azrealwang / SGADV

1 stars 0 forks source link

Similarity-based Gray-box Adversarial Attack Against Deep Face Recognition

Hanrui Wang, Shuo Wang, Zhe Jin, Yandan Wang, Cunjian Chen, Massimo Tistarelli

PDF

The majority of adversarial attack techniques perform well against deep face recognition when the full knowledge of the system is revealed (white-box). However, such techniques act unsuccessfully in the gray-box setting where the face templates are unknown to the attackers. In this work, we propose a similarity-based gray-box adversarial attack (SGADV) technique.

This is a single-task attack. We have a new Multi-task version, which targets more challenging scenarios.

scenario

Contents

Main Requirements

Data Preparation

Source image name must satisfy 00000_0.jpg. 00000 and _0 indicates the image id and user id/class/label, respectively. The image id must be unique and auto-increment from 00000. .jpg can be any image file format.

20 source samples have been prepared for the demo.

Pretrained Models

Usage

Run attack:

python SGADV.py

Objective function: foolbox/attacks/gradient_descent_base.py

New developed tools: foolbox/utils.py

Filter objects of CelebA: tools/fetch_celebAhq.py

Feature embeddings and save to .mat: tools/feature_embedding.py

Results

Attack Success Rate (ASR)

Dataset EER (%) ASR - White box(%) ASR - Gray box(%)
FaceNet 1.2 100 98.74
InsightFace 6.23 100 93.23

Citation

If using this project in your research, please cite our paper.

@inproceedings{wang2021similarity,
  title={Similarity-based Gray-box Adversarial Attack Against Deep Face Recognition},
  author={Wang, Hanrui and Wang, Shuo and Jin, Zhe and Wang, Yandan and Chen, Cunjian and Tistarelli, Massimo},
  booktitle={2021 16th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2021)},
  pages={1--8},
  year={2021},
}

Acknowledgement

Contact

If you have any questions about our work, please do not hesitate to contact us by email.

Hanrui Wang: hanrui_wang@nii.ac.jp