Adversarial Watermarking for Face Recognition

TL;DR

This paper investigates how combining watermarking with adversarial perturbations can create stealthy attacks that significantly impair face recognition accuracy, revealing a new vulnerability in biometric security systems.

Contribution

It introduces the concept of adversarial watermarking attacks, demonstrating their effectiveness and stealthiness in degrading face recognition performance.

Findings

Adversarial watermarking can reduce face recognition accuracy by over 67%.

Combined watermarking and perturbations can cause recognition failures while remaining stealthy.

The proposed attack achieves up to 95.9% accuracy reduction with minimal perturbation.

Abstract

Watermarking is an essential technique for embedding an identifier (i.e., watermark message) within digital images to assert ownership and monitor unauthorized alterations. In face recognition systems, watermarking plays a pivotal role in ensuring data integrity and security. However, an adversary could potentially interfere with the watermarking process, significantly impairing recognition performance. We explore the interaction between watermarking and adversarial attacks on face recognition models. Our findings reveal that while watermarking or input-level perturbation alone may have a negligible effect on recognition accuracy, the combined effect of watermarking and perturbation can result in an adversarial watermarking attack, significantly degrading recognition performance. Specifically, we introduce a novel threat model, the adversarial watermarking attack, which remains stealthy in the absence of watermarking, allowing images to be correctly recognized initially. However, once watermarking is applied, the attack is activated, causing recognition failures. Our study reveals a previously unrecognized vulnerability: adversarial perturbations can exploit the watermark message to evade face recognition systems. Evaluated on the CASIA-WebFace dataset, our proposed adversarial watermarking attack reduces face matching accuracy by 67.2% with an $\ell_\infty$ norm-measured perturbation strength of ${2}/{255}$ and by 95.9% with a strength of ${4}/{255}$.