TL;DR
This paper demonstrates that face recognition systems are highly vulnerable to fast, geometrically perturbed adversarial attacks, which achieve success rates above 99% and surpass previous methods in speed and effectiveness.
Contribution
It introduces a novel, rapid landmark manipulation attack for generating natural-looking adversarial faces with high success rates, significantly improving attack speed over prior geometric methods.
Findings
The first attack, fast landmark manipulation, achieves a 99.86% success rate.
The second attack, constrained on the semantic structure of the face, attains a 99.96% success rate.
Both attacks remain effective against advanced defense mechanisms.
Abstract
The state-of-the-art performance of deep learning algorithms has led to a considerable increase in the utilization of machine learning in security-sensitive and critical applications. However, it has recently been shown that a small and carefully crafted perturbation in the input space can completely fool a deep model. In this study, we explore the extent to which face recognition systems are vulnerable to geometrically-perturbed adversarial faces. We propose a fast landmark manipulation method for generating adversarial faces, which is approximately 200 times faster than the previous geometric attacks and obtains 99.86% success rate on the state-of-the-art face recognition models. To further force the generated samples to be natural, we introduce a second attack constrained on the semantic structure of the face which has the half speed of the first attack with the success rate of…
