Adv-Attribute: Inconspicuous and Transferable Adversarial Attack on Face Recognition

TL;DR

This paper introduces Adv-Attribute, a novel high-level semantic adversarial attack on face recognition that enhances transferability and stealthiness by perturbing attributes guided by recognition feature differences.

Contribution

It proposes a unified framework for inconspicuous, transferable face recognition attacks by perturbing attributes based on recognition features, improving over pixel-level methods.

Findings

Achieves state-of-the-art attack success rates.

Maintains better visual stealthiness.

Demonstrates robustness against defense models.

Abstract

Deep learning models have shown their vulnerability when dealing with adversarial attacks. Existing attacks almost perform on low-level instances, such as pixels and super-pixels, and rarely exploit semantic clues. For face recognition attacks, existing methods typically generate the l_p-norm perturbations on pixels, however, resulting in low attack transferability and high vulnerability to denoising defense models. In this work, instead of performing perturbations on the low-level pixels, we propose to generate attacks through perturbing on the high-level semantics to improve attack transferability. Specifically, a unified flexible framework, Adversarial Attributes (Adv-Attribute), is designed to generate inconspicuous and transferable attacks on face recognition, which crafts the adversarial noise and adds it into different attributes based on the guidance of the difference in face recognition features from the target. Moreover, the importance-aware attribute selection and the multi-objective optimization strategy are introduced to further ensure the balance of stealthiness and attacking strength. Extensive experiments on the FFHQ and CelebA-HQ datasets show that the proposed Adv-Attribute method achieves the state-of-the-art attacking success rates while maintaining better visual effects against recent attack methods.