Geometrically Adaptive Dictionary Attack on Face Recognition

TL;DR

This paper introduces GADA, a novel, query-efficient black-box attack method on face recognition systems that leverages 3D face alignment and UV texture mapping to improve attack efficiency and evade detection.

Contribution

The paper proposes GADA, a new attack strategy that enhances query efficiency and robustness against detection by exploiting face geometry and previous perturbations.

Findings

GADA significantly reduces the number of queries needed for successful attacks.

It improves attack success rates on LFW and CPLFW datasets.

GADA can bypass query similarity-based detection methods.

Abstract

CNN-based face recognition models have brought remarkable performance improvement, but they are vulnerable to adversarial perturbations. Recent studies have shown that adversaries can fool the models even if they can only access the models' hard-label output. However, since many queries are needed to find imperceptible adversarial noise, reducing the number of queries is crucial for these attacks. In this paper, we point out two limitations of existing decision-based black-box attacks. We observe that they waste queries for background noise optimization, and they do not take advantage of adversarial perturbations generated for other images. We exploit 3D face alignment to overcome these limitations and propose a general strategy for query-efficient black-box attacks on face recognition named Geometrically Adaptive Dictionary Attack (GADA). Our core idea is to create an adversarial perturbation in the UV texture map and project it onto the face in the image. It greatly improves query efficiency by limiting the perturbation search space to the facial area and effectively recycling previous perturbations. We apply the GADA strategy to two existing attack methods and show overwhelming performance improvement in the experiments on the LFW and CPLFW datasets. Furthermore, we also present a novel attack strategy that can circumvent query similarity-based stateful detection that identifies the process of query-based black-box attacks.