针对人脸识别的物理对抗攻击研究综述

doi:10.11871/jfdc.issn.2096-742X.2023.03.005

数据与计算发展前沿 ›› 2023, Vol. 5 ›› Issue (3): 49-65.

CSTR: 32002.14.jfdc.CN10-1649/TP.2023.03.005

doi: 10.11871/jfdc.issn.2096-742X.2023.03.005

• 专刊：“人工智能&大数据”科研范式变革专刊（下） • 上一篇下一篇

针对人脸识别的物理对抗攻击研究综述

曹灿^1,²(),司强³,游雪松⁴,邓琪瑶²,李琦²,阎志远^5,^*()

1.湖南工业大学，计算机学院，湖南株洲 412008
2.中国科学院自动化研究所，智能感知与技术研究中心，北京 100190
3.中国科学院科技创新发展中心，北京 100190
4.中国国家铁路集团有限公司，北京 100844
5.中国铁道科学研究院集团有限公司，电子计算技术研究所，北京 100081

收稿日期:2022-12-08 出版日期:2023-06-20 发布日期:2023-06-21
通讯作者: *阎志远（E-mail: 13911406127@139.com）
作者简介:曹灿，湖南工业大学，硕士研究生，主要研究方向为对抗攻击。
本文中负责文献整理和论文撰写。
CAO Can is a graduate student at the Hu-nan University of Technology. Her main research interests include face image synthesis and adversarial attacks.
In this paper, she is responsible for literature collation and paper writing.
E-mail: can.cao@cripac.ia.ac.cn|阎志远，中国铁道科学研究院集团有限公司，研究员，主要研究方向为计算机科学与技术。
本文中负责指导与论文的修改、审定。
YAN Zhiyuan, is a researcher at the China Academy of Railway Sciences Corpo-ration Limited. His main research inter-ests include computer science and technology.
In this paper, he is responsible for the guidance and revision of this paper.
E-mail: 13911406127@139.com
基金资助:
中国国家铁路集团有限公司科技研究开发计划课题(N2021X026)

A Survey on Physical Adversarial Attacks towards Face Recognition

CAO Can^1,²(),SI Qiang³,YOU Xuesong⁴,DENG Qiyao²,LI Qi²,YAN Zhiyuan^5,^*()

1. College of Computer Science, Hunan University of Technology, Zhuzhou, Hunan 412008, China
2. Center for Research on Intelligent Perception and Computing, Institute of Automation, Chinese Academy of Sciences, Beijing 100190, China
3. Science and Technology Innovation and Development Center, CAS,Beijing 100190, China
4. China State Railway Group Co.,Ltd., Beijing 100844, China
5. Institute of Computing Technologies, China Academy of Railway Sciences Corporation Limited, Beijing 100081, China

Received:2022-12-08 Online:2023-06-20 Published:2023-06-21

摘要/Abstract

摘要：

【目的】 近年来，针对人脸识别的对抗攻击方法频出。其中，物理对抗攻击方法可直接在物理世界中攻击人脸识别系统，相比于数字对抗攻击有更高的研究价值。【方法】 首先对人脸识别与对抗攻击的基本概念与背景知识进行介绍；然后分别从增强物理对抗样本的鲁棒性以及迁移性两个角度，整理介绍物理对抗攻击中常用的优化方法；进一步，对现有的针对人脸识别的物理对抗攻击方法进行分析介绍。【结果】 以人脸识别对抗攻击在物理领域的可行性为线索，按照不同的扰动呈现形式将针对人脸识别的物理攻击方法分为三类：基于配件、基于物理光线和基于贴纸，然后从鲁棒性和迁移性两方面系统分析了不同类别的优劣。【结论】 针对人脸识别的物理对抗攻击仍然还存在亟待解决的问题，同时其在人脸识别的发展与公共安全的维护等方面具有重要的作用。

关键词: 物理对抗攻击, 对抗样本, 人脸识别, 鲁棒性, 迁移性

Abstract:

[Purpose] In recent years, adversarial attack methods against face recognition have emerged frequ-ently. Among them, physical adversarial attack methods can attack face recognition systems directly in the physical world, which has a higher research value compared with the digital adversarial attacks. [Methods] Firstly, the basic concepts and background knowledge of face recognition and adversarial attacks are introduced. Then, the optimization methods commonly used in physical adversarial attacks are organized and introduced from two aspects of enhancing the robustness and transferability of physical adversarial samples, respectively. Further, the existing physical adversarial attack methods for face recognition are analyzed and introduced. [Results] Taking the feasibility of face recognition adversarial attacks in the physical domain as a clue, the physical attack methods against face recognition are classified into three categories according to different forms of perturbation presentation: accessory-based, physical light-based, and sticker-based. Then the advantages and disadvantages of different categories are systematically analyzed in terms of both robustness and migration. [Conclusions] Though physical adversarial attacks against face recognition still have urgent problems to be solved, they play an important role in the development of face recognition and maintenance of public security.

