Defending Black Box Facial Recognition Classifiers Against Adversarial Attacks

Defending against adversarial attacks is a critical step towards the reliable deployment of deep-learning-based biometric verification. Current approaches for defending black-box models use the classification accuracy of the black box as the performance metric for validating their defense. However, classification accuracy by itself is not a reliable metric for determining whether the resulting image is "adversarial-free". This is a serious problem for online biometric verification, where the ground truth of the incoming image is not known: the accuracy of the classifier cannot be computed, so there is no way to tell whether the image is "adversarial-free". This paper proposes a novel framework for defending black-box systems against adversarial attacks using an ensemble of iterative adversarial image purifiers whose performance is continuously validated in a loop using Bayesian uncertainties. The proposed approach (i) is model-agnostic, (ii) can convert single-step black-box defenses into an iterative defense, and (iii) can reject adversarial examples. This paper uses facial recognition as a test case for validating the defense, and experimental results on the MS-Celeb dataset show that the proposed approach consistently detects adversarial examples and purifies or rejects them against a variety of adversarial attacks with different ranges of perturbation.
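As an added illustration of the uncertainty-validated purification loop the abstract describes (this is not the paper's code): a toy black-box classifier, a Monte Carlo weight-noise stand-in for the Bayesian uncertainty estimate, and an ensemble of two purifiers are constructed here, and the threshold, the filters and the minimal-perturbation adversarial input are all assumptions.

```python
import numpy as np

# Toy stand-in for the paper's setting: a 16-feature linear classifier is the
# black box, weight noise plays the role of the Bayesian model, and two simple
# filters form the purifier ensemble. All of this is constructed for illustration.
W_LOW = np.r_[np.ones(8), -np.ones(8)]                # class-relevant low-frequency pattern
W_HIGH = np.where(np.arange(16) % 2 == 0, 1.0, -1.0)  # high-frequency direction the model also reacts to
W = W_LOW + W_HIGH
THRESHOLD = 0.15   # assumed uncertainty threshold for accepting a (purified) sample

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def bayesian_predict(x, n_samples=50, sigma=0.8, seed=0):
    """Monte Carlo predictive distribution: sample weight perturbations and return
    (mean probability, predictive std). The std is the uncertainty the loop validates."""
    rng = np.random.default_rng(seed)
    probs = np.array([sigmoid((W + rng.normal(0.0, sigma, W.shape)) @ x)
                      for _ in range(n_samples)])
    return probs.mean(), probs.std()

def smooth(x):
    # [1,2,1]/4 kernel: cancels alternating-sign (highest-frequency) perturbations
    return np.convolve(x, np.array([1.0, 2.0, 1.0]) / 4.0, mode="same")

def median3(x):
    xp = np.pad(x, 1, mode="edge")
    return np.median(np.stack([xp[:-2], xp[1:-1], xp[2:]]), axis=0)

PURIFIERS = [smooth, median3]

def purify_or_reject(x, threshold=THRESHOLD, max_iters=3):
    """Iterative purification validated by Bayesian uncertainty, not by accuracy.
    Returns (decision, label, purification_rounds); decision is "accept" or "reject"."""
    for step in range(max_iters + 1):
        p, u = bayesian_predict(x)          # round 0 validates the untouched input
        if u < threshold:
            return "accept", int(p > 0.5), step
        if step == max_iters:
            break
        # Run every purifier in the ensemble; keep the candidate the Bayesian model is least uncertain about
        best = min(range(len(PURIFIERS)), key=lambda i: bayesian_predict(PURIFIERS[i](x))[1])
        x = PURIFIERS[best](x)
    return "reject", None, max_iters

CLEAN = np.r_[np.ones(8), np.zeros(8)]   # constructed genuine sample, logit = 8
ADV = CLEAN - 0.55 * W_HIGH              # constructed minimal perturbation, logit = 8 - 0.55*16 = -0.8
AMBIGUOUS = np.full(16, 0.5)             # constructed sample that no purifier in the ensemble can move off the boundary

if __name__ == "__main__":
    for name, x in [("clean", CLEAN), ("adversarial", ADV), ("ambiguous", AMBIGUOUS)]:
        print(name, purify_or_reject(x))
```

The clean sample is accepted without purification, the adversarial sample is flagged by its high predictive uncertainty, purified by the smoothing filter and then accepted, and the ambiguous sample is rejected after the iteration budget is exhausted.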
