A Survey on Physical Adversarial Attacks towards Face Recognition

doi:10.11871/jfdc.issn.2096-742X.2023.03.005

Abstract

Abstract:

[Purpose] In recent years, adversarial attack methods against face recognition have emerged frequ-ently. Among them, physical adversarial attack methods can attack face recognition systems directly in the physical world, which has a higher research value compared with the digital adversarial attacks. [Methods] Firstly, the basic concepts and background knowledge of face recognition and adversarial attacks are introduced. Then, the optimization methods commonly used in physical adversarial attacks are organized and introduced from two aspects of enhancing the robustness and transferability of physical adversarial samples, respectively. Further, the existing physical adversarial attack methods for face recognition are analyzed and introduced. [Results] Taking the feasibility of face recognition adversarial attacks in the physical domain as a clue, the physical attack methods against face recognition are classified into three categories according to different forms of perturbation presentation: accessory-based, physical light-based, and sticker-based. Then the advantages and disadvantages of different categories are systematically analyzed in terms of both robustness and migration. [Conclusions] Though physical adversarial attacks against face recognition still have urgent problems to be solved, they play an important role in the development of face recognition and maintenance of public security.

Key words: physical adversarial attack, adversarial example, face recognition, robustness, transferability

CAO Can, SI Qiang, YOU Xuesong, DENG Qiyao, LI Qi, YAN Zhiyuan. A Survey on Physical Adversarial Attacks towards Face Recognition[J]. Frontiers of Data and Computing, 2023, 5(3): 49-65, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2023.03.005.

