Adversarial Attacks on Face Detectors using Neural Net based Constrained Optimization

TL;DR

This paper introduces a fast, scalable adversarial attack method on face detectors using a neural network-based constrained optimization approach, significantly reducing detection rates even under JPEG compression defenses.

Contribution

It presents a novel neural network generator for adversarial attacks on face detectors that is both efficient and effective across multiple images without re-optimization.

Findings

Reduced detected faces to 0.5% of original on Faster R-CNN

Attack remains effective under JPEG compression at 75%

Generator can attack new images without retraining

Abstract

Adversarial attacks involve adding, small, often imperceptible, perturbations to inputs with the goal of getting a machine learning model to misclassifying them. While many different adversarial attack strategies have been proposed on image classification models, object detection pipelines have been much harder to break. In this paper, we propose a novel strategy to craft adversarial examples by solving a constrained optimization problem using an adversarial generator network. Our approach is fast and scalable, requiring only a forward pass through our trained generator network to craft an adversarial sample. Unlike in many attack strategies, we show that the same trained generator is capable of attacking new images without explicitly optimizing on them. We evaluate our attack on a trained Faster R-CNN face detector on the cropped 300-W face dataset where we manage to reduce the number of detected faces to $0.5\%$ of all originally detected faces. In a different experiment, also on 300-W, we demonstrate the robustness of our attack to a JPEG compression based defense typical JPEG compression level of $75\%$ reduces the effectiveness of our attack from only $0.5\%$ of detected faces to a modest $5.0\%$.