Fooling Face Recognition Systems Through Physical Adversarial Attack
摘要
Face recognition systems (FRS) are increasingly prevalent today worldwide. Their applications in the security sensitive fields such as verification and authorization, security, multimedia, and law enforcement are crucial and are ever on the rise. Most modern face recognition systems use convolutional neural networks (CNNs) as their backbone. This is because CNNs excel at feature extraction in images, and are also highly scalable and robust which makes them highly performant. However, these CNNs display some counterintuitive properties due to the linearities within the network. One such property enables an attacker to manipulate the predictions of the network by adding small, imperceptible, and appropriately calculated noise to the inputs of the neural networks. The fact that these kinds of attacks are stealthy and can be physically realizable, questions the reliability of systems using those networks. This paper proposes a physical attack technique against FRS using adversarial bandages/patches employing the iterative Fast Gradient Sign Method (FGSM). The results have been analysed using various sizes of adversarial patches. Furthermore, experiments have been performed considering both untargeted and targeted attacks with various target classes. The paper also proposes a way to select the best target class in targeted attacks, with justification behind such behaviour of targets. The physical realization of attacks through the generation of patches using FGSM has been performed using manually captured images. Finally, this paper completely explores the weaknesses and strengths of the model when being attacked by FGSM. This would motivate researchers to better defend their public CNNs and face recognition models, and improve their strategies for ethical and legal attacks of machine learning models.