Low-Mid Adversarial Perturbation against Unauthorized Face Recognition System

TL;DR

This paper introduces low-mid frequency adversarial perturbations (LMFAP) to effectively disrupt unauthorized face recognition systems, demonstrating robustness against JPEG compression and transferability issues through adversarial training and extensive testing.

Contribution

It proposes a novel low-mid frequency adversarial perturbation method (LMFAP) that enhances attack robustness and transferability against unauthorized facial recognition systems, including real-world black-box APIs.

Findings

LMFAP outperforms existing methods in resisting JPEG compression effects.

The approach demonstrates high transferability across different models and datasets.

Empirical validation on commercial API confirms its effectiveness.

Abstract

In light of the growing concerns regarding the unauthorized use of facial recognition systems and its implications on individual privacy, the exploration of adversarial perturbations as a potential countermeasure has gained traction. However, challenges arise in effectively deploying this approach against unauthorized facial recognition systems due to the effects of JPEG compression on image distribution across the internet, which ultimately diminishes the efficacy of adversarial perturbations. Existing JPEG compression-resistant techniques struggle to strike a balance between resistance, transferability, and attack potency. To address these limitations, we propose a novel solution referred to as \emph{low frequency adversarial perturbation} (LFAP). This method conditions the source model to leverage low-frequency characteristics through adversarial training. To further enhance the performance, we introduce an improved \emph{low-mid frequency adversarial perturbation} (LMFAP) that incorporates mid-frequency components for an additive benefit. Our study encompasses a range of settings to replicate genuine application scenarios, including cross backbones, supervisory heads, training datasets, and testing datasets. Moreover, we evaluated our approaches on a commercial black-box API, \texttt{Face++}. The empirical results validate the cutting-edge performance achieved by our proposed solutions.