基于生成对抗网络的人脸识别对抗攻击

GAN-based Adversarial Attacks on Face Recognition

人脸识别正在逐渐成为一种监视工具,对人们的隐私产生了巨大威胁。为此,本文提出一种基于生成对抗网络的语义对抗攻击(SGAN-AA),它可以修改图像的显著面部特征,通过使用余弦相似度或可能性评分来预测最显著属性,在白盒和黑盒环境中使用一个或多个面部特征来进行假冒和躲闪攻击。实验结果表明,该方法可以生成多样化、逼真的对抗人脸图像,同时避免影响人类对人脸识别的感知,SGAN-AA对黑盒模型的攻击成功率为80.5%,在假冒攻击下比常用方法高35.5个百分点。预测最显著属性会提升对抗攻击在白盒和黑盒环境中的成功率,并可以增强生成的对抗样本的可转移性。

Face recognition is gradually becoming a monitoring tool which posed enormous threats to human privacy.For this rea-son,the paper proposes a semantic adversarial attack based on generative adversarial networks called SGAN-AA that modifies the significant facial features for images.It predicts the most significant attributes by using cosine similarity or probability score,and uses one or more facial features in white-box and black-box settings for impersonation and dodging attacks.The experimen-tal results show that the method can generate diverse and realistic adversarial facial images while avoiding affecting human per-ception of facial recognition.The success rate of SGAN-AA's attack on black box models is 80.5%,which is 35.5 percentage points higher than common methods under impersonation attacks.Predicting the most significant attributes will improve the suc-cess rate of adversarial attacks in both white-box and black-box settings,and can enhance the transferability of the generated adversarial examples.