GAN-based Adversarial Attacks on Face Recognition

doi:10.3969/j.issn.1006-2475.2023.10.017

Abstract

Abstract: Face recognition is gradually becoming a monitoring tool which posed enormous threats to human privacy. For this reason， the paper proposes a semantic adversarial attack based on generative adversarial networks called SGAN-AA that modifies the significant facial features for images. It predicts the most significant attributes by using cosine similarity or probability score， and uses one or more facial features in white-box and black-box settings for impersonation and dodging attacks. The experimental results show that the method can generate diverse and realistic adversarial facial images while avoiding affecting human perception of facial recognition. The success rate of SGAN-AA's attack on black box models is 80.5%， which is 35.5 percentage points higher than common methods under impersonation attacks. Predicting the most significant attributes will improve the success rate of adversarial attacks in both white-box and black-box settings， and can enhance the transferability of the generated adversarial examples.

Key words: Key words: face recognition, adversarial attack, generative adversarial networks, adversarial example, transferability

CLC Number:

TP391

WANG Xin, XIAO Tao-rui. GAN-based Adversarial Attacks on Face Recognition[J]. Computer and Modernization, 2023, 0(10): 115-120.

References ［27］

［1］	HOU J W， WANG Z H， LI Y G. A network for makeup face verification based upon deep learning［C］// Proceedings of the 2020 IEEE 5th International Conference on Image， Vision and Computing （ICIVC）. 2020:123-127.
［2］	MINAEE S， ABDOLRASHIDI A， SU H， et al. Biometrics recognition using deep learning: A survey［J］. Artificial Intelligence Review， 2023，56（8）:8647-8695.
［3］	BALDA E R， BEHBOODI A， MATHAR R. Adversarial examples in deep neural networks: An overview［M］// Deep Lear-
	ning: Algorithms and Applications. Springer， 2020:31-65.
［4］	SABLAYROLLES A， DOUZE M， SCHMID C， et al. White-box vs black-box: Bayes optimal strategies for membership inference［C］// Proceedings of the 36th International Conference on Machine Learning. 2019:5558-5567.
［5］	CHOI Y， CHOI M， KIM M， et al. StarGAN: Unified generative adversarial networks for multi-domain image-to-image translation［C］// Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition. 2018:8789-8797.
［6］	LIU M， DING Y K， XIA M， et al. STGAN: A unified selective transfer network for arbitrary image attribute editing［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2019:3673-3682.
［7］	HE Z L， ZUO W M， KAN M N， et al. AttGAN: Facial attribute editing by only changing what you want［J］. IEEE Transactions on Image Processing， 2019，28（11）:5464-5478.
［8］	KAKIZAKI K， MIYAGAWA T， SINGH I， et al. Toward practical adversarial attacks on face verification systems［C］// Proceedings of the 2021 International Conference of the Biometrics Special Interest Group （BIOSIG）. 2021. DOI: 10.1109/BIOSIG52210.2021.9548310.
［9］	XIA P P， ZHANG L， LI F Z. Learning similarity with cosine similarity ensemble［J］. Information Sciences， 2015，307:39-52.
［10］	BROCKER J. Evaluating raw ensembles with the continuous ranked probability score［J］. Quarterly Journal of the Royal Meteorological Society， 2012，138（667）:1611-1617.
［11］	DAI Y M， GIESEKE F， OEHMCKE S， et al. Attentional feature fusion［C］// Proceedings of the 2021 IEEE/CVF Winter Conference on Applications of Computer Vision. 2021:3559-3568.
［12］	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572， 2014.
［13］	KURAKIN A， GOODFELLOW I， BENGIO S. Adversarial examples in the physical world［M］// Artificial Intelligence Safety and Security. Chapman and Hall/CRC， 2018:99-112.
［14］	MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks［J］. arXiv preprint arXiv:1706.06083， 2017.
［15］	DEB D， ZHANG J B， JAIN A K. AdvFaces: Adversarial face synthesis［C］// Proceedings of the 2020 IEEE International Joint Conference on Biometrics （IJCB）. 2020. DOI: 10.1109/IJCB48548.2020.9304898.
［16］	QIU H R， XIAO C W， YANG L， et al. SemanticAdv: Generating adversarial examples via attribute-conditioned image editing［C］// Proceedings of the 2020 16th European Conference on Computer Vision. 2020:19-37.
［17］	REN H L， HUANG T， YAN H Y. Adversarial examples: Attacks and defenses in the physical world［J］. International Journal of Machine Learning and Cybernetics， 2021，12（11）:3325-3336.
［18］	AKHTAR N， MIAN A. Threat of adversarial attacks on deep learning in computer vision: A survey［J］. IEEE Access， 2018，6:14410-14430.
［19］	DENG J K， GUO J， XUE N N， et al. ArcFace: Additive angular margin loss for deep face recognition［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2019:4685-4694.
［20］	LIU Z W， LUO P， WANG X G， et al. Large-scale celebfaces attributes （celebA） dataset［DB/OL］. ［2023-05-20］. https://mmlab.ie.cuhk.edu.hk/projects/CelebA.html.
［21］	SCHROFF F， KALENICHENKO D， PHILBIN J. FaceNet: A unified embedding for face recognition and clustering［C］// Proceedings of the IEEE 2015 Conference on Computer Vision and Pattern Recognition. 2015:815-823.
［22］	LIU W Y， WEN Y D， YU Z D， et al. SphereFace: Deep hypersphere embedding for face recognition［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. 2017:6738-6746.
［23］	WANG H， WANG Y T， ZHOU Z， et al. CosFace: Large margin cosine loss for deep face recognition［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2018:5265-5274.
［24］	TARG S， ALMEIDA D， LYMAN K. Resnet in resnet: Generalizing residual architectures［J］. arXiv preprint arXiv:1603.08029， 2016.
［25］	CHINAEV N， CHIGORIN A， LAPTEV I. MobileFace: 3D face reconstruction with efficient CNN regression［J］. arXiv preprint arXiv:1809.08809， 2018.
［26］	WEI X X， GUO Y， YU J. Adversarial sticker: A stealthy attack method in the physical world［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2023，45（3）:2711-2725.
［27］	ZOLFI A， AVIDAN S， ELOVICI Y， et al. Adversarial mask: Real-world universal adversarial attack on face recognition models［C］// Proceedings of the 2022 Joint European Conference on Machine Learning and Knowledge Discovery in Databases. 2022:304-320.

