Improving Visual Quality and Transferability of Adversarial Attacks on Face Recognition Simultaneously with Adversarial Restoration

TL;DR

This paper introduces AdvRestore, a novel adversarial attack method that improves both visual quality and transferability of face recognition adversarial examples by leveraging a face restoration prior and a latent diffusion model.

Contribution

The paper proposes AdvRestore, a new adversarial attack technique that simultaneously enhances visual quality and transferability of face recognition adversarial examples using a face restoration prior.

Findings

AdvRestore significantly improves the visual quality of adversarial face examples.

The method enhances transferability across different face recognition models.

Experimental results validate the effectiveness of AdvRestore.

Abstract

Adversarial face examples possess two critical properties: Visual Quality and Transferability. However, existing approaches rarely address these properties simultaneously, leading to subpar results. To address this issue, we propose a novel adversarial attack technique known as Adversarial Restoration (AdvRestore), which enhances both visual quality and transferability of adversarial face examples by leveraging a face restoration prior. In our approach, we initially train a Restoration Latent Diffusion Model (RLDM) designed for face restoration. Subsequently, we employ the inference process of RLDM to generate adversarial face examples. The adversarial perturbations are applied to the intermediate features of RLDM. Additionally, by treating RLDM face restoration as a sibling task, the transferability of the generated adversarial face examples is further improved. Our experimental results validate the effectiveness of the proposed attack method.