Adversarial Attacks on Convolutional Neural Networks in Facial
Recognition Domain
- URL: http://arxiv.org/abs/2001.11137v3
- Date: Mon, 8 Feb 2021 07:43:45 GMT
- Title: Adversarial Attacks on Convolutional Neural Networks in Facial
Recognition Domain
- Authors: Yigit Alparslan, Ken Alparslan, Jeremy Keim-Shenk, Shweta Khade,
Rachel Greenstadt
- Abstract summary: Adversarial attacks that render Deep Neural Network (DNN) classifiers vulnerable in real life represent a serious threat in autonomous vehicles, malware filters, or biometric authentication systems.
We apply the Fast Gradient Sign Method to introduce perturbations to a facial image dataset and then test the output on a different classifier.
We craft a variety of black-box attack algorithms on a facial image dataset assuming minimal adversarial knowledge.
- Score: 2.4704085162861693
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Numerous recent studies have demonstrated how Deep Neural Network (DNN)
classifiers can be fooled by adversarial examples, in which an attacker adds
perturbations to an original sample, causing the classifier to misclassify the
sample. Adversarial attacks that render DNNs vulnerable in real life represent
a serious threat in autonomous vehicles, malware filters, or biometric
authentication systems. In this paper, we apply the Fast Gradient Sign Method (FGSM) to
introduce perturbations to a facial image dataset and then test the output on a
different classifier that we trained ourselves, to analyze the transferability of
this method. Next, we craft a variety of black-box attack algorithms
on a facial image dataset assuming minimal adversarial knowledge, to further
assess the robustness of DNNs in facial recognition. While experimenting with
different image distortion techniques, we focus on modifying single optimal
pixels by a large amount, or modifying all pixels by a smaller amount, or
combining these two attack approaches. While our single-pixel attacks achieved
about a 15% average decrease in classifier confidence level for the actual
class, the all-pixel attacks were more successful and achieved up to an 84%
average decrease in confidence, along with an 81.6% misclassification rate, in
the case of the attack that we tested with the highest levels of perturbation.
Even with these high levels of perturbation, the face images remained
identifiable to a human. Understanding how these noised and perturbed images
baffle the classification algorithms can yield valuable advances in the
training of DNNs against defense-aware adversarial attacks, as well as adaptive
noise reduction techniques. We hope our research may help to advance the study
of adversarial attacks on DNNs and defensive mechanisms to counteract them,
particularly in the facial recognition domain.
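As a rough illustration of the gradient-based perturbation step described in the abstract, here is a minimal FGSM sketch in PyTorch. It is a sketch under assumed conventions (a classifier returning logits, images scaled to [0, 1], a placeholder epsilon), not the authors' actual code.

```python
import torch
import torch.nn.functional as F

def fgsm_attack(model, image, label, epsilon):
    """Craft an FGSM adversarial example (illustrative sketch only).

    image:   tensor of shape (1, C, H, W) with values in [0, 1]
    label:   tensor of shape (1,) holding the true class index
    epsilon: maximum per-pixel perturbation magnitude
    """
    image = image.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(image), label)
    loss.backward()
    # Step every pixel by epsilon in the direction that increases the loss.
    adversarial = image + epsilon * image.grad.sign()
    return adversarial.clamp(0.0, 1.0).detach()
```

To probe transferability in the sense used above, such examples would be crafted with gradients from one classifier and then evaluated on a separately trained classifier.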
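The single-pixel and all-pixel distortions can likewise be pictured with a gradient-free sketch. The random pixel choice and the delta values below are illustrative assumptions; the paper's search for optimal pixels and its exact perturbation levels are not reproduced here.

```python
import numpy as np

def single_pixel_attack(image, delta=0.8, rng=None):
    """Shift one pixel by a large amount (black-box sketch).

    image: float array of shape (H, W, C) with values in [0, 1].
    The pixel is chosen at random here; the paper instead searches
    for an optimal pixel to modify.
    """
    rng = rng or np.random.default_rng()
    perturbed = image.copy()
    y = rng.integers(image.shape[0])
    x = rng.integers(image.shape[1])
    perturbed[y, x] = np.clip(perturbed[y, x] + delta, 0.0, 1.0)
    return perturbed

def all_pixel_attack(image, delta=0.05, rng=None):
    """Add small bounded random noise to every pixel."""
    rng = rng or np.random.default_rng()
    noise = rng.uniform(-delta, delta, size=image.shape)
    return np.clip(image + noise, 0.0, 1.0)
```

Combining the two, as the abstract mentions, would amount to applying a large shift to a chosen pixel on top of the small all-pixel noise.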
Related papers
- Undermining Image and Text Classification Algorithms Using Adversarial Attacks [0.0]
Our study addresses the gap by training various machine learning models and using GANs and SMOTE to generate additional data points aimed at attacking text classification models.
Our experiments reveal a significant vulnerability in classification models. Specifically, we observe a 20% decrease in accuracy for the top-performing text classification models post-attack, along with a 30% decrease in facial recognition accuracy.
arXiv Detail & Related papers (2024-11-03T18:44:28Z)
- Exploring Decision-based Black-box Attacks on Face Forgery Detection [53.181920529225906]
Face forgery generation technologies can synthesize highly realistic faces, which has raised public concerns about security and privacy.
Although face forgery detectors have successfully distinguished fake faces, recent studies demonstrate that they remain highly vulnerable to adversarial examples.
arXiv Detail & Related papers (2023-10-18T14:49:54Z)
- Dual Adversarial Resilience for Collaborating Robust Underwater Image Enhancement and Perception [54.672052775549]
In this work, we introduce a collaborative adversarial resilience network, dubbed CARNet, for underwater image enhancement and subsequent detection tasks.
We propose a synchronized attack training strategy with both visual-driven and perception-driven attacks, enabling the network to discern and remove various types of attacks.
Experiments demonstrate that the proposed method produces visually appealing enhanced images and achieves, on average, 6.71% higher detection mAP than state-of-the-art methods.
arXiv Detail & Related papers (2023-09-03T06:52:05Z)
- Robust Sensible Adversarial Learning of Deep Neural Networks for Image Classification [6.594522185216161]
We introduce sensible adversarial learning and demonstrate the synergistic effect between pursuits of standard natural accuracy and robustness.
Specifically, we define a sensible adversary which is useful for learning a robust model while keeping high natural accuracy.
We propose a novel and efficient algorithm that trains a robust model using implicit loss truncation.
arXiv Detail & Related papers (2022-05-20T22:57:44Z)
- Deep Bayesian Image Set Classification: A Defence Approach against Adversarial Attacks [32.48820298978333]
Deep neural networks (DNNs) are susceptible to being fooled, often with high confidence, by an adversary.
In practice, the vulnerability of deep learning systems to carefully perturbed images, known as adversarial examples, poses a dire security threat in physical-world applications.
We propose robust deep Bayesian image set classification as a defence framework against a broad range of adversarial attacks.
arXiv Detail & Related papers (2021-08-23T14:52:44Z)
- Deep neural network loses attention to adversarial images [11.650381752104296]
Adversarial algorithms have been shown to be effective against neural networks for a variety of tasks.
We show that, in the case of the Pixel Attack, perturbed pixels either draw the network's attention to themselves or divert attention away from them.
We also show that both attacks affect the saliency map and activation maps differently.
arXiv Detail & Related papers (2021-06-10T11:06:17Z)
- Towards Adversarial Patch Analysis and Certified Defense against Crowd Counting [61.99564267735242]
Crowd counting has drawn much attention due to its importance in safety-critical surveillance systems.
Recent studies have demonstrated that deep neural network (DNN) methods are vulnerable to adversarial attacks.
We propose a robust attack strategy called Adversarial Patch Attack with Momentum to evaluate the robustness of crowd counting models.
arXiv Detail & Related papers (2021-04-22T05:10:55Z)
- Error Diffusion Halftoning Against Adversarial Examples [85.11649974840758]
Adversarial examples contain carefully crafted perturbations that can fool deep neural networks into making wrong predictions.
We propose a new image transformation defense based on error diffusion halftoning, and combine it with adversarial training to defend against adversarial examples.
arXiv Detail & Related papers (2021-01-23T07:55:02Z)
- Evading Deepfake-Image Detectors with White- and Black-Box Attacks [75.13740810603686]
A popular forensic approach trains a neural network to distinguish real from synthetic content.
We develop five attack case studies on a state-of-the-art classifier that achieves an area under the ROC curve (AUC) of 0.95 on almost all existing image generators.
We also develop a black-box attack that, with no access to the target classifier, reduces the AUC to 0.22.
arXiv Detail & Related papers (2020-04-01T17:59:59Z)
- Towards Achieving Adversarial Robustness by Enforcing Feature Consistency Across Bit Planes [51.31334977346847]
We train networks to form coarse impressions based on the information in higher bit planes, and use the lower bit planes only to refine their prediction.
We demonstrate that, by imposing consistency on the representations learned across differently quantized images, the adversarial robustness of networks improves significantly.
arXiv Detail & Related papers (2020-04-01T09:31:10Z)
- TensorShield: Tensor-based Defense Against Adversarial Attacks on Images [7.080154188969453]
Recent studies have demonstrated that machine learning approaches like deep neural networks (DNNs) are easily fooled by adversarial attacks.
In this paper, we utilize tensor decomposition techniques as a preprocessing step to find a low-rank approximation of images, which discards much of the high-frequency perturbation.
arXiv Detail & Related papers (2020-02-18T00:39:49Z)
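As a loose illustration of the low-rank preprocessing idea summarized in the TensorShield entry above, the sketch below keeps only the leading singular values of each colour channel. The rank value is an arbitrary placeholder, and a per-channel matrix SVD is only a stand-in for the tensor decompositions that TensorShield actually uses.

```python
import numpy as np

def low_rank_approximation(image, rank=30):
    """Per-channel truncated SVD of an image (illustrative sketch).

    image: float array of shape (H, W, C) with values in [0, 1].
    Truncating the spectrum discards much of the high-frequency
    content, where small adversarial perturbations tend to live.
    """
    channels = []
    for c in range(image.shape[2]):
        u, s, vt = np.linalg.svd(image[:, :, c], full_matrices=False)
        s[rank:] = 0.0  # zero out the small singular values
        channels.append((u * s) @ vt)  # reconstruct the low-rank channel
    return np.clip(np.stack(channels, axis=2), 0.0, 1.0)
```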
This list is automatically generated from the titles and abstracts of the papers on this site.