TY - GEN
T1 - On Fooling Facial Recognition Systems using Adversarial Patches
AU - Parmar, Rushirajsinh
AU - Kuribayashi, Minoru
AU - Takiwaki, Hiroto
AU - Raval, Mehul S.
N1 - Funding Information:
This research was supported by the JSPS KAKENHI Grant Number 19K22846, JST SICORP Grant Number JP-MJSC20C3, Japan.
Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Researchers are increasingly interested in studying novel attacks on machine learning models. Classifiers are fooled by making small perturbations to the input or by learning patches that can be applied to objects. In this paper, we present an iterative approach to generate a patch that, when digitally placed on the face, can successfully fool the facial recognition system. We focus on the dodging attack, where a target face is misidentified as any other face. The proof of concept is showcased using FGSM and the FaceNet face recognition system under a white-box attack. The framework is generic and can be extended to other noise models and recognition systems. It has been evaluated for different patch sizes, noise strengths, patch locations, numbers of patches and datasets. The experiments show that the proposed approach can significantly lower the recognition accuracy. Compared to state-of-the-art digital-world attacks, the proposed approach is simpler and can generate an inconspicuous, natural-looking patch with a comparable fool rate and the smallest patch size.
AB - Researchers are increasingly interested in studying novel attacks on machine learning models. Classifiers are fooled by making small perturbations to the input or by learning patches that can be applied to objects. In this paper, we present an iterative approach to generate a patch that, when digitally placed on the face, can successfully fool the facial recognition system. We focus on the dodging attack, where a target face is misidentified as any other face. The proof of concept is showcased using FGSM and the FaceNet face recognition system under a white-box attack. The framework is generic and can be extended to other noise models and recognition systems. It has been evaluated for different patch sizes, noise strengths, patch locations, numbers of patches and datasets. The experiments show that the proposed approach can significantly lower the recognition accuracy. Compared to state-of-the-art digital-world attacks, the proposed approach is simpler and can generate an inconspicuous, natural-looking patch with a comparable fool rate and the smallest patch size.
KW - Adversarial example
KW - convolutional neural network
KW - dodging attack
KW - face recognition
UR - http://www.scopus.com/inward/record.url?scp=85140734890&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85140734890&partnerID=8YFLogxK
U2 - 10.1109/IJCNN55064.2022.9892071
DO - 10.1109/IJCNN55064.2022.9892071
M3 - Conference contribution
AN - SCOPUS:85140734890
T3 - Proceedings of the International Joint Conference on Neural Networks
BT - 2022 International Joint Conference on Neural Networks, IJCNN 2022 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2022 International Joint Conference on Neural Networks, IJCNN 2022
Y2 - 18 July 2022 through 23 July 2022
ER -