The paper explores the relationship between impersonation attacks and dodging attacks on face recognition (FR) systems. It is observed that a successful impersonation attack does not necessarily guarantee a successful dodging attack due to the existence of multi-identity samples among adversarial face examples.
To address this issue, the authors propose a novel attack method called Pre-training Pruning Restoration Attack (PPR). The key steps are:
Pre-training stage: Craft adversarial face examples using a Lagrangian attack that optimizes both impersonation and dodging losses.
Pruning stage: Prune the adversarial perturbations based on their magnitudes, freeing up some regions for restoration.
Restoration stage: Introduce new adversarial perturbations in the pruned regions to enhance the dodging performance, while maintaining the impersonation performance.
Extensive experiments demonstrate that the proposed PPR method can significantly improve the dodging performance of adversarial face examples without compromising their impersonation performance, outperforming baseline attack methods. The method also shows effectiveness against adversarial robust FR models.
To Another Language
from source content
arxiv.org
Djupare frågor