[1]	FU Hong-lin, ZHANG Tai-hong, YANG Ya-ting, Aizimaiti Aiwanier, MA Bo. Scenes Text Modification Network for Uyghur Based on Generative Adversarial Network [J]. Computer and Modernization, 2024, 0(01): 41-46.
[2]	LI Shi-da, XIANG Jian-wen. A Weakened Joint Reinforcement Method to Improve Robustness of Image Recognition Models [J]. Computer and Modernization, 2023, 0(10): 70-76.
[3]	LI Hai-tao, HU Ze-tao, ZHANG Jun-hu. Method of Fish Image Expansion Based on NS-StyleGAN2 Network [J]. Computer and Modernization, 2023, 0(01): 13-17.
[4]	LI Shi-bao, WANG Jie-wei, CUI Xue-rong, LIU Jian-hang, HUANG Ting-pei. Unrestricted Attack Based on Colorization [J]. Computer and Modernization, 2022, 0(11): 52-59.
[5]	ZHAI Hui-cong, ZHANG Ming, DENG Xing, WANG Li-qun. Image Animation Based on Generative Adversarial Networks [J]. Computer and Modernization, 2022, 0(07): 21-26.
[6]	LI Yang-yang, YANG Ying-guang. Social Bots Detection Based on Generative Adversarial Networks [J]. Computer and Modernization, 2022, 0(03): 1-6.
[7]	LIU Yi-hao. A Method to Generate Features of Mimicry Honeypot Based on Generative Adversarial Networks [J]. Computer and Modernization, 2021, 0(07): 120-126.
[8]	LI Shi-bao, CAO Da-peng, LIU Jian-hang. CGAN-based Adversarial Example Defense Method [J]. Computer and Modernization, 2021, 0(07): 65-70.
[9]	CHEN Yuan-yuan, LIU Hui-yi. Damaged Old Photos Inpainting Based on Generative Adversarial Networks [J]. Computer and Modernization, 2021, 0(04): 42-47.
[10]	MA Yue. Smoke Removal Algorithm of Medical Operation Image Based on Conditional Generative Adversarial Network [J]. Computer and Modernization, 2021, 0(01): 50-55.
[11]	ZHOU Li1,2, SHEN Guo-wei1,2, ZHAO Wen-bo1,2, ZHOU Xue-mei1,2. A Heterogeneous Information Network Represention Learning Method Based on GAN [J]. Computer and Modernization, 2020, 0(05): 89-.
[12]	LI Hua-ying1, LIN Dao-yu2, ZHANG Jie1, LIU Bi-xin1 . Cloud Removal Algorithm of Remote Sensing Image Based on GANs [J]. Computer and Modernization, 2019, 0(11): 13-.