A major challenge in developing practical face recognition (FR) attacks is the black-box nature of the target FR model, i.e., its gradient and parameter information is inaccessible to attackers. While recent research has taken an important step towards attacking black-box FR models by leveraging transferability, performance is still limited, especially against online commercial FR systems, where results can be pessimistic (e.g., an attack success rate (ASR) of less than 50% on average). Motivated by this, we present Sibling-Attack, a new FR attack technique that, for the first time, explores a novel multi-task perspective (i.e., leveraging extra information from multiple correlated tasks to boost attack transferability). Intuitively, Sibling-Attack selects a set of tasks correlated with FR and, based on theoretical and quantitative analysis, picks the Attribute Recognition (AR) task as the task used in Sibling-Attack. Sibling-Attack then develops an optimization framework that fuses adversarial gradient information through (1) constraining the cross-task features to lie in the same space, (2) a joint-task meta optimization framework that enhances gradient compatibility among tasks, and (3) a cross-task gradient stabilization method that mitigates the oscillation effect during the attack. Extensive experiments demonstrate that Sibling-Attack outperforms state-of-the-art FR attack techniques by a non-trivial margin, boosting ASR by 12.61% and 55.77% on average on state-of-the-art pre-trained FR models and two well-known, widely used commercial FR systems, respectively.