22 research outputs found
Improving Visual Quality and Transferability of Adversarial Attacks on Face Recognition Simultaneously with Adversarial Restoration
Adversarial face examples possess two critical properties: Visual Quality and
Transferability. However, existing approaches rarely address these properties
simultaneously, leading to subpar results. To address this issue, we propose a
novel adversarial attack technique known as Adversarial Restoration
(AdvRestore), which enhances both visual quality and transferability of
adversarial face examples by leveraging a face restoration prior. In our
approach, we initially train a Restoration Latent Diffusion Model (RLDM)
designed for face restoration. Subsequently, we employ the inference process of
RLDM to generate adversarial face examples. The adversarial perturbations are
applied to the intermediate features of RLDM. Additionally, by treating RLDM
face restoration as a sibling task, the transferability of the generated
adversarial face examples is further improved. Our experimental results
validate the effectiveness of the proposed attack method.Comment: \copyright 2023 IEEE. Personal use of this material is permitted.
Permission from IEEE must be obtained for all other uses, in any current or
future media, including reprinting/republishing this material for advertising
or promotional purposes, creating new collective works, for resale or
redistribution to servers or lists, or reuse of any copyrighted component of
this work in other work
Efficient image copy detection using multi-scale fingerprints
Inspired by multi-resolution histogram, we propose
a multi-scale SIFT descriptor to improve the discriminability.
A series of SIFT descriptions with different scale are first
acquired by varying the actual size of each spatial bin. Then
principle component analysis (PCA) is employed to reduce them
to low dimensional vectors, which are further combined into one
128-dimension multi-scale SIFT description. Next, an entropy
maximization based binarization is employed to encode the
descriptions into binary codes called fingerprints for indexing
the local features. Furthermore, an efficient search architecture
consisting of lookup tables and inverted image ID list is designed
to improve the query speed. Since the fingerprint building is
of low-complexity, this method is very efficient and scalable to
very large databases. In addition, the multi-scale fingerprints
are very discriminative such that the copies can be effectively
distinguished from similar objects, which leads to an improved
performance in the detection of copies. The experimental evaluation shows that our approach outperforms the state of the art
methods.Inspired by multi-resolution histogram, we propose a multi-scale SIFT descriptor to improve the discriminability. A series of SIFT descriptions with different scale are first acquired by varying the actual size of each spatial bin. Then principle component analysis (PCA) is employed to reduce them to low dimensional vectors, which are further combined into one 128-dimension multi-scale SIFT description. Next, an entropy maximization based binarization is employed to encode the descriptions into binary codes called fingerprints for indexing the local features. Furthermore, an efficient search architecture consisting of lookup tables and inverted image ID list is designed to improve the query speed. Since the fingerprint building is of low-complexity, this method is very efficient and scalable to very large databases. In addition, the multi-scale fingerprints are very discriminative such that the copies can be effectively distinguished from similar objects, which leads to an improved performance in the detection of copies. The experimental evaluation shows that our approach outperforms the state of the art methods
Improving the Transferability of Adversarial Attacks on Face Recognition with Beneficial Perturbation Feature Augmentation
Face recognition (FR) models can be easily fooled by adversarial examples,
which are crafted by adding imperceptible perturbations on benign face images.
To improve the transferability of adversarial face examples, we propose a novel
attack method called Beneficial Perturbation Feature Augmentation Attack
(BPFA), which reduces the overfitting of adversarial examples to surrogate FR
models by constantly generating new models that have the similar effect of hard
samples to craft the adversarial examples. Specifically, in the
backpropagation, BPFA records the gradients on pre-selected features and uses
the gradient on the input image to craft the adversarial example. In the next
forward propagation, BPFA leverages the recorded gradients to add perturbations
(i.e., beneficial perturbations) that can be pitted against the adversarial
example on their corresponding features. The optimization process of the
adversarial example and the optimization process of the beneficial
perturbations added on the features correspond to a minimax two-player game.
Extensive experiments demonstrate that BPFA can significantly boost the
transferability of adversarial attacks on FR