Investigating Adversarial Robustness against Preprocessing used in Blackbox Face Recognition

TL;DR

This paper investigates how different face preprocessing techniques affect the success of adversarial attacks on blackbox face recognition systems, revealing that preprocessing choices significantly influence attack transferability and proposing a preprocessing-invariant defense.

Contribution

It systematically analyzes the impact of face preprocessing on adversarial attack transferability and introduces a method to improve attack robustness against preprocessing variations.

Findings

Face detection model choice can reduce attack success by up to 78%.

Interpolation method during downsampling has minimal impact on attack success.

Preprocessing can degrade attack strength in whitebox settings due to interaction with face detection models.

Abstract

Face Recognition (FR) models have been shown to be vulnerable to adversarial examples that subtly alter benign facial images, exposing blind spots in these systems, as well as protecting user privacy. End-to-end FR systems first obtain preprocessed faces from diverse facial imagery prior to computing the similarity of the deep feature embeddings. Whilst face preprocessing is a critical component of FR systems, and hence adversarial attacks against them, we observe that this preprocessing is often overlooked in blackbox settings. Our study seeks to investigate the transferability of several out-of-the-box state-of-the-art adversarial attacks against FR when applied against different preprocessing techniques used in a blackbox setting. We observe that the choice of face detection model can degrade the attack success rate by up to 78%, whereas choice of interpolation method during downsampling has relatively minimal impacts. Furthermore, we find that the requirement for facial preprocessing even degrades attack strength in a whitebox setting, due to the unintended interaction of produced noise vectors against face detection models. Based on these findings, we propose a preprocessing-invariant method using input transformations that improves the transferability of the studied attacks by up to 27%. Our findings highlight the importance of preprocessing in FR systems, and the need for its consideration towards improving the adversarial generalisation of facial adversarial examples.