Figures/Tables 9

Fig.1

Fig.2

Fig.3

Fig.4

Fig.5

Table 1

Fig.6

Fig.7

Fig.8

References 56

[1]	Szegedy C, Zaremba W, Sutskever I, et al. Intriguing pro-perties of neural networks[C]// Proceedings of the Intern-ational Conference on Learning Representations, 2014:1-10.
[2]	Dong Y, Su H, Wu B, et al. Efficient Decision-Based Black-Box Adversarial Attacks on Face Recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2019:7706-7714.
[3]	Xiao Z, Gao X, Fu C, et al. Improving Transferability of Adversarial Patches on Face Recognition with Generative Models[C]// Proceedings of the IEEE Conference on Com-puter Vision and Pattern Recognition, 2021:11840-11849.
[4]	Sharif M, Bhagavatula S, Bauer L, et al. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition[C]// Proceedings of the ACM Confer-ence on Computer and Communications Security, 2016: 1528-1540.
[5]	Ryu G, Park H, Choi D. Adversarial attacks by attaching noise markers on the face against deep face recognition[J]. Journal of Information Security and Applications, 2021, 60(5): 1.
[6]	Goswami G, Ratha N, Agarwal A, et al. Unravelling Rob-ustness of Deep Learning Based Face Recognition Agai-nst Adversarial Attacks[C]// Proceedings of the AAAI Con-ference on Artificial Intelligence, 2018:68296836.
[7]	Schroff F, Kalenichenko D, Philbin J. FaceNet: A unified embedding for face recognition and clustering[C]// Proce-edings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015: 815-823.
[8]	Liu W, Wen Y, Yu Z, et al. SphereFace: Deep Hypersph-ere Embedding for Face Recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2017: 6738-6746.
[9]	Wang H, Wang Y, Zhou Z, et al. CosFace: Large Margin Cosine Loss for Deep Face Recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018: 5265-5274.
[10]	Simonyan K, Zisserman A. Very Deep Convolutional Networks for Large-Scale Image Recognition[C]// Pro-ceedings of the International Conference on Learning Representations, 2015:1-14.
[11]	Szegedy C, Liu W, Jia Y, et al. Going deeper with conv-olutions[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2015: 1-9.
[12]	He K, Zhang X, Ren S, et al. Deep Residual Learning for Image Recognition[C]// Proceedings of the IEEE Con-ference on Computer Vision and Pattern Recognition, 2016:770-778.
[13]	Cao Q, Shen L, Xie W, et al. VGGFace2: A Dataset for Recognising Faces across Pose and Age[C]// Proceedings of the IEEE International Conference on Automatic Face & Gesture Recognition, 2018:67-74.
[14]	Deng J, Guo J, Yang J, et al. ArcFace: Additive Angular Margin Loss for Deep Face Recognition[C]// Proceedings of the IEEE International Conference on Computer Vis-ion Workshops (ICCVW), 2021:4685-4694.
[15]	Huang G B, Mattar M, Berg T, et al. Labeled Faces in the Wild: A Database for Studying Face Recognition in Unconstrained Environments[C]// Workshop on faces in’ Real-Life’Images: detection, alignment, and recognition, 2008:1-16.
[16]	Kemelmacher-Shlizerman I, Seitz S M, Miller D, et al. The MegaFace Benchmark: 1 Million Faces for Reco-gnition at Scale[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016:4873-4882.
[17]	Yi D, Lei Z, Liao S, et al. Learning Face Representation from Scratch[J]. arXiv preprint arXiv:1411.7923, 2014.
[18]	Klare B F, Klein B, Taborsky E, et al. Pushing the fron-tiers of unconstrained face detection and recognition: IA-RPA Janus Benchmark A[C]// Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Reco-gnition, 2015: 1931-1939.
[19]	Whitelam C, Taborsky E, Blanton A, et al. IARPA Janus Benchmark-B Face Dataset[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops(CVPRW), 2017: 592-600.
[20]	Maze B, Adams J, Duncan J A, et al. IARPA Janus Ben-chmark-C: Face Dataset and Protocol[C]// Proceedings of the International Conference on Biometrics, 2018:158-165.
[21]	Wolf L, Hassner T, Maoz I. Face recognition in uncon-strained videos with matched background similarity[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2011: 529-534.
[22]	Goodfellow I J, Shlens J, Szegedy C. Explaining and Harnessing Adversarial Examples[C]// Proceedings of the International Conference on Learning Representations, 2015: 1-11.
[23]	Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks[C]// Proceedings of the International Conference on Learning Representations, 2018:1.
[24]	Zhou Z, Tang D, Wang X, et al. Invisible Mask: Practical Attacks on Face Recognition with Infrared[J]. arXiv preprint arXiv: 1803.04683, 2018.
[25]	Shen M, Liao Z, Zhu L, et al. VLA: A Practical Visible Light-based Attack on Face Recognition Systems in Phy-sical World[J]. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Techn-ologies, 2019, 3(103): 1-19.
[26]	Komkov S, Petiushko A. AdvHat: Real-World Adver-sarial Attack on ArcFace Face ID System[C]// Proceedi-ngs of the International Conference on Pattern Recognit-ion, 2020:819-826.
[27]	Pautov M, Melnikov G, Kaziakhmedov E, et al. On Adversarial Patches: Real-World Attack on ArcFace-100 Face Recognition System[C]// Proceedings of the Inter-national Multi-Conference on Engineering, Computer and Information Sciences (SIBIRCON), 2019: 0391-0396.
[28]	Shen M, Yu H, Zhu L, et al. Robust Attacks on Deep Lea-rning Face Recognition in the Physical World[J]. arXiv preprint arXiv:2011.13526, 2020.
[29]	ZOLFI A, AVIDAN S, ELOVICI Y, et al. Adversarial Mask: Real-World Adversarial Attack Against Face Recogni-tion Models[J]. arXiv preprint arXiv 2111.10759, 2021.
