Non-Adaptive Adversarial Face Generation

TL;DR

This paper introduces a novel non-adaptive method for generating adversarial face images that can impersonate target identities with high success rates, using minimal queries and leveraging the structure of face recognition feature spaces.

Contribution

The paper proposes a non-adaptive adversarial face generation technique that does not rely on transferability or surrogate models, achieving high success with only a single query.

Findings

Over 93% success rate against AWS API

Requires only one non-adaptive query of 100 images

Can produce targeted impersonations with high attribute control

Abstract

Adversarial attacks on face recognition systems (FRSs) pose serious security and privacy threats, especially when these systems are used for identity verification. In this paper, we propose a novel method for generating adversarial faces-synthetic facial images that are visually distinct yet recognized as a target identity by the FRS. Unlike iterative optimization-based approaches (e.g., gradient descent or other iterative solvers), our method leverages the structural characteristics of the FRS feature space. We figure out that individuals sharing the same attribute (e.g., gender or race) form an attributed subsphere. By utilizing such subspheres, our method achieves both non-adaptiveness and a remarkably small number of queries. This eliminates the need for relying on transferability and open-source surrogate models, which have been a typical strategy when repeated adaptive queries to commercial FRSs are impossible. Despite requiring only a single non-adaptive query consisting of 100 face images, our method achieves a high success rate of over 93% against AWS's CompareFaces API at its default threshold. Furthermore, unlike many existing attacks that perturb a given image, our method can deliberately produce adversarial faces that impersonate the target identity while exhibiting high-level attributes chosen by the adversary.