Are Facial Attributes Adversarially Robust?

TL;DR

This paper investigates the robustness of deep neural networks for facial attribute classification against adversarial attacks, introduces a novel attack method, and explores the existence of natural adversarial samples, revealing varied robustness across attributes.

Contribution

It presents a new adversarial attack technique called fast flipping attribute (FFA), evaluates the robustness of DCNNs for different facial attributes, and introduces the concept of natural adversarial samples.

Findings

DCNNs for some attributes are robust to adversarial inputs.

FFA generates more adversarial examples than existing methods.

Natural adversarial samples are common and often persist despite additional training.

Abstract

Facial attributes are emerging soft biometrics that have the potential to reject non-matches, for example, based on mismatching gender. To be usable in stand-alone systems, facial attributes must be extracted from images automatically and reliably. In this paper, we propose a simple yet effective solution for automatic facial attribute extraction by training a deep convolutional neural network (DCNN) for each facial attribute separately, without using any pre-training or dataset augmentation, and we obtain new state-of-the-art facial attribute classification results on the CelebA benchmark. To test the stability of the networks, we generated adversarial images -- formed by adding imperceptible non-random perturbations to original inputs which result in classification errors -- via a novel fast flipping attribute (FFA) technique. We show that FFA generates more adversarial examples than other related algorithms, and that DCNNs for certain attributes are generally robust to adversarial inputs, while DCNNs for other attributes are not. This result is surprising because no DCNNs tested to date have exhibited robustness to adversarial images without explicit augmentation in the training procedure to account for adversarial examples. Finally, we introduce the concept of natural adversarial samples, i.e., images that are misclassified but can be easily turned into correctly classified images by applying small perturbations. We demonstrate that natural adversarial samples commonly occur, even within the training set, and show that many of these images remain misclassified even with additional training epochs. This phenomenon is surprising because correcting the misclassification, particularly when guided by training data, should require only a small adjustment to the DCNN parameters.