Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation
Abstract Most deep learning‐based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among mod...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Wiley
2022-09-01
|
| Series: | IET Biometrics |
| Subjects: | |
| Online Access: | https://doi.org/10.1049/bme2.12082 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1832546667589533696 |
|---|---|
| author | Zohra Rezgui Amina Bassit Raymond Veldhuis |
| author_facet | Zohra Rezgui Amina Bassit Raymond Veldhuis |
| author_sort | Zohra Rezgui |
| collection | DOAJ |
| description | Abstract Most deep learning‐based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among models performing the same task. However, models performing different tasks but sharing the same input space and model architecture were never considered in the transferability scenarios presented in the literature. In this paper, this phenomenon was analysed in the context of VGG16‐based and ResNet50‐based biometric classifiers. The authors investigate the impact of two white‐box attacks on a gender classifier and contrast a defence method as a countermeasure. Then, using adversarial images generated by the attacks, a pre‐trained face recognition classifier is attacked in a black‐box fashion. Two verification comparison settings are employed, in which images perturbed with the same and different magnitude of the perturbation are compared. The authors’ results indicate transferability in the fixed perturbation setting for a Fast Gradient Sign Method attack and non‐transferability in a pixel‐guided denoiser attack setting. The interpretation of this non‐transferability can support the use of fast and train‐free adversarial attacks targeting soft biometric classifiers as means to achieve soft biometric privacy protection while maintaining facial identity as utility. |
| format | Article |
| id | doaj-art-6cb3ccf0081846d488b882018f1b3d39 |
| institution | Kabale University |
| issn | 2047-4938 2047-4946 |
| language | English |
| publishDate | 2022-09-01 |
| publisher | Wiley |
| record_format | Article |
| series | IET Biometrics |
| spelling | doaj-art-6cb3ccf0081846d488b882018f1b3d392025-02-03T06:47:36ZengWileyIET Biometrics2047-49382047-49462022-09-0111540741910.1049/bme2.12082Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbationZohra Rezgui0Amina Bassit1Raymond Veldhuis2EEMCS Faculty Data Management & Biometrics Group University of Twente Enschede The NetherlandsEEMCS Faculty Data Management & Biometrics Group University of Twente Enschede The NetherlandsEEMCS Faculty Data Management & Biometrics Group University of Twente Enschede The NetherlandsAbstract Most deep learning‐based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among models performing the same task. However, models performing different tasks but sharing the same input space and model architecture were never considered in the transferability scenarios presented in the literature. In this paper, this phenomenon was analysed in the context of VGG16‐based and ResNet50‐based biometric classifiers. The authors investigate the impact of two white‐box attacks on a gender classifier and contrast a defence method as a countermeasure. Then, using adversarial images generated by the attacks, a pre‐trained face recognition classifier is attacked in a black‐box fashion. Two verification comparison settings are employed, in which images perturbed with the same and different magnitude of the perturbation are compared. The authors’ results indicate transferability in the fixed perturbation setting for a Fast Gradient Sign Method attack and non‐transferability in a pixel‐guided denoiser attack setting. The interpretation of this non‐transferability can support the use of fast and train‐free adversarial attacks targeting soft biometric classifiers as means to achieve soft biometric privacy protection while maintaining facial identity as utility.https://doi.org/10.1049/bme2.12082adversarial attacksface recognitiongender classificationprivacy protection |
| spellingShingle | Zohra Rezgui Amina Bassit Raymond Veldhuis Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation IET Biometrics adversarial attacks face recognition gender classification privacy protection |
| title | Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation |
| title_full | Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation |
| title_fullStr | Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation |
| title_full_unstemmed | Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation |
| title_short | Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation |
| title_sort | transferability analysis of adversarial attacks on gender classification to face recognition fixed and variable attack perturbation |
| topic | adversarial attacks face recognition gender classification privacy protection |
| url | https://doi.org/10.1049/bme2.12082 |
| work_keys_str_mv | AT zohrarezgui transferabilityanalysisofadversarialattacksongenderclassificationtofacerecognitionfixedandvariableattackperturbation AT aminabassit transferabilityanalysisofadversarialattacksongenderclassificationtofacerecognitionfixedandvariableattackperturbation AT raymondveldhuis transferabilityanalysisofadversarialattacksongenderclassificationtofacerecognitionfixedandvariableattackperturbation |