Fast Geometrically-Perturbed Adversarial Faces
The state-of-the-art performance of deep learning algorithms has led to a
considerable increase in the utilization of machine learning in
security-sensitive and critical applications. However, it has recently been
shown that a small and carefully crafted perturbation in the input space can
completely fool a deep model. In this study, we explore the extent to which
face recognition systems are vulnerable to geometrically-perturbed adversarial
faces. We propose a fast landmark manipulation method for generating
adversarial faces, which is approximately 200 times faster than previous
geometric attacks and achieves a 99.86% success rate against state-of-the-art face
recognition models. To further force the generated samples to look natural, we
introduce a second attack constrained by the semantic structure of the face,
which runs at half the speed of the first attack with a success rate of 99.96%.
Both attacks are extremely robust against state-of-the-art defense methods,
retaining a success rate of at least 53.59%. Code is available at
https://github.com/alldbi/FL
Attacks on State-of-the-Art Face Recognition using Attentional Adversarial Attack Generative Network
With the broad use of face recognition, a weakness has gradually emerged: it
can be attacked. It is therefore important to study how face recognition
networks are subject to attack. In this paper, we focus on a novel kind of
attack against face recognition networks that misleads the network into
identifying someone as a chosen target person, rather than merely causing an
inconspicuous misclassification. For this purpose, we introduce a specific
attentional adversarial attack generative network to generate fake face images.
To capture the semantic information of the target person, this work adds a
conditional variational autoencoder and attention modules to learn the
instance-level correspondences between faces. Unlike a traditional two-player
GAN, this work introduces face recognition networks as a third player in the
competition between generator and discriminator, which allows the attacker to
impersonate the target person better. The generated faces, which are unlikely
to draw the attention of onlookers, evade recognition by state-of-the-art
networks, and most of them are recognized as the target person.
Adversarial Attacks against Face Recognition: A Comprehensive Study
Face recognition (FR) systems have demonstrated outstanding verification
performance, suggesting suitability for real-world applications ranging from
photo tagging in social media to automated border control (ABC). In an advanced
FR system with a deep learning-based architecture, however, improving
recognition performance alone is not sufficient; the system should also
withstand the kinds of attacks designed to undermine that performance. Recent
studies show that (deep) FR systems exhibit an intriguing vulnerability to
imperceptible, or perceptible but natural-looking, adversarial input images that
drive the model to incorrect output predictions. In this article, we present a
comprehensive survey of adversarial attacks against FR systems and assess the
effectiveness of new countermeasures against them. Further, we propose a
taxonomy of existing attack and defense methods based on different criteria. We
compare attack methods by orientation and attributes, and defense approaches by
category. Finally, we explore the open challenges and potential research
directions.
Semantic Adversarial Attacks: Parametric Transformations That Fool Deep Classifiers
Deep neural networks have been shown to exhibit an intriguing vulnerability
to adversarial input images corrupted with imperceptible perturbations.
However, the majority of adversarial attacks assume global, fine-grained
control over the image pixel space. In this paper, we consider a different
setting: what happens if the adversary could only alter specific attributes of
the input image? These would generate inputs that might be perceptibly
different, but still natural-looking and enough to fool a classifier. We
propose a novel approach to generate such `semantic' adversarial examples by
optimizing a particular adversarial loss over the range-space of a parametric
conditional generative model. We demonstrate implementations of our attacks on
binary classifiers trained on face images, and show that such natural-looking
semantic adversarial examples exist. We evaluate the effectiveness of our
attack on synthetic and real data, and present detailed comparisons with
existing attack methods. We supplement our empirical results with theoretical
bounds that demonstrate the existence of such parametric adversarial examples.
Comment: Accepted to International Conference on Computer Vision (ICCV) 201
Measurement-driven Security Analysis of Imperceptible Impersonation Attacks
The emergence of Internet of Things (IoT) brings about new security
challenges at the intersection of cyber and physical spaces. One prime example
is the vulnerability of Face Recognition (FR) based access control in IoT
systems. While previous research has shown that Deep Neural Network (DNN)-based
FR systems (FRS) are potentially susceptible to imperceptible impersonation
attacks, the potency of such attacks in a wide set of scenarios has not been
thoroughly investigated. In this paper, we present the first systematic,
wide-ranging measurement study of the exploitability of DNN-based FR systems
using a large scale dataset. We find that arbitrary impersonation attacks,
wherein an arbitrary attacker impersonates an arbitrary target, are hard if
imperceptibility is an auxiliary goal. Specifically, we show that factors such
as skin color, gender, and age, impact the ability to carry out an attack on a
specific target victim, to different extents. We also study the feasibility of
constructing universal attacks that are robust to different poses or views of
the attacker's face. Our results show that finding a universal perturbation is
a much harder problem from the attacker's perspective. Finally, we find that
the perturbed images do not generalize well across different DNN models. This
suggests security countermeasures that can dramatically reduce the
exploitability of DNN-based FR systems.
