Amora: Black-box Adversarial Morphing Attack

TL;DR

This paper introduces Amora, a novel black-box adversarial attack on face recognition systems that manipulates facial content at the semantic level through morphing, demonstrating effectiveness against popular FR systems.

Contribution

It presents a new adversarial attack method using semantic facial morphing with a joint dictionary learning pipeline for black-box scenarios, differing from traditional noise-based attacks.

Findings

Effective against two popular face recognition systems

Works at various morphing intensities and expressions

Different from additive noise attacks

Abstract

Nowadays, digital facial content manipulation has become ubiquitous and realistic with the success of generative adversarial networks (GANs), making face recognition (FR) systems suffer from unprecedented security concerns. In this paper, we investigate and introduce a new type of adversarial attack to evade FR systems by manipulating facial content, called \textbf{\underline{a}dversarial \underline{mor}phing \underline{a}ttack} (a.k.a. Amora). In contrast to adversarial noise attack that perturbs pixel intensity values by adding human-imperceptible noise, our proposed adversarial morphing attack works at the semantic level that perturbs pixels spatially in a coherent manner. To tackle the black-box attack problem, we devise a simple yet effective joint dictionary learning pipeline to obtain a proprietary optical flow field for each attack. Our extensive evaluation on two popular FR systems demonstrates the effectiveness of our adversarial morphing attack at various levels of morphing intensity with smiling facial expression manipulations. Both open-set and closed-set experimental results indicate that a novel black-box adversarial attack based on local deformation is possible, and is vastly different from additive noise attacks. The findings of this work potentially pave a new research direction towards a more thorough understanding and investigation of image-based adversarial attacks and defenses.