5%， which is 35.5 percentage points higher than common methods under impersonation attacks. Predicting the most significant attributes will improve the success rate of adversarial attacks in both white-box and black-box settings， and can enhance the transferability of the generated adversarial examples.

Key words: Key words: face recognition, adversarial attack, generative adversarial networks, adversarial example, transferability

中图分类号:

TP391

王鑫, 肖韬睿. 基于生成对抗网络的人脸识别对抗攻击[J]. 计算机与现代化, 2023, 0(10): 115-120.

WANG Xin, XIAO Tao-rui. GAN-based Adversarial Attacks on Face Recognition[J]. Computer and Modernization, 2023, 0(10): 115-120.

参考文献

［1］ HOU J W， WANG Z H， LI Y G. A network for makeup face verification based upon deep learning［C］// Proceedings of the 2020 IEEE 5th International Conference on Image， Vision and Computing （ICIVC）. 2020:123-127.
［2］ MINAEE S， ABDOLRASHIDI A， SU H， et al. Biometrics recognition using deep learning: A survey［J］. Artificial Intelligence Review， 2023，56（8）:8647-8695.
［3］ BALDA E R， BEHBOODI A， MATHAR R. Adversarial examples in deep neural networks: An overview［M］// Deep Lear-
ning: Algorithms and Applications. Springer， 2020:31-65.
［4］ SABLAYROLLES A， DOUZE M， SCHMID C， et al. White-box vs black-box: Bayes optimal strategies for membership inference［C］// Proceedings of the 36th International Conference on Machine Learning. 2019:5558-5567.
［5］ CHOI Y， CHOI M， KIM M， et al. StarGAN: Unified generative adversarial networks for multi-domain image-to-image translation［C］// Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition. 2018:8789-8797.
［6］ LIU M， DING Y K， XIA M， et al. STGAN: A unified selective transfer network for arbitrary image attribute editing［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2019:3673-3682.
［7］ HE Z L， ZUO W M， KAN M N， et al. AttGAN: Facial attribute editing by only changing what you want［J］. IEEE Transactions on Image Processing， 2019，28（11）:5464-5478.
［8］ KAKIZAKI K， MIYAGAWA T， SINGH I， et al. Toward practical adversarial attacks on face verification systems［C］// Proceedings of the 2021 International Conference of the Biometrics Special Interest Group （BIOSIG）. 2021. DOI: 10.1109/BIOSIG52210.2021.9548310.
［9］ XIA P P， ZHANG L， LI F Z. Learning similarity with cosine similarity ensemble［J］. Information Sciences， 2015，307:39-52.
［10］ BROCKER J. Evaluating raw ensembles with the continuous ranked probability score［J］. Quarterly Journal of the Royal Meteorological Society， 2012，138（667）:1611-1617.
［11］ DAI Y M， GIESEKE F， OEHMCKE S， et al. Attentional feature fusion［C］// Proceedings of the 2021 IEEE/CVF Winter Conference on Applications of Computer Vision. 2021:3559-3568.
［12］ GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572， 2014.
［13］ KURAKIN A， GOODFELLOW I， BENGIO S. Adversarial examples in the physical world［M］// Artificial Intelligence Safety and Security. Chapman and Hall/CRC， 2018:99-112.
［14］ MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks［J］. arXiv preprint arXiv:1706.06083， 2017.
［15］ DEB D， ZHANG J B， JAIN A K. AdvFaces: Adversarial face synthesis［C］// Proceedings of the 2020 IEEE International Joint Conference on Biometrics （IJCB）. 2020. DOI: 10.1109/IJCB48548.2020.9304898.
［16］ QIU H R， XIAO C W， YANG L， et al. SemanticAdv: Generating adversarial examples via attribute-conditioned image editing［C］// Proceedings of the 2020 16th European Conference on Computer Vision. 2020:19-37.
［17］ REN H L， HUANG T， YAN H Y. Adversarial examples: Attacks and defenses in the physical world［J］. International Journal of Machine Learning and Cybernetics， 2021，12（11）:3325-3336.
［18］ AKHTAR N， MIAN A. Threat of adversarial attacks on deep learning in computer vision: A survey［J］. IEEE Access， 2018，6:14410-14430.
［19］ DENG J K， GUO J， XUE N N， et al. ArcFace: Additive angular margin loss for deep face recognition［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2019:4685-4694.
［20］ LIU Z W， LUO P， WANG X G， et al. Large-scale celebfaces attributes （celebA） dataset［DB/OL］. ［2023-05-20］. https://mmlab.ie.cuhk.edu.hk/projects/CelebA.html.
［21］ SCHROFF F， KALENICHENKO D， PHILBIN J. FaceNet: A unified embedding for face recognition and clustering［C］// Proceedings of the IEEE 2015 Conference on Computer Vision and Pattern Recognition. 2015:815-823.
［22］ LIU W Y， WEN Y D， YU Z D， et al. SphereFace: Deep hypersphere embedding for face recognition［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. 2017:6738-6746.
［23］ WANG H， WANG Y T， ZHOU Z， et al. CosFace: Large margin cosine loss for deep face recognition［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2018:5265-5274.
［24］ TARG S， ALMEIDA D， LYMAN K. Resnet in resnet: Generalizing residual architectures［J］. arXiv preprint arXiv:1603.08029， 2016.
［25］ CHINAEV N， CHIGORIN A， LAPTEV I. MobileFace: 3D face reconstruction with efficient CNN regression［J］. arXiv preprint arXiv:1809.08809， 2018.
［26］ WEI X X， GUO Y， YU J. Adversarial sticker: A stealthy attack method in the physical world［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2023，45（3）:2711-2725.
［27］ ZOLFI A， AVIDAN S， ELOVICI Y， et al. Adversarial mask: Real-world universal adversarial attack on face recognition models［C］// Proceedings of the 2022 Joint European Conference on Machine Learning and Knowledge Discovery in Databases. 2022:304-320.