Key words: physical adversarial attack, adversarial example, face recognition, robustness, transferability

曹灿, 司强, 游雪松, 邓琪瑶, 李琦, 阎志远. 针对人脸识别的物理对抗攻击研究综述[J]. 数据与计算发展前沿, 2023, 5(3): 49-65.

CAO Can, SI Qiang, YOU Xuesong, DENG Qiyao, LI Qi, YAN Zhiyuan. A Survey on Physical Adversarial Attacks towards Face Recognition[J]. Frontiers of Data and Computing, 2023, 5(3): 49-65, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2023.03.005.

图/表 9

图1

图2

图3

图4

图5

表1

图6

图7

图8

参考文献 56

[1]	Szegedy C, Zaremba W, Sutskever I, et al. Intriguing pro-perties of neural networks[C]// Proceedings of the Intern-ational Conference on Learning Representations, 2014:1-10.
[2]	Dong Y, Su H, Wu B, et al. Efficient Decision-Based Black-Box Adversarial Attacks on Face Recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2019:7706-7714.
[3]	Xiao Z, Gao X, Fu C, et al. Improving Transferability of Adversarial Patches on Face Recognition with Generative Models[C]// Proceedings of the IEEE Conference on Com-puter Vision and Pattern Recognition, 2021:11840-11849.
[4]	Sharif M, Bhagavatula S, Bauer L, et al. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition[C]// Proceedings of the ACM Confer-ence on Computer and Communications Security, 2016: 1528-1540.
[5]	Ryu G, Park H, Choi D. Adversarial attacks by attaching noise markers on the face against deep face recognition[J]. Journal of Information Security and Applications, 2021, 60(5): 1.
[6]	Goswami G, Ratha N, Agarwal A, et al. Unravelling Rob-ustness of Deep Learning Based Face Recognition Agai-nst Adversarial Attacks[C]// Proceedings of the AAAI Con-ference on Artificial Intelligence, 2018:68296836.
[7]	Schroff F, Kalenichenko D, Philbin J. FaceNet: A unified embedding for face recognition and clustering[C]// Proce-edings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015: 815-823.
[8]	Liu W, Wen Y, Yu Z, et al. SphereFace: Deep Hypersph-ere Embedding for Face Recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2017: 6738-6746.
[9]	Wang H, Wang Y, Zhou Z, et al. CosFace: Large Margin Cosine Loss for Deep Face Recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018: 5265-5274.
[10]	Simonyan K, Zisserman A. Very Deep Convolutional Networks for Large-Scale Image Recognition[C]// Pro-ceedings of the International Conference on Learning Representations, 2015:1-14.
[11]	Szegedy C, Liu W, Jia Y, et al. Going deeper with conv-olutions[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015: 1-9.
[12]	He K, Zhang X, Ren S, et al. Deep Residual Learning for Image Recognition[C]// Proceedings of the IEEE Con-ference on Computer Vision and Pattern Recognition, 2016:770-778.
[13]	Cao Q, Shen L, Xie W, et al. VGGFace2: A Dataset for Recognising Faces across Pose and Age[C]// Proceedings of the IEEE International Conference on Automatic Face & Gesture Recognition, 2018:67-74.
[14]	Deng J, Guo J, Yang J, et al. ArcFace: Additive Angular Margin Loss for Deep Face Recognition[C]// Proceedings of the IEEE International Conference on Computer Vis-ion Workshops (ICCVW), 2021:4685-4694.
[15]	Huang G B, Mattar M, Berg T, et al. Labeled Faces in the Wild: A Database for Studying Face Recognition in Unconstrained Environments[C]// Workshop on faces in’ Real-Life’Images: detection, alignment, and recognition, 2008:1-16.
[16]	Kemelmacher-Shlizerman I, Seitz S M, Miller D, et al. The MegaFace Benchmark: 1 Million Faces for Reco-gnition at Scale[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016:4873-4882.
[17]	Yi D, Lei Z, Liao S, et al. Learning Face Representation from Scratch[J]. arXiv preprint arXiv:1411.7923, 2014.
[18]	Klare B F, Klein B, Taborsky E, et al. Pushing the fron-tiers of unconstrained face detection and recognition: IA-RPA Janus Benchmark A[C]// Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Reco-gnition, 2015: 1931-1939.
[19]	Whitelam C, Taborsky E, Blanton A, et al. IARPA Janus Benchmark-B Face Dataset[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops(CVPRW), 2017: 592-600.
[20]	Maze B, Adams J, Duncan J A, et al. IARPA Janus Ben-chmark-C: Face Dataset and Protocol[C]// Proceedings of the International Conference on Biometrics, 2018:158-165.
[21]	Wolf L, Hassner T, Maoz I. Face recognition in uncon-strained videos with matched background similarity[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2011: 529-534.
[22]	Goodfellow I J, Shlens J, Szegedy C. Explaining and Harnessing Adversarial Examples[C]// Proceedings of the International Conference on Learning Representations, 2015: 1-11.
[23]	Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks[C]// Proceedings of the International Conference on Learning Representations, 2018:1.
[24]	Zhou Z, Tang D, Wang X, et al. Invisible Mask: Practical Attacks on Face Recognition with Infrared[J]. arXiv preprint arXiv: 1803.04683, 2018.
[25]	Shen M, Liao Z, Zhu L, et al. VLA: A Practical Visible Light-based Attack on Face Recognition Systems in Phy-sical World[J]. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Techn-ologies, 2019, 3(103): 1-19.
[26]	Komkov S, Petiushko A. AdvHat: Real-World Adver-sarial Attack on ArcFace Face ID System[C]// Proceedi-ngs of the International Conference on Pattern Recognit-ion, 2020:819-826.
[27]	Pautov M, Melnikov G, Kaziakhmedov E, et al. On Adversarial Patches: Real-World Attack on ArcFace-100 Face Recognition System[C]// Proceedings of the Inter-national Multi-Conference on Engineering, Computer and Information Sciences (SIBIRCON), 2019: 0391-0396.
