RAF: Recursive Adversarial Attacks on Face Recognition Using Extremely Limited Queries

TL;DR

This paper introduces RAF, a recursive adversarial attack method on face recognition that uses limited queries by applying targeted face warping, demonstrating effectiveness in black-box settings.

Contribution

It presents a novel recursive attack leveraging automatic face warping on specific facial regions, reducing query requirements for fooling face recognition systems.

Findings

Effective in decision-based black-box attack scenarios

Requires extremely limited number of queries

Targets specific facial regions for perturbation

Abstract

Recent successful adversarial attacks on face recognition show that, despite the remarkable progress of face recognition models, they are still far behind the human intelligence for perception and recognition. It reveals the vulnerability of deep convolutional neural networks (CNNs) as state-of-the-art building block for face recognition models against adversarial examples, which can cause certain consequences for secure systems. Gradient-based adversarial attacks are widely studied before and proved to be successful against face recognition models. However, finding the optimized perturbation per each face needs to submitting the significant number of queries to the target model. In this paper, we propose recursive adversarial attack on face recognition using automatic face warping which needs extremely limited number of queries to fool the target model. Instead of a random face warping procedure, the warping functions are applied on specific detected regions of face like eyebrows, nose, lips, etc. We evaluate the robustness of proposed method in the decision-based black-box attack setting, where the attackers have no access to the model parameters and gradients, but hard-label predictions and confidence scores are provided by the target model.