Unravelling Robustness of Deep Learning based Face Recognition Against Adversarial Attacks

TL;DR

This paper investigates the vulnerabilities of deep learning face recognition systems to real-world distortions and adversarial attacks, proposing detection methods and countermeasures to enhance robustness.

Contribution

It assesses deep architectures' vulnerabilities, characterizes abnormal responses in hidden layers, and introduces countermeasures to improve face recognition robustness against attacks.

Findings

Deep networks are vulnerable to real-world distortions and adversarial attacks.

Detection of attacks using hidden layer responses achieves high accuracy.

Countermeasures significantly improve robustness of face recognition systems.

Abstract

Deep neural network (DNN) architecture based models have high expressive power and learning capacity. However, they are essentially a black box method since it is not easy to mathematically formulate the functions that are learned within its many layers of representation. Realizing this, many researchers have started to design methods to exploit the drawbacks of deep learning based algorithms questioning their robustness and exposing their singularities. In this paper, we attempt to unravel three aspects related to the robustness of DNNs for face recognition: (i) assessing the impact of deep architectures for face recognition in terms of vulnerabilities to attacks inspired by commonly observed distortions in the real world that are well handled by shallow learning methods along with learning based adversaries; (ii) detecting the singularities by characterizing abnormal filter response behavior in the hidden layers of deep networks; and (iii) making corrections to the processing pipeline to alleviate the problem. Our experimental evaluation using multiple open-source DNN-based face recognition networks, including OpenFace and VGG-Face, and two publicly available databases (MEDS and PaSC) demonstrates that the performance of deep learning based face recognition algorithms can suffer greatly in the presence of such distortions. The proposed method is also compared with existing detection algorithms and the results show that it is able to detect the attacks with very high accuracy by suitably designing a classifier using the response of the hidden layers in the network. Finally, we present several effective countermeasures to mitigate the impact of adversarial attacks and improve the overall robustness of DNN-based face recognition.