[28]	Shen M, Yu H, Zhu L, et al. Robust Attacks on Deep Lea-rning Face Recognition in the Physical World[J]. arXiv preprint arXiv:2011.13526, 2020.
[29]	ZOLFI A, AVIDAN S, ELOVICI Y, et al. Adversarial Mask: Real-World Adversarial Attack Against Face Recogni-tion Models[J]. arXiv preprint arXiv 2111.10759, 2021.
[30]	Liu Y, Chen X, Liu C, et al. Delving into Transferable Adversarial Examples and Black-box Attacks[C]// Proc-eedings of the International Conference on Learning Rep-resentations, 2017:1-14.
[31]	Dong Y, Liao F, Pang T, et al. Boosting Adversarial Att-acks with Momentum[C]// Proceedings of the IEEE Con-ference on Computer Vision and Pattern Recognition. Salt Lake City, UT, USA, 2018: 9185-9193.
[32]	Chen P, Zhang H, Sharma Y, et al. Zoo: Zeroth order optimization based black-box attacks to deep neural net-works without training substitute models[C]// Proceedin-gs of the 10th ACM workshop on artificial intelligence and security, 2017: 15-26.
[33]	Moosavi-Dezfooli S M, Fawzi A, Frossard P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Net-works[C]// Proceedings of the IEEE Conference on Com-puter Vision and Pattern Recognition, 2016:2574-2582.
[34]	Su J, Vargas D V, Sakurai K. One Pixel Attack for Foo-ling Deep Neural Networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841. doi: 10.1109/TEVC.4235
[35]	Kurakin A, Goodfellow I J, Bengio S. Adversarial exam-ples in the physical world[M]// Artificial intelligence saf-ety and security, 2018: 99-112.
[36]	Athalye A, Engstrom L, Ilyas A, et al. Synthesizing Ro-bust Adversarial Examples[C]// Proceedings of the Inter-national Conference on Machine Learning, 2018: 284-293.
[37]	Zheng X, Fan Y, Wu B, et al. Robust Physical-World Att-acks on Face Recognition[J]. Pattern Recognition, 2023, 133: 109009. doi: 10.1016/j.patcog.2022.109009
[38]	Mahendran A, Vedaldi A. Understanding deep image representations by inverting them[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Reco-gnition, 2015:5188-5196.
[39]	Singh I, Araki T, Kakizaki K. Powerful Physical Adver-sarial Examples Against Practical Face Recognition Sy-stems[C]// Proceedings of the IEEE Winter Conference on Applications of Computer Vision Workshops, 2022: 301-310.
[40]	Wei X, Guo Y, Yu J. Adversarial Sticker: A Stealthy Att-ack Method in the Physical World[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022:1.
[41]	Song D, Eykholt K, Evtimov I, et al. Physical adversarial examples for object detectors[C]// Proceedings of the US-ENIX workshop on offensive technologies (WOOT 18), 2018:1-10.
[42]	Xie C, Zhang Z, Zhou Y, et al. Improving Transferability of Adversarial Examples With Input Diversity[C]// Proce-edings of the IEEE Conference on Computer Vision and Pattern Recognition, 2019:2725-2734.
[43]	Dong Y, Pang T, Su H, et al. Evading Defenses to Trans-ferable Adversarial Examples by Translation-Invariant Attacks[C]// Proceedings of the IEEE Conference on Com-puter Vision and Pattern Recognition, 2019:4307-4316.
[44]	Kurakin A, Goodfellow I J, Bengio S. Adversarial Mac-hine Learning at Scale[C]// Proceedings of the Internati-onal Conference on Learning Representations, 2017:1.
[45]	Sharif M, Bhagavatula S, Bauer L, et al. A General Fra-mework for Adversarial Examples with Objectives[J]. ACM Transactions on Privacy and Security (TOPS), 2019, 22(3): 1-30.
[46]	Yin B, Wang W, Yao T, et al. Adv-Makeup: A New Imp-erceptible and Transferable Attack on Face Recognition[C]// Proceedings of the International Joint Conference on Artificial Intelligence, 2021:1252-1258.
[47]	Nguyen D L, Arora S S, Wu Y, et al. Adversarial Light Projection Attacks on Face Recognition Systems: A Feas-ibility Study[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops, 2020:3548-3556.
[48]	Goodfellow I J, Pouget-Abadie J, Mirza M, et al. Ge-nerative Adversarial Nets[C]// Advances in Neural Infor-mation Processing Systems, 2014:2672-2680.
[49]	Gu Q, Wang G, Chiu M, et al. LADN: Local Adversarial Disentangling Network for Facial Makeup and DeMak-eup[C]// Proceedings of the IEEE international Conf-erence on Computer Vision (ICCV), 2019 :10480-10489.
[50]	Feng Y, Wu F, Shao X, et al. Joint 3D Face Reconstr-uction and Dense Alignment with Position Map Regres-sion Network[C]// Proceedings of the European Confe-rence, 2018: 557-574.
[51]	Duan R, Mao X, Qin A K, et al. Adversarial Laser Beam: Effective Physical-World Attack to DNNs in a Blink[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2021:16057-16066.
[52]	Gnanasambandam A, Sherman A M, Chan S H. Optical Adversarial Attack[C]// Proceedings of the IEEE Inte-rnational Conference on Computer Vision Workshops (ICCVW), 2021:92-101.
[53]	Tu J, Ren M, Manivasagam S, et al. Physically Realizable Adversarial Examples for Lidar Object Detection[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2020:13713-13722.
[54]	Sayles A, Hooda A, Gupta M, et al. Invisible Perturba-tions: Physical Adversarial Examples Exploiting the Rolling Shutter Effect[C] //Proceedings of the IEEE Con-ference on Computer Vision and Pattern Recognition, 2021: 14661-14670.
[55]	Jaderberg M, Simonyan K, Zisserman A, et al. Spatial Transformer Networks[C]// Advances in Neural Infor-mation Processing Systems, 2015:2017-2025.
[56]	Tong L, Chen Z, Ni J, et al. FaceSec: A Fine-grained Robustness Evaluation Framework for Face Recognition Systems[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2021: 13249-13258.

