
EAP: An effective black-box impersonation adversarial patch attack method on face recognition in the physical world

Published: 02 July 2024

Abstract

Face recognition models and systems based on deep neural networks are vulnerable to adversarial examples. However, existing attacks on face recognition are either impractical or ineffective for black-box impersonation attacks in the physical world. In this paper, we propose EAP, an effective black-box impersonation attack method on face recognition in the physical world. EAP generates adversarial patches that can be printed by mobile and compact printers and attached to the source face to fool face recognition models and systems. To improve the transferability of adversarial patches, our approach incorporates random similarity transformations and image pyramid strategies, increasing input diversity. Furthermore, we introduce a meta-ensemble attack strategy that harnesses multiple pre-trained face models to extract common gradient features. We evaluate the effectiveness of EAP on two face datasets, using 16 state-of-the-art face recognition backbones, 9 heads, and 5 commercial systems. Moreover, we conduct physical experiments to substantiate its practicality. Our results demonstrate that EAP is capable of effectively executing impersonation attacks against state-of-the-art face recognition models and systems in both digital and physical environments.

Published In

Neurocomputing Volume 580, Issue C
May 2024
318 pages

Publisher

Elsevier Science Publishers B. V.

Netherlands

Author Tags

  1. Face recognition
  2. Attacks
  3. Black-box
  4. Adversarial patches
  5. Physical environments

Qualifiers

  • Research-article
