Adv-Makeup: A New Imperceptible and Transferable Attack on Face Recognition
About
Deep neural networks, particularly face recognition models, have been shown to be vulnerable to both digital and physical adversarial examples. However, existing adversarial examples against face recognition systems either lack transferability to black-box models, or fail to be implemented in practice. In this paper, we propose a unified adversarial face generation method - Adv-Makeup, which can realize imperceptible and transferable attack under black-box setting. Adv-Makeup develops a task-driven makeup generation method with the blending module to synthesize imperceptible eye shadow over the orbital region on faces. And to achieve transferability, Adv-Makeup implements a fine-grained meta-learning adversarial attack strategy to learn more general attack features from various models. Compared to existing techniques, sufficient visualization results demonstrate that Adv-Makeup is capable to generate much more imperceptible attacks under both digital and physical scenarios. Meanwhile, extensive quantitative experiments show that Adv-Makeup can significantly improve the attack success rate under black-box setting, even attacking commercial systems.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Face Verification | FFHQ | ASR (IR152)10.03 | 42 | |
| Black-box Attack | CelebA-HQ | IRSE50 Score21.95 | 32 | |
| Face Verification | CelebA-HQ | ASR (IR152)0.1268 | 19 | |
| Image Quality Evaluation | CelebA-HQ | FID4.2282 | 16 | |
| Facial Privacy Protection | FFHQ and CelebA-HQ | FID4.2282 | 10 | |
| Black-box Attack | LADN-Dataset | IRSE5029.64 | 9 | |
| Face Verification | CelebA-HQ | PSR (IRSE50)21.95 | 9 | |
| Face Verification | LADN-Dataset | PSR (IRSE50)29.64 | 9 | |
| Face Recognition Attack | LADN (test) | IR15210.03 | 7 | |
| Face Recognition Attack | FACESCRUB (test) | IR152 Score15.54 | 7 |