CNN-based face recognition models have brought remarkable performance improvements, but they are vulnerable to adversarial perturbations. Recent studies have shown that adversaries can fool these models even when they can only access the models' hard-label output. However, since many queries are needed to find imperceptible adversarial noise, reducing the number of queries is crucial for such attacks. In this paper, we point out two limitations of existing decision-based black-box attacks. We observe that they waste queries optimizing noise in the background of the image, and that they do not take advantage of adversarial perturbations already generated for other images. We exploit 3D face alignment to overcome these limitations and propose a general strategy for query-efficient black-box attacks on face recognition, named Geometrically Adaptive Dictionary Attack (GADA). Our core idea is to create an adversarial perturbation in the UV texture map and project it onto the face in the image. This greatly improves query efficiency by limiting the perturbation search space to the facial area and by effectively recycling previous perturbations. We apply the GADA strategy to two existing attack methods and show overwhelming performance improvement in experiments on the LFW and CPLFW datasets. We also present a novel attack strategy that can circumvent query-similarity-based stateful detection, which identifies the process of query-based black-box attacks.
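The abstract closes by referring to query-similarity-based stateful detection, the defensive counterpart of the query-based attacks it studies. The following is an added illustration written for this page of what such a detector does; it is not the paper's code and not the method the paper circumvents. A decision-based black-box attack must send many near-duplicate images to the same API account, so a server that keeps a short history of each client's recent queries can flag a client whose queries are repeatedly closer to each other than benign, distinct images would be. The pooling size, distance threshold, history window and hit count are assumptions chosen for the constructed test images, not values from the paper.

```python
"""Query-similarity stateful detector (added illustration, not the paper's code).

Each client keeps a bounded history of recent queries, reduced to a small
feature vector by average pooling. A query whose RMS pixel distance to any
recent query from the same client falls below a threshold counts as a "hit";
once a client accumulates enough hits it is flagged as a likely query-based
black-box attack. Threshold, window, min_hits and pooling side are assumed
values tuned for the constructed example below, not the paper's settings.
"""
from collections import deque

import numpy as np


class QuerySimilarityDetector:
    def __init__(self, threshold=0.02, window=50, min_hits=3, side=16):
        self.threshold = threshold  # assumed: RMS distance below which two queries are "similar"
        self.window = window        # assumed: how many recent queries to remember per client
        self.min_hits = min_hits    # assumed: similar queries needed before flagging a client
        self.side = side            # assumed: pooled feature resolution (side x side per channel)
        self.history = {}           # client_id -> deque of feature vectors
        self.hits = {}              # client_id -> number of similar queries observed

    def _features(self, img):
        """Average-pool an HxWxC image (values in [0, 1]) to side x side x C."""
        img = np.asarray(img, dtype=np.float64)
        h, w = img.shape[:2]
        bh, bw = h // self.side, w // self.side
        img = img[: bh * self.side, : bw * self.side]  # crop to a multiple of the pool grid
        pooled = img.reshape(self.side, bh, self.side, bw, -1).mean(axis=(1, 3))
        return pooled.ravel()

    @staticmethod
    def _rms_distance(f, g):
        return float(np.sqrt(np.mean((f - g) ** 2)))

    def observe(self, client_id, img):
        """Record one query from client_id; return True if the client now looks like an attack."""
        f = self._features(img)
        hist = self.history.setdefault(client_id, deque(maxlen=self.window))
        similar = any(self._rms_distance(f, g) < self.threshold for g in hist)
        hist.append(f)
        if similar:
            self.hits[client_id] = self.hits.get(client_id, 0) + 1
        return self.hits.get(client_id, 0) >= self.min_hits


def simulate(seed=0, n_benign=20, n_attack=10, noise=0.03):
    """Constructed scenario: one client sends distinct random images, another
    sends small perturbations of the same image. Returns both flag sequences."""
    rng = np.random.default_rng(seed)
    det = QuerySimilarityDetector()
    benign = [det.observe("benign", rng.random((64, 64, 3))) for _ in range(n_benign)]
    base = rng.random((64, 64, 3))  # constructed stand-in for a probe image
    attack = []
    for _ in range(n_attack):
        probe = np.clip(base + rng.uniform(-noise, noise, base.shape), 0.0, 1.0)
        attack.append(det.observe("attacker", probe))
    return benign, attack


if __name__ == "__main__":
    benign, attack = simulate()
    print("benign client flagged:", any(benign))
    print("attacking client flagged at query:", attack.index(True) + 1 if True in attack else None)
```

Average pooling makes the comparison cheap and robust to small per-pixel noise, which is exactly what makes near-duplicate probes stand out: for distinct 64x64 random images the pooled RMS distance is around 0.1, while probes that differ by at most 0.03 per pixel land well below the 0.02 threshold after pooling. A production detector would also need to reset or decay per-client state and to calibrate the threshold on real benign traffic rather than on random images.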