Top

Neural Computing and Applications

Published in:

25-02-2024 | Original Article

Black-box attacks on face recognition via affine-invariant training

Authors: Bowen Sun, Hang Su, Shibao Zheng

Published in: Neural Computing and Applications | Issue 15/2024

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Deep neural network (DNN)-based face recognition has shown impressive performance in verification; however, recent studies reveal a vulnerability in deep face recognition algorithms, making them susceptible to adversarial attacks. Specifically, these attacks can be executed in a black-box manner with limited knowledge about the target network. While this characteristic is practically significant due to hidden model details in reality, it presents challenges such as high query budgets and low success rates. To improve the performance of attacks, we establish the whole framework through affine-invariant training, serving as a substitute for inefficient sampling. We also propose AI-block—a novel module that enhances transferability by introducing generalized priors. Generalization is achieved by creating priors with stable features when sampled over affine transformations. These priors guide attacks, improving efficiency and performance in black-box scenarios. The conversion via AI-block enables the transfer gradients of a surrogate model to be used as effective priors for estimating the gradients of a black-box model. Our method leverages this enhanced transferability to boost both transfer-based and query-based attacks. Extensive experiments conducted on 5 commonly utilized databases and 7 widely employed face recognition models demonstrate a significant improvement of up to 11.9 percentage points in success rates while maintaining comparable or even reduced query times.

previous article MSAT: biologically inspired multistage adaptive threshold for conversion of spiking neural networks

next article A seq2seq learning method for microscopic emission estimation of on-road vehicles

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

https://github.com/deepinsight/insightface/wiki/Dataset-Zoo

Liu W, Wen Y, Yu Z, Li M, Raj B, Song L (2017) Sphereface: deep hypersphere embedding for face recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 212–220

Biggio B, Corona I, Maiorca D, Nelson B, Šrndić N, Laskov P, Giacinto G, Roli F (2013) Evasion attacks against machine learning at test time. In: Joint European conference on machine learning and knowledge discovery in databases, pp 387–402. Springer

Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2013) Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199

Carlini N, Wagner D (2017) Toward evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (sp), pp 39–57. IEEE

Wang B, Chen W, Pei H, Xie C, Kang M, Zhang C, Xu C, Xiong Z, Dutta R, Schaeffer R, et al (2023) Decodingtrust: a comprehensive assessment of trustworthiness in gpt models. arXiv preprint arXiv:2306.11698

Wei A, Haghtalab N, Steinhardt J (2023) Jailbroken: how does llm safety training fail? arXiv preprint arXiv:2307.02483

Chen P-Y, Zhang H, Sharma Y, Yi J, Hsieh C-J (2017) Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM workshop on artificial intelligence and security, pp 15–26

Cheng M, Le T, Chen P-Y, Yi J, Zhang H, Hsieh C-J (2018) Query-efficient hard-label black-box attack: An optimization-based approach. arXiv preprint arXiv:1807.04457

Bhagoji AN, He W, Li B, Song D (2018) Practical black-box attacks on deep neural networks using efficient query mechanisms. In: Proceedings of the European conference on computer vision (ECCV), pp 154–169

10.

Narodytska N, Kasiviswanathan SP (2016) Simple black-box adversarial perturbations for deep networks. arXiv preprint arXiv:1612.06299

11.

Brendel W, Rauber J, Bethge M (2017) Decision-based adversarial attacks: reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248

12.

Alzantot M, Sharma Y, Chakraborty S, Zhang H, Hsieh C-J, Srivastava MB (2019) Genattack: practical black-box attacks with gradient-free optimization. In: Proceedings of the genetic and evolutionary computation conference, pp 1111–1119

13.

Guo C, Gardner J, You Y, Wilson AG, Weinberger K (2019) Simple black-box adversarial attacks. In: International conference on machine learning, pp 2484–2493. PMLR

14.

Cheng S, Dong Y, Pang T, Su H, Zhu J (2019) Improving black-box adversarial attacks with a transfer-based prior. arXiv preprint arXiv:1906.06919

15.

Papernot N, McDaniel P, Goodfellow I, Jha S, Celik ZB, Swami A (2017) Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security, pp 506–519

16.

Dong Y, Pang T, Su H, Zhu J (2019) Evading defenses to transferable adversarial examples by translation-invariant attacks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 4312–4321

17.

Turk M, Pentland A (1991) Eigenfaces for recognition. J Cogn Neurosci 3(1):71–86CrossRef

18.

Belhumeur PN, Hespanha JP, Kriegman DJ (1997) Eigenfaces vs. fisherfaces: recognition using class specific linear projection. IEEE Trans Pattern Anal Mach Intell 19(7):711–720CrossRef

19.

Ruichek Y et al (2018) Local concave-and-convex micro-structure patterns for texture classification. Pattern Recogn 76:303–322CrossRef

20.

Najafi Khanbebin S, Mehrdad V (2021) Local improvement approach and linear discriminant analysis-based local binary pattern for face recognition. Neural Comput Appl 33:7691–7707CrossRef

21.

Krizhevsky A, Sutskever I, Hinton GE (2017) Imagenet classification with deep convolutional neural networks. Commun ACM 60(6):84–90CrossRef

22.

Deng J, Dong W, Socher R, Li L-J, Li K, Fei-Fei L (2009) Imagenet: a large-scale hierarchical image database. In: 2009 IEEE conference on computer vision and pattern recognition, pp 248–255. IEEE

23.

He K, Zhang X, Ren S, Sun J (2016) Identity mappings in deep residual networks. In: European conference on computer vision, pp 630–645. Springer

24.