[1]	徐新爱, 李钢. 基于DCGAN的课堂表情图像生成方法[J]. 计算机与现代化, 2024, 0(08): 88-91.
[2]	王志强, 郑爽. 基于半监督学习的StyleGAN图像生成模型[J]. 计算机与现代化, 2024, 0(06): 14-18.
[3]	卢梓菡1, 张东1, 杨艳1, 杨双2. 基于生成对抗网络的乳腺癌免疫组化图像生成[J]. 计算机与现代化, 2024, 0(03): 92-96.
[4]	刘彦红, 杨秋翔. 改进生成对抗网络的图像去雾算法[J]. 计算机与现代化, 2024, 0(02): 56-63.
[5]	付鸿林, 张太红, 杨雅婷, 艾孜麦提·艾瓦尼尔, 马博. 基于生成对抗网络的维语场景文字修改网络[J]. 计算机与现代化, 2024, 0(01): 41-46.
[6]	黎世达, 项剑文. 一种提高图像识别模型鲁棒性的弱化强化方法[J]. 计算机与现代化, 2023, 0(10): 70-76.
[7]	江蕾, 唐建, 杨超越, 吕婷婷. 基于CWGAN-GP与CNN的轴承故障诊断方法[J]. 计算机与现代化, 2023, 0(07): 1-6.
[8]	李海涛, 胡泽涛, 张俊虎. 基于NS-StyleGAN2的鱼类图像扩充方法[J]. 计算机与现代化, 2023, 0(01): 13-17.
[9]	庄文华, 唐晓刚, 张斌权, 原光明. 基于生成对抗网络的高照度可见光图像生成[J]. 计算机与现代化, 2023, 0(01): 1-6.
[10]	李世宝, 王杰伟, 崔学荣, 刘建航, 黄庭培. 基于图像着色的无限制攻击[J]. 计算机与现代化, 2022, 0(11): 52-59.
[11]	彭鹏菲, 周琳茹. 加入奖励的GRU对抗网络文本生成模型[J]. 计算机与现代化, 2022, 0(07): 121-126.
[12]	翟慧聪, 张明, 邓星, 王利群. 基于生成对抗网络的图像动漫化[J]. 计算机与现代化, 2022, 0(07): 21-26.
[13]	秦鸣乐, 年梅, 张俊, . 基于深度生成对抗网络的恶意TLS流量识别[J]. 计算机与现代化, 2022, 0(04): 121-126.
[14]	陈云翔, 王巍, 宁娟, 陈怡丹, 赵永新, 周庆华. PSWGAN-GP:改进梯度惩罚的生成对抗网络[J]. 计算机与现代化, 2022, 0(04): 21-26.
[15]	李阳阳, 杨英光. 基于生成对抗网络的社交机器人检测[J]. 计算机与现代化, 2022, 0(03): 1-6.