Physical World Adversarial Attack on MTCNN Face Detection System
Abstract: The multi-task convolutional neural network (MTCNN) has become a research hotspot because it can perform face detection and facial feature labeling at the same time. Existing research shows that any neural-network-based system is susceptible to adversarial attacks, so researchers are working on more robust models and more effective defense strategies to improve the security and reliability of models in practical applications. Attacks in the physical domain are more challenging than attacks in the digital domain because of environmental changes. The article therefore proposes an attack method against MTCNN face detection systems in both the physical and digital domains. First, following a data augmentation approach, the generated patch is overlaid on the original image and used as the input to P-Net, so that facial features are fused with the patch; when the adversarial patch is trained, the loss is minimized over multiple images in a batch, which reduces the loss across images with different patch sizes and brightness. Second, a projective transformation is used to approximate the curved boundaries of the patch, further strengthening the fusion between the patch and the face. Finally, the scale that contributes most is detected in order to reduce the probability that the face is detected. The method is compared with other methods on two publicly available datasets, where the attack success rate increases by an average of 12.63% and 14.47%, respectively, over existing schemes. In the physical domain, an attack success rate of 91% is achieved. In addition, several parameter analyses verify that the proposed scheme is not sensitive to the scaling step size, the training set size, or the quality of the training data, and that it keeps a good attack success rate under different parameter settings. The proposed method can therefore attack MTCNN effectively in both the physical and digital domains.
Author: HE Tianlan (何天兰) (School of Engineering and Technology, Yangon University Quanzhou, Quanzhou, Fujian 362014, China)
Source: Journal of Jiujiang University: Natural Science Edition (《九江学院学报(自然科学版)》), CAS, 2024, No. 2, pp. 57-63 (7 pages)
Funding: One of the outcomes of the Fujian Province Education and Research Project for Young and Middle-aged Teachers (No. JAT210496).
Keywords: MTCNN; adversarial attack; physical attack