Horizon CDT Research Highlights

Adversarial Attacks on Face Recognition Systems

Ioanna Ntinou (2018 cohort), www.linkedin.com/in/ioanna-ntinou-96a162126

Overview

Machine learning algorithms, and deep learning methods in particular, have shown impressive advances in several domains, ranging from image classification [1] and object detection [2] to semantic segmentation [3]. Despite their remarkable performance on challenging tasks, they remain vulnerable to small perturbations in the input domain, known as adversarial attacks. These perturbations, which are often imperceptible to people, turn natural examples into adversarial examples capable of manipulating machine agents into acting on the attacker's will. This vulnerability is exceptionally worrisome given people's growing reliance on machine learning algorithms; characteristic examples are spam detection, credit card fraud detection, medical diagnosis, speech understanding and customer segmentation.

The heavy usage of machine learning algorithms, together with their deployment in security-critical applications, has raised increasing interest in understanding their vulnerabilities and, where possible, in developing algorithms impervious to attacks. Two main research lines arise from the study of adversarial attacks. One focuses on developing attacks that deceive deep neural networks with a high success rate, i.e. on manipulating the model so that it produces an arbitrary target output different from the original one [4, 5]. The other focuses on ways to detect and mitigate these threats [6, 7, 8].

While this topic is heavily studied in the field of machine learning, its application to, and impact on, the domain of facial recognition is yet to be explored. In this domain, an adversarial attack is a scenario in which a network receives an image that looks genuine to the human eye but is in fact crafted to make the network identify a specific person (impersonation attack) or any other arbitrary person (dodging attack). To date, very few works have investigated the vulnerability of facial recognition systems. Some early works [9] explored the generation of accessories in the form of eyeglasses which, when applied in the digital domain, effectively fool face recognition systems. However, embedding crafted eyeglasses is an overt attack that a human can easily spot, even when it successfully deceives a face recognition system. Other methods [10, 11] use inconspicuous geometric attacks that spatially transform genuine (benign) facial images: a transformation imperceptible to the human eye is applied to the face contour and is capable of deceiving face identification agents. This approach, however, suffers from a critical limitation: it is computationally expensive.

Overall, this proposal aims to study the impact of several groups of adversarial attacks on state-of-the-art face recognition models, so as to quantify their vulnerability and then to develop safe face recognition systems.
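The two attack goals defined above (dodging and impersonation) and the aim of quantifying a model's vulnerability can be made concrete as an evaluation harness. The following is an added example and is not code from the proposal or from any of the cited works. It assumes a verification system that compares a probe embedding with an enrolled template by cosine distance and accepts a match at or below a calibrated threshold; the embeddings, identities and "adversarial" probes are hypothetical 3-dimensional vectors constructed here to stand in for a real model's outputs.

```python
"""Robustness evaluation harness for a threshold-based face verifier.

Constructed example: a verifier matches a probe against an enrolled
template when their cosine distance is at or below a threshold.  The
threshold is calibrated on benign genuine/impostor pairs, after which the
harness measures how often a set of (hypothetical) adversarial probes
achieves dodging (no longer matching the true identity) or impersonation
(matching a chosen target identity).
"""
import math
from typing import Dict, List, Optional, Sequence

Vector = Sequence[float]


def cosine_distance(a: Vector, b: Vector) -> float:
    """1 - cosine similarity; 0.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 1.0 - dot / (na * nb)


def calibrate_threshold(genuine: List[float], impostor: List[float]) -> Optional[float]:
    """Pick the match threshold minimising FRR + FAR on benign pairs.

    Candidates are the observed distances; on a tie the strictest (lowest)
    threshold is kept, which is the conservative choice for a verifier.
    """
    best_t, best_err = None, float("inf")
    for t in sorted(set(genuine + impostor)):
        frr = sum(d > t for d in genuine) / len(genuine)   # genuine rejected
        far = sum(d <= t for d in impostor) / len(impostor)  # impostor accepted
        if frr + far < best_err:
            best_t, best_err = t, frr + far
    return best_t


def match(probe: Vector, template: Vector, threshold: float) -> bool:
    """Verifier decision: accept when the probe is close enough to the template."""
    return cosine_distance(probe, template) <= threshold


def dodging_rate(adv_probes: List[Vector], true_template: Vector, threshold: float) -> float:
    """Fraction of adversarial probes that are *not* matched to their true identity."""
    misses = sum(not match(p, true_template, threshold) for p in adv_probes)
    return misses / len(adv_probes)


def impersonation_rate(adv_probes: List[Vector], target_template: Vector, threshold: float) -> float:
    """Fraction of adversarial probes accepted as the chosen target identity."""
    hits = sum(match(p, target_template, threshold) for p in adv_probes)
    return hits / len(adv_probes)


# --- Constructed data (hypothetical embeddings, not real model output) ---
ALICE = (1.0, 0.0, 0.0)  # enrolled template of the true identity
BOB = (0.0, 1.0, 0.0)    # enrolled template of the impersonation target

GENUINE_ALICE = [(0.9, 0.1, 0.0), (0.8, 0.2, 0.1)]       # benign images of Alice
IMPOSTOR_VS_ALICE = [(0.1, 0.9, 0.0), (0.05, 0.85, 0.3)]  # benign images of Bob

# Probes standing in for adversarially perturbed images of Alice.
ADV_DODGING = [(0.6, 0.5, 0.3), (0.95, 0.05, 0.0)]
ADV_IMPERSONATION = [(0.1, 0.95, 0.05), (0.5, 0.5, 0.0)]


def evaluate() -> Dict[str, float]:
    """Calibrate on benign pairs, then report both attack success rates."""
    genuine_d = [cosine_distance(p, ALICE) for p in GENUINE_ALICE]
    impostor_d = [cosine_distance(p, ALICE) for p in IMPOSTOR_VS_ALICE]
    threshold = calibrate_threshold(genuine_d, impostor_d)
    return {
        "threshold": threshold,
        "benign_frr": sum(d > threshold for d in genuine_d) / len(genuine_d),
        "benign_far": sum(d <= threshold for d in impostor_d) / len(impostor_d),
        "dodging_rate": dodging_rate(ADV_DODGING, ALICE, threshold),
        "impersonation_rate": impersonation_rate(ADV_IMPERSONATION, BOB, threshold),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:20s} {value:.4f}")
```

With the constructed vectors the verifier separates benign pairs perfectly (FRR and FAR both 0), yet half of the dodging probes and half of the impersonation probes succeed; reporting the attack rates alongside the benign error rates at the same threshold is what makes a vulnerability claim comparable across models.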

References

[1] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. ImageNet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems, 2012.

[2] Ross Girshick. Fast R-CNN. In Proceedings of the IEEE International Conference on Computer Vision, 2015.

[3] Jonathan Long, Evan Shelhamer, and Trevor Darrell. Fully convolutional networks for semantic segmentation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015.

[4] Tom B. Brown, Dandelion Mané, Aurko Roy, Martín Abadi, and Justin Gilmer. Adversarial patch. arXiv preprint, 2017.

[5] Jiawei Su, Danilo Vasconcellos Vargas, and Kouichi Sakurai. One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 2017.

[6] Alexey Kurakin, Ian Goodfellow, and Samy Bengio. Adversarial examples in the physical world. arXiv preprint, 2016.

[7] Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. Ensemble adversarial training: Attacks and defenses. In International Conference on Learning Representations, 2017.

[8] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. DeepFool: a simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016.

[9] Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter. Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2016.

[10] Ali Dabouei, Sobhan Soleymani, Jeremy Dawson, and Nasser M. Nasrabadi. Fast geometrically-perturbed adversarial faces. arXiv preprint, 2018.

[11] Chaowei Xiao, Jun-Yan Zhu, Bo Li, Warren He, Mingyan Liu, and Dawn Song. Spatially transformed adversarial examples. arXiv preprint, 2018.

This author is supported by the Horizon Centre for Doctoral Training at the University of Nottingham (RCUK Grant No. EP/L015463/1) and DSTL.