ABSTRACT
Machine learning is enabling a myriad innovations, including new algorithms for cancer diagnosis and self-driving cars. The broad use of machine learning makes it important to understand the extent to which machine-learning algorithms are subject to attack, particularly when used in applications where physical security or safety is at risk.
In this paper, we focus on facial biometric systems, which are widely used in surveillance and access control. We define and investigate a novel class of attacks: attacks that are physically realizable and inconspicuous, and allow an attacker to evade recognition or impersonate another individual. We develop a systematic method to automatically generate such attacks, which are realized through printing a pair of eyeglass frames. When worn by the attacker whose image is supplied to a state-of-the-art face-recognition algorithm, the eyeglasses allow her to evade being recognized or to impersonate another individual. Our investigation focuses on white-box face-recognition systems, but we also demonstrate how similar techniques can be used in black-box scenarios, as well as to avoid face detection.
Index Terms
- Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition