Research On Adversarial Samples For Black-box Attack Of Face Recognition Models

Posted on: 2023-11-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yan
GTID: 2568306836472164
Subject: Electronic and communication engineering

Abstract/Summary:
In recent years, with the emergence of adversarial samples that can threaten the performance of deep neural networks, research on attack and defense methods for them has become an extremely important topic in the field of deep learning. The existence of adversarial samples not only affects the development of academic research, but also causes immeasurable losses in all aspects of people's production and life. For example, face recognition for online payment in the financial market, which is closely tied to people's livelihood, may bring huge security risks to both parties of a transaction because of adversarial samples. This paper studies in depth the attack and transferability of adversarial samples on face recognition models. The whole paper consists of the following two groups of research points:

1. From the point of view of face image representations, an algorithm is constructed that can generate face adversarial samples with stronger migration capability. A black-box attack method for face recognition based on deep image prior, called DIP-Fawkes, is proposed. In this algorithm, both latent coding and a generator network are used to express face images, and the parameters representing the faces are transferred to the generator network during the optimization. With this further expansion of the search space, the number of parameters is increased from 25,000 to 2 million, which is greatly helpful for obtaining the optimal solution. Experimental results show that when DIP-Fawkes attacks FaceNet and ArcFace on the LFW dataset, compared with Fawkes, attack accuracy is improved by 6% and 5% respectively, and the face verification rate on FaceNet and ArcFace remains at about 28% and 30% respectively. It has significant advantages in objective evaluation indexes, and significantly improves the migration capability of adversarial samples in face recognition.

2. From the point of view of loss optimization, the paper discusses how to further improve the migration capability of face adversarial samples based on DIP-Fawkes. Two transferability enhancement operations, target feature and visual mask, are introduced into the optimization, and the improved methods are denoted DIP-Fawkes-T and DIP-Fawkes-TM respectively. Experimental results show that the target feature can effectively guide the selection of the feature direction of the face adversarial samples, and that it does improve their transferability. Compared with DIP-Fawkes, the attack accuracy of DIP-Fawkes-T on FaceNet and ArcFace is improved by about 1%. In addition, the visual mask can also play a positive role in the transferability of face adversarial samples. Compared with DIP-Fawkes-T, DIP-Fawkes-TM improves the attack accuracy by about 2% on ArcFace models.

Keywords/Search Tags: Deep Learning, Adversarial Example, Face Recognition, Migration Attack, Deep Image Prior