形式	样本生成方法		类型	创新点
基于配件	[4]	迭代镜框颜色	白盒	为物理可实现引入NPS、TV损失
	[45]	AGNs框架生成镜框	白盒	利用GAN生成更真实的镜框
	[46]	眼影贴纸	白盒	混合模块实现攻击的不可察觉性和迁移性
	[29]	口罩	白盒	利用3D人脸重建技术生成通用攻击口罩
基于光线	[24]	红外线斑点	白盒	利用相机和人眼的成像差异
	[25]	可见光混频投影	黑盒	混频投影光线提供实时性攻击
	[47]	投影光	白盒	引用平移不变性增强迁移性
基于贴纸	[26]	AdvHat帽子贴纸	白盒	平面转换算法保持对抗性
	[27]	黑白贴纸	白盒	在人脸特征区域覆盖
	[28]	GAN生成的不同形状贴纸	白盒	使用3D人脸建模技术模拟环境变化
	[40]	日常贴纸的位置、旋转参数	黑盒	基于区域的启发式差分算法搜索到位置和旋转参数
	[5]	面部像素噪声标记	白盒	最大限度减少噪声标记的颜色差异和位置差异

针对人脸识别的物理对抗攻击研究综述

A Survey on Physical Adversarial Attacks towards Face Recognition

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 56

相关文章 0

编辑推荐

Metrics

本文评价