Huang G, Liu Z, Van Der Maaten L, Weinberger KQ (2017) Densely connected convolutional networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 4700–4708

25.

Wang H, Wang Y, Zhou Z, Ji X, Gong D, Zhou J, Li Z, Liu W (2018) Cosface: Large margin cosine loss for deep face recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 5265–5274

26.

Deng J, Guo J, Niannan X, Zafeiriou S (2019) Arcface: additive angular margin loss for deep face recognition. In: CVPR

27.

Howard AG, Zhu M, Chen B, Kalenichenko D, Wang W, Weyand T, Andreetto M, Adam H (2017) Mobilenets: efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861

28.

Chen S, Liu Y, Gao X, Han Z (2018) Mobilefacenets: Efficient cnns for accurate real-time face verification on mobile devices. In: Chinese conference on biometric recognition, pp 428–438. Springer

29.

Zhang X, Zhou X, Lin M, Sun J (2018) Shufflenet: An extremely efficient convolutional neural network for mobile devices. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 6848–6856

30.

Luo X, Xu Y, Yang J (2019) Multi-resolution dictionary learning for face recognition. Pattern Recogn 93:283–292CrossRef

31.

Lee Y-C, Chen J, Tseng CW, Lai S-H (2016) Accurate and robust face recognition from RGB-d images with a deep learning approach. BMVC 1:3

32.

Zulqarnain Gilani S, Mian A (2018) Learning from millions of 3d scans for large-scale 3d face recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 1896–1905

33.

Mu G, Huang D, Hu G, Sun J, Wang Y (2019) Led3d: a lightweight and efficient deep approach to recognizing low-quality 3d faces. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 5773–5782

34.

Kim M, Jain AK, Liu X (2022) Adaface: quality adaptive margin for face recognition. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 18750–18759

35.

Yang X, Yang D, Dong Y, Yu W, Su H, Zhu J (2020) Delving into the adversarial robustness on face recognition. arXiv preprint arXiv:2007.04118

36.

Dong Y, Su H, Wu B, Li Z, Liu W, Zhang T, Zhu J (2019) Efficient decision-based black-box adversarial attacks on face recognition. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 7714–7722

37.

Nesterov Y, Spokoiny V (2017) Random gradient-free minimization of convex functions. Found Comput Math 17(2):527–566MathSciNetCrossRef

38.

Ilyas A, Engstrom L, Athalye A, Lin J (2018) Black-box adversarial attacks with limited queries and information. In: International conference on machine learning, pp 2137–2146. PMLR

39.

Ilyas A, Engstrom L, Madry A (2018) Prior convictions: black-box adversarial attacks with bandits and priors. arXiv preprint arXiv:1807.07978

40.

Goodfellow IJ, Shlens J, Szegedy C (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572

41.

Kurakin A, Goodfellow I, Bengio S (2016) Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533

42.

Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A (2017) Toward deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083

43.

Dong Y, Liao F, Pang T, Su H, Zhu J, Hu X, Li J (2018) Boosting adversarial attacks with momentum. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 9185–9193

44.

Gildenblat J, contributors (2021) PyTorch library for CAM methods. GitHub

45.

Worrall DE, Garbin SJ, Turmukhambetov D, Brostow GJ (2017) Harmonic networks: deep translation and rotation equivariance. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 5028–5037

46.

Kingma DP, Ba J (2014) Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980

47.

Nirkin Y, Masi I, Tuan AT, Hassner T, Medioni G (2018) On face segmentation, face swapping, and face perception. In: 2018 13th IEEE international conference on automatic face & gesture recognition (FG 2018), pp 98–105. IEEE

48.

Jaderberg M, Simonyan K, Zisserman A, et al (2015) Spatial transformer networks. In: Advances in neural information processing systems, pp 2017–2025

49.

Huang GB, Mattar M, Berg T, Learned-Miller E (2008) Labeled faces in the wild: a database for studying face recognition in unconstrained environments. In: In Workshop on faces in’Real-Life’Images: detection, alignment, and recognition

50.

Wolf L, Hassner T, Maoz I (2011) Face recognition in unconstrained videos with matched background similarity. In: CVPR 2011, pp 529–534. IEEE

51.

Moschoglou S, Papaioannou A, Sagonas C, Deng J, Kotsia I, Zafeiriou S (2017) Agedb: the first manually collected, in-the-wild age database. In: Proceedings of the IEEE conference on computer vision and pattern recognition workshops, pp 51–59

52.

Sengupta S, Chen J-C, Castillo C, Patel VM, Chellappa R, Jacobs DW (2016) Frontal to profile face verification in the wild. In: 2016 IEEE winter conference on applications of computer vision (WACV), pp 1–9. IEEE

Title: Black-box attacks on face recognition via affine-invariant training
Authors: Bowen Sun
Hang Su
Shibao Zheng
Publication date: 25-02-2024
Publisher: Springer London
Published in: Neural Computing and Applications / Issue 15/2024
Print ISSN: 0941-0643
Electronic ISSN: 1433-3058
DOI: https://doi.org/10.1007/s00521-024-09543-y

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Other articles of this Issue 15/2024

Maximizing renewable energy integration with battery storage in distribution systems using a modified Bald Eagle Search Optimization Algorithm

A 3D-convolutional-autoencoder embedded Siamese-attention-network for classification of hyperspectral images

Application of BiLSTM-CRF model with different embeddings for product name extraction in unstructured Turkish text

Stacked dynamic memory-coattention network for answering why-questions in Arabic

HILP: hardware-in-loop pruning of convolutional neural networks towards inference acceleration

mXception and dynamic image for hand gesture recognition

Premium Partner