Computer Science ›› 2023, Vol. 50 ›› Issue (8): 280-285. doi: 10.11896/jsjkx.221100124

• Information Security •

Facial Physical Adversarial Example Performance Prediction Algorithm Based on Multi-modal Feature Fusion

ZHOU Fengfan1, LING Hefei1, ZHANG Jinyuan2, XIA Ziwei1, SHI Yuxuan1, LI Ping1   

  1. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
  2. Software Development Center, Industrial and Commercial Bank of China, Zhuhai, Guangdong 519080, China
  • Received: 2022-11-15 Revised: 2023-03-04 Online: 2023-08-15 Published: 2023-08-02
  • About author: ZHOU Fengfan, born in 1998, Ph.D. His main research interest is adversarial attacks on face recognition.
    LING Hefei, born in 1976, Ph.D. supervisor. His main research interest is computer vision.
  • Supported by:
    National Natural Science Foundation of China (61972169), National Key Research and Development Program of China (2019QY(Y)0202, 2022YFB2601802), Major Scientific and Technological Project of Hubei Province (2022BAA046, 2022BAA042), Research Programme on Applied Fundamentals and Frontier Technologies of Wuhan (2020010601012182) and China Postdoctoral Science Foundation (2022M711251).

Abstract: Facial physical adversarial attack (FPAA) refers to a method in which an attacker pastes on or wears physical adversarial examples, such as printed glasses or paper, to make a face recognition system recognize his face as the face of a specific target, or to make the face recognition system unable to recognize his face under the camera. The existing performance evaluation process for FPAA can be affected by multiple environmental factors and requires multiple manual operations, resulting in very low evaluation efficiency. To reduce the workload of evaluating the performance of facial physical adversarial examples, a multimodal feature fusion prediction algorithm (MFFP) is proposed that exploits the multimodality between digital images and environmental factors. Specifically, different networks are used to extract the features of the attacker's face images, the victim's face images and the facial digital adversarial example images, and the proposed environmental feature extraction network is used to extract the features of environmental factors. A multimodal feature fusion network is proposed to fuse these features. The output of the multimodal feature fusion network is the predicted cosine similarity between the facial physical adversarial example image and the victim image. The MFFP algorithm achieves a regression mean square error of 0.003 in the experimental scenario of unknown environment and unknown FPAA, which is better than the performance of the baseline. This verifies the accuracy of the MFFP algorithm in predicting the performance of FPAA. Moreover, it verifies that MFFP can quickly evaluate the performance of FPAA while greatly reducing the workload of manual operation.

Key words: Artificial intelligence security, Adversarial example, Facial physical adversarial attack, Performance prediction, Multimodal feature fusion

CLC Number: TP391