LOTS about Attacking Deep Features

TL;DR

This paper introduces LOTS, a technique for generating adversarial examples targeting deep features in biometric systems, revealing that systems using deep features are more vulnerable than end-to-end neural networks.

Contribution

The paper presents LOTS, a novel and efficient method for creating adversarial examples for deep features, and compares the robustness of different biometric systems against these attacks.

Findings

Systems using deep features are easier to attack than end-to-end networks.

Iterative LOTS effectively generates adversarial examples.

Deep feature-based systems show lower robustness to adversarial attacks.

Abstract

Deep neural networks provide state-of-the-art performance on various tasks and are, therefore, widely used in real world applications. DNNs are becoming frequently utilized in biometrics for extracting deep features, which can be used in recognition systems for enrolling and recognizing new individuals. It was revealed that deep neural networks suffer from a fundamental problem, namely, they can unexpectedly misclassify examples formed by slightly perturbing correctly recognized inputs. Various approaches have been developed for generating these so-called adversarial examples, but they aim at attacking end-to-end networks. For biometrics, it is natural to ask whether systems using deep features are immune to or, at least, more resilient to attacks than end-to-end networks. In this paper, we introduce a general technique called the layerwise origin-target synthesis (LOTS) that can be efficiently used to form adversarial examples that mimic the deep features of the target. We analyze and compare the adversarial robustness of the end-to-end VGG Face network with systems that use Euclidean or cosine distance between gallery templates and extracted deep features. We demonstrate that iterative LOTS is very effective and show that systems utilizing deep features are easier to attack than the end-to-end network.