On Fooling Facial Recognition Systems using Adversarial Patches
Rushirajsinh Parmar, M. Kuribayashi, Hiroto Takiwaki, M. Raval
2022 International Joint Conference on Neural Networks (IJCNN), published 2022-07-18
DOI: https://doi.org/10.1109/IJCNN55064.2022.9892071
Citation count: 1
Abstract
Researchers are increasingly interested in studying novel attacks on machine learning models. Classifiers are fooled by making small perturbations to the input or by learning patches that can be applied to objects. In this paper we present an iterative approach to generate a patch that, when digitally placed on the face, can successfully fool the facial recognition system. We focus on the dodging attack, where a target face is misidentified as any other face. The proof of concept is showcased using FGSM and the FaceNet face recognition system under the white-box attack. The framework is generic and can be extended to other noise models and recognition systems. It has been evaluated for different patch sizes, noise strengths, patch locations, numbers of patches and datasets. The experiments show that the proposed approach can significantly lower the recognition accuracy. Compared to state-of-the-art digital-world attacks, the proposed approach is simpler and can generate an inconspicuous, natural-looking patch with a comparable fool rate and the smallest patch size.