Black-box attacks on face recognition via affine-invariant training

Authors
Sun, Bowen [1]
Su, Hang [2]
Zheng, Shibao [1]
Affiliations
[1] Shanghai Jiao Tong Univ, Dept Elect Engn, Shanghai 200240, Peoples R China
[2] Tsinghua Univ, Dept Comp Sci & Technol, Beijing 100084, Peoples R China
Source
NEURAL COMPUTING & APPLICATIONS | 2024 / Vol. 36 / Issue 15
Funding
National Natural Science Foundation of China;
Keywords
Face recognition; Black-box attack; Affine-invariant training; AI-block; EIGENFACES;
DOI
10.1007/s00521-024-09543-y
Chinese Library Classification number
TP18 [Theory of artificial intelligence];
Discipline classification code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Deep neural network (DNN)-based face recognition has shown impressive performance in verification; however, recent studies reveal a vulnerability in deep face recognition algorithms, making them susceptible to adversarial attacks. Specifically, these attacks can be executed in a black-box manner with limited knowledge about the target network. While this characteristic is practically significant due to hidden model details in reality, it presents challenges such as high query budgets and low success rates. To improve the performance of attacks, we establish the whole framework through affine-invariant training, serving as a substitute for inefficient sampling. We also propose AI-block, a novel module that enhances transferability by introducing generalized priors. Generalization is achieved by creating priors with stable features when sampled over affine transformations. These priors guide attacks, improving efficiency and performance in black-box scenarios. The conversion via AI-block enables the transfer gradients of a surrogate model to be used as effective priors for estimating the gradients of a black-box model. Our method leverages this enhanced transferability to boost both transfer-based and query-based attacks. Extensive experiments conducted on 5 commonly utilized databases and 7 widely employed face recognition models demonstrate a significant improvement of up to 11.9 percentage points in success rates while maintaining comparable or even reduced query times.
Pages: 8549-8564
Number of pages: 16