[30]	Liu Y, Chen X, Liu C, et al. Delving into Transferable Adversarial Examples and Black-box Attacks[C]// Proc-eedings of the International Conference on Learning Rep-resentations, 2017:1-14.
[31]	Dong Y, Liao F, Pang T, et al. Boosting Adversarial Att-acks with Momentum[C]// Proceedings of the IEEE Con-ference on Computer Vision and Pattern Recognition. Salt Lake City, UT, USA, 2018: 9185-9193.
[32]	Chen P, Zhang H, Sharma Y, et al. Zoo: Zeroth order optimization based black-box attacks to deep neural net-works without training substitute models[C]// Proceedin-gs of the 10th ACM workshop on artificial intelligence and security, 2017: 15-26.
[33]	Moosavi-Dezfooli S M, Fawzi A, Frossard P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Net-works[C]// Proceedings of the IEEE Conference on Com-puter Vision and Pattern Recognition, 2016:2574-2582.
[34]	Su J, Vargas D V, Sakurai K. One Pixel Attack for Foo-ling Deep Neural Networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841. doi: 10.1109/TEVC.4235
[35]	Kurakin A, Goodfellow I J, Bengio S. Adversarial exam-ples in the physical world[M]// Artificial intelligence saf-ety and security, 2018: 99-112.
[36]	Athalye A, Engstrom L, Ilyas A, et al. Synthesizing Ro-bust Adversarial Examples[C]// Proceedings of the Inter-national Conference on Machine Learning, 2018: 284-293.
[37]	Zheng X, Fan Y, Wu B, et al. Robust Physical-World Att-acks on Face Recognition[J]. Pattern Recognition, 2023, 133: 109009. doi: 10.1016/j.patcog.2022.109009
[38]	Mahendran A, Vedaldi A. Understanding deep image representations by inverting them[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Reco-gnition, 2015:5188-5196.
[39]	Singh I, Araki T, Kakizaki K. Powerful Physical Adver-sarial Examples Against Practical Face Recognition Sy-stems[C]// Proceedings of the IEEE Winter Conference on Applications of Computer Vision Workshops, 2022: 301-310.
[40]	Wei X, Guo Y, Yu J. Adversarial Sticker: A Stealthy Att-ack Method in the Physical World[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022:1.
[41]	Song D, Eykholt K, Evtimov I, et al. Physical adversarial examples for object detectors[C]// Proceedings of the US-ENIX workshop on offensive technologies (WOOT 18), 2018:1-10.
[42]	Xie C, Zhang Z, Zhou Y, et al. Improving Transferability of Adversarial Examples With Input Diversity[C]// Proce-edings of the IEEE Conference on Computer Vision and Pattern Recognition, 2019:2725-2734.
[43]	Dong Y, Pang T, Su H, et al. Evading Defenses to Trans-ferable Adversarial Examples by Translation-Invariant Attacks[C]// Proceedings of the IEEE Conference on Com-puter Vision and Pattern Recognition, 2019:4307-4316.
[44]	Kurakin A, Goodfellow I J, Bengio S. Adversarial Mac-hine Learning at Scale[C]// Proceedings of the Internati-onal Conference on Learning Representations, 2017:1.
[45]	Sharif M, Bhagavatula S, Bauer L, et al. A General Fra-mework for Adversarial Examples with Objectives[J]. ACM Transactions on Privacy and Security (TOPS), 2019, 22(3): 1-30.
[46]	Yin B, Wang W, Yao T, et al. Adv-Makeup: A New Imp-erceptible and Transferable Attack on Face Recognition[C]// Proceedings of the International Joint Conference on Artificial Intelligence, 2021:1252-1258.
[47]	Nguyen D L, Arora S S, Wu Y, et al. Adversarial Light Projection Attacks on Face Recognition Systems: A Feas-ibility Study[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops, 2020:3548-3556.
[48]	Goodfellow I J, Pouget-Abadie J, Mirza M, et al. Ge-nerative Adversarial Nets[C]// Advances in Neural Infor-mation Processing Systems, 2014:2672-2680.
[49]	Gu Q, Wang G, Chiu M, et al. LADN: Local Adversarial Disentangling Network for Facial Makeup and DeMak-eup[C]// Proceedings of the IEEE international Conf-erence on Computer Vision (ICCV), 2019 :10480-10489.
[50]	Feng Y, Wu F, Shao X, et al. Joint 3D Face Reconstr-uction and Dense Alignment with Position Map Regres-sion Network[C]// Proceedings of the European Confe-rence, 2018: 557-574.
[51]	Duan R, Mao X, Qin A K, et al. Adversarial Laser Beam: Effective Physical-World Attack to DNNs in a Blink[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2021:16057-16066.
[52]	Gnanasambandam A, Sherman A M, Chan S H. Optical Adversarial Attack[C]// Proceedings of the IEEE Inte-rnational Conference on Computer Vision Workshops (ICCVW), 2021:92-101.
[53]	Tu J, Ren M, Manivasagam S, et al. Physically Realizable Adversarial Examples for Lidar Object Detection[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2020:13713-13722.
[54]	Sayles A, Hooda A, Gupta M, et al. Invisible Perturba-tions: Physical Adversarial Examples Exploiting the Rolling Shutter Effect[C] //Proceedings of the IEEE Con-ference on Computer Vision and Pattern Recognition, 2021: 14661-14670.
[55]	Jaderberg M, Simonyan K, Zisserman A, et al. Spatial Transformer Networks[C]// Advances in Neural Infor-mation Processing Systems, 2015:2017-2025.
[56]	Tong L, Chen Z, Ni J, et al. FaceSec: A Fine-grained Robustness Evaluation Framework for Face Recognition Systems[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2021: 13249-13258.

形式	样本生成方法		类型	创新点
基于配件	[4]	迭代镜框颜色	白盒	为物理可实现引入NPS、TV损失
	[45]	AGNs框架生成镜框	白盒	利用GAN生成更真实的镜框
	[46]	眼影贴纸	白盒	混合模块实现攻击的不可察觉性和迁移性
	[29]	口罩	白盒	利用3D人脸重建技术生成通用攻击口罩
基于光线	[24]	红外线斑点	白盒	利用相机和人眼的成像差异
	[25]	可见光混频投影	黑盒	混频投影光线提供实时性攻击
	[47]	投影光	白盒	引用平移不变性增强迁移性
基于贴纸	[26]	AdvHat帽子贴纸	白盒	平面转换算法保持对抗性
	[27]	黑白贴纸	白盒	在人脸特征区域覆盖
	[28]	GAN生成的不同形状贴纸	白盒	使用3D人脸建模技术模拟环境变化
	[40]	日常贴纸的位置、旋转参数	黑盒	基于区域的启发式差分算法搜索到位置和旋转参数
	[5]	面部像素噪声标记	白盒	最大限度减少噪声标记的颜色差异和位置差异