Towards Assessing and Characterizing the Semantic Robustness of Face Recognition
Juan C. Pérez, Motasem Alfarra, Ali Thabet, Pablo Arbeláez, Bernard Ghanem

TL;DR
This paper introduces a methodology to evaluate and characterize the semantic robustness of face recognition models against identity-preserving perturbations, using adversarial attacks in the StyleGAN latent space and providing theoretical guarantees.
Contribution
It presents a novel approach combining adversarial attacks, semantic perturbation modeling, and certification techniques to assess face recognition robustness.
Findings
Identifies how face recognition models (FRMs) can be fooled by semantic modifications.
Provides statistical characterization of robustness vulnerabilities.
Offers theoretical guarantees on FRM performance.
Abstract
Deep Neural Networks (DNNs) lack robustness against imperceptible perturbations to their input. Face Recognition Models (FRMs) based on DNNs inherit this vulnerability. We propose a methodology for assessing and characterizing the robustness of FRMs against semantic perturbations to their input. Our methodology causes FRMs to malfunction by designing adversarial attacks that search for identity-preserving modifications to faces. In particular, given a face, our attacks find identity-preserving variants of the face such that an FRM fails to recognize the images belonging to the same identity. We model these identity-preserving semantic modifications via direction- and magnitude-constrained perturbations in the latent space of StyleGAN. We further propose to characterize the semantic robustness of an FRM by statistically describing the perturbations that induce the FRM to malfunction.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Face recognition and analysis · Domain Adaptation and Few-Shot Learning
Methods: Dense Connections · Convolution · Feedforward Network · Adaptive Instance Normalization · R1 Regularization
