Amora: Black-box adversarial morphing attack
Nowadays, digital facial content manipulation has become ubiquitous and realistic with the success of generative adversarial networks (GANs), making face recognition (FR) systems suffer from unprecedented security concerns. In this paper, we investigate and introduce a new type of adversarial attack...
Saved in:
Main Authors: | , , , , , , |
---|---|
Format: | text |
Language: | English |
Published: |
Institutional Knowledge at Singapore Management University
2020
|
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/7080 https://ink.library.smu.edu.sg/context/sis_research/article/8083/viewcontent/3394171.3413544.pdf |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Institution: | Singapore Management University |
Language: | English |
id |
sg-smu-ink.sis_research-8083 |
---|---|
record_format |
dspace |
spelling |
sg-smu-ink.sis_research-80832022-04-07T08:05:16Z Amora: Black-box adversarial morphing attack WANG, Run JUEFEI-XU, Felix GUO, Qing HUANG, Yihao XIE, Xiaofei MA, Lei LIU, Yang Nowadays, digital facial content manipulation has become ubiquitous and realistic with the success of generative adversarial networks (GANs), making face recognition (FR) systems suffer from unprecedented security concerns. In this paper, we investigate and introduce a new type of adversarial attack to evade FR systems by manipulating facial content, called adversarial morphing attack (a.k.a. Amora). In contrast to adversarial noise attack that perturbs pixel intensity values by adding human-imperceptible noise, our proposed adversarial morphing attack works at the semantic level that perturbs pixels spatially in a coherent manner. To tackle the black-box attack problem, we devise a simple yet effective joint dictionary learning pipeline to obtain a proprietary optical flow field for each attack. Our extensive evaluation on two popular FR systems demonstrates the effectiveness of our adversarial morphing attack at various levels of morphing intensity with smiling facial expression manipulations. Both open-set and closed-set experimental results indicate that a novel black-box adversarial attack based on local deformation is possible, and is vastly different from additive noise attacks. The findings of this work potentially pave a new research direction towards a more thorough understanding and investigation of image-based adversarial attacks and defenses. 2020-10-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7080 info:doi/10.1145/3394171.3413544 https://ink.library.smu.edu.sg/context/sis_research/article/8083/viewcontent/3394171.3413544.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Black-box adversarial attack morphing face recognition OS and Networks Software Engineering |
institution |
Singapore Management University |
building |
SMU Libraries |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
SMU Libraries |
collection |
InK@SMU |
language |
English |
topic |
Black-box adversarial attack morphing face recognition OS and Networks Software Engineering |
spellingShingle |
Black-box adversarial attack morphing face recognition OS and Networks Software Engineering WANG, Run JUEFEI-XU, Felix GUO, Qing HUANG, Yihao XIE, Xiaofei MA, Lei LIU, Yang Amora: Black-box adversarial morphing attack |
description |
Nowadays, digital facial content manipulation has become ubiquitous and realistic with the success of generative adversarial networks (GANs), making face recognition (FR) systems suffer from unprecedented security concerns. In this paper, we investigate and introduce a new type of adversarial attack to evade FR systems by manipulating facial content, called adversarial morphing attack (a.k.a. Amora). In contrast to adversarial noise attack that perturbs pixel intensity values by adding human-imperceptible noise, our proposed adversarial morphing attack works at the semantic level that perturbs pixels spatially in a coherent manner. To tackle the black-box attack problem, we devise a simple yet effective joint dictionary learning pipeline to obtain a proprietary optical flow field for each attack. Our extensive evaluation on two popular FR systems demonstrates the effectiveness of our adversarial morphing attack at various levels of morphing intensity with smiling facial expression manipulations. Both open-set and closed-set experimental results indicate that a novel black-box adversarial attack based on local deformation is possible, and is vastly different from additive noise attacks. The findings of this work potentially pave a new research direction towards a more thorough understanding and investigation of image-based adversarial attacks and defenses. |
format |
text |
author |
WANG, Run JUEFEI-XU, Felix GUO, Qing HUANG, Yihao XIE, Xiaofei MA, Lei LIU, Yang |
author_facet |
WANG, Run JUEFEI-XU, Felix GUO, Qing HUANG, Yihao XIE, Xiaofei MA, Lei LIU, Yang |
author_sort |
WANG, Run |
title |
Amora: Black-box adversarial morphing attack |
title_short |
Amora: Black-box adversarial morphing attack |
title_full |
Amora: Black-box adversarial morphing attack |
title_fullStr |
Amora: Black-box adversarial morphing attack |
title_full_unstemmed |
Amora: Black-box adversarial morphing attack |
title_sort |
amora: black-box adversarial morphing attack |
publisher |
Institutional Knowledge at Singapore Management University |
publishDate |
2020 |
url |
https://ink.library.smu.edu.sg/sis_research/7080 https://ink.library.smu.edu.sg/context/sis_research/article/8083/viewcontent/3394171.3413544.pdf |
_version_ |
1770576208202825728 |