Semantic Adversarial Attacks on Face Recognition through Significant Attributes

TL;DR

This paper introduces SAA-StarGAN, a semantic adversarial attack method that manipulates significant facial attributes to generate realistic, effective face recognition adversarial examples with high transferability and success rates.

Contribution

The paper proposes a novel semantic attack method that targets significant facial attributes, improving attack success and transferability over existing attribute-agnostic approaches.

Findings

Achieves 80.5% attack success rate against black-box models.

Outperforms existing methods by 35.5% in impersonation attacks.

Generates diverse, realistic adversarial face images without affecting human perception.

Abstract

Face recognition is known to be vulnerable to adversarial face images. Existing works craft face adversarial images by indiscriminately changing a single attribute without being aware of the intrinsic attributes of the images. To this end, we propose a new Semantic Adversarial Attack called SAA-StarGAN that tampers with the significant facial attributes for each image. We predict the most significant attributes by applying the cosine similarity or probability score. The probability score method is based on training a Face Verification model for an attribute prediction task to obtain a class probability score for each attribute. The prediction process will help craft adversarial face images more easily and efficiently, as well as improve the adversarial transferability. Then, we change the most significant facial attributes, with either one or more of the facial attributes for impersonation and dodging attacks in white-box and black-box settings. Experimental results show that our method could generate diverse and realistic adversarial face images meanwhile avoid affecting human perception of the face recognition. SAA-StarGAN achieves an 80.5% attack success rate against black-box models, outperforming existing methods by 35.5% under the impersonation attack. Concerning the black-box setting, SAA-StarGAN achieves high attack success rates on various models. The experiments confirm that predicting the most important attributes significantly affects the success of adversarial attacks in both white-box and black-box settings and could enhance the transferability of the crafted adversarial examples.