Comment: accepted and appears in ICCCN 202
AdvFaces: Adversarial Face Synthesis
Face recognition systems have been shown to be vulnerable to adversarial
examples resulting from adding small perturbations to probe images. Such
adversarial images can lead state-of-the-art face recognition systems to
falsely reject a genuine subject (obfuscation attack) or falsely match to an
impostor (impersonation attack). Current approaches to crafting adversarial
face images lack perceptual quality and take an unreasonably long time to
generate. We propose AdvFaces, an automated adversarial face synthesis
method that learns to generate minimal perturbations in the salient facial
regions via Generative Adversarial Networks. Once AdvFaces is trained, it can
automatically generate imperceptible perturbations that evade
state-of-the-art face matchers with attack success rates as high as 97.22% and
24.30% for obfuscation and impersonation attacks, respectively.
Dex-Net 3.0: Computing Robust Robot Vacuum Suction Grasp Targets in Point Clouds using a New Analytic Model and Deep Learning
Vacuum-based end effectors are widely used in industry and are often
preferred over parallel-jaw and multifinger grippers due to their ability to
lift objects with a single point of contact. Suction grasp planners often
target planar surfaces on point clouds near the estimated centroid of an
object. In this paper, we propose a compliant suction contact model that
computes the quality of the seal between the suction cup and local target
surface and a measure of the ability of the suction grasp to resist an external
gravity wrench. To characterize grasps, we estimate robustness to perturbations
in end-effector and object pose, material properties, and external wrenches. We
analyze grasps across 1,500 3D object models to generate Dex-Net 3.0, a dataset
of 2.8 million point clouds, suction grasps, and grasp robustness labels. We
use Dex-Net 3.0 to train a Grasp Quality Convolutional Neural Network (GQ-CNN)
to classify robust suction targets in point clouds containing a single object.
We evaluate the resulting system in 350 physical trials on an ABB YuMi fitted
with a pneumatic suction gripper. When evaluated on novel objects that we
categorize as Basic (prismatic or cylindrical), Typical (more complex
geometry), and Adversarial (with few available suction-grasp points) Dex-Net
3.0 achieves success rates of 98%, 82%, and 58% respectively,
improving to 81% in the latter case when the training set includes only
adversarial objects. Code, datasets, and supplemental material can be found at
http://berkeleyautomation.github.io/dex-net .
Comment: Accepted to ICRA 201
Robust Facial Landmark Detection via Aggregation on Geometrically Manipulated Faces
In this work, we present a practical approach to the problem of facial
landmark detection. The proposed method can deal with large shape and
appearance variations under the rich shape deformation. To handle the shape
variations we equip our method with the aggregation of manipulated face images.
The proposed framework generates different manipulated faces using only one
given face image. The approach utilizes the fact that small but carefully
crafted geometric manipulation in the input domain can fool deep face
recognition models. We propose three different approaches to generating
manipulated faces, two of which perform the manipulations via adversarial
attacks while the third uses known transformations. Aggregating the
manipulated faces yields a more robust landmark detection approach that
captures more of the important deformations and variations of face shapes.
Our approach demonstrates its superiority over the state-of-the-art method on
the benchmark datasets AFLW, 300-W, and COFW.
Exploring Adversarial Robustness of Deep Metric Learning
Deep Metric Learning (DML), a widely-used technique, involves learning a
distance metric between pairs of samples. DML uses deep neural architectures to
learn semantic embeddings of the input, where the distance between similar
examples is small while dissimilar ones are far apart. Although the underlying
neural networks produce good accuracy on naturally occurring samples, they are
vulnerable to adversarially-perturbed samples that reduce performance. We take
a first step towards training robust DML models and tackle the primary
challenge of the metric losses being dependent on the samples in a mini-batch,
unlike standard losses that only depend on the specific input-output pair. We
analyze this dependence effect and contribute a robust optimization
formulation. Using experiments on three commonly-used DML datasets, we
demonstrate 5- to 76-fold increases in adversarial accuracy, and outperform an
existing DML model that was designed to be robust.
Exploring Adversarial Robustness of Multi-Sensor Perception Systems in Self Driving
Modern self-driving perception systems have been shown to improve upon
processing complementary inputs such as LiDAR with images. In isolation, 2D
images have been found to be extremely vulnerable to adversarial attacks. Yet,
there have been limited studies on the adversarial robustness of multi-modal
models that fuse LiDAR features with image features. Furthermore, existing
works do not consider physically realizable perturbations that are consistent
across the input modalities. In this paper, we showcase practical
susceptibilities of multi-sensor detection by placing an adversarial object on
top of a host vehicle. We focus on physically realizable and input-agnostic
attacks as they are feasible to execute in practice, and show that a single
universal adversary can hide different host vehicles from state-of-the-art
multi-modal detectors. Our experiments demonstrate that successful attacks are
primarily caused by easily corrupted image features. Furthermore, we find that
in modern sensor fusion methods which project image features into 3D,
adversarial attacks can exploit the projection process to generate false
positives across distant regions in 3D. Towards more robust multi-modal
perception systems, we show that adversarial training with feature denoising
can boost robustness to such attacks significantly. However, we find that
standard adversarial defenses still struggle to prevent false positives which
are also caused by inaccurate associations between 3D LiDAR points and 2D
pixels.