In the classic party game “Who Am I?” players ask yes or no questions in an attempt to guess which celebrity name is written on a card stuck to their forehead. It’s a good bit of fun, but these days many people are more concerned that advanced public surveillance systems might identify them just as easily as if they were displaying such a name card. Now, researchers from Lomonosov Moscow State University and Huawei Moscow Research Center have introduced a wearable card designed to perform the opposite function — concealing a person’s identity from facial recognition systems.
In their paper AdvHat: Real-World Adversarial Attack on ArcFace Face ID system the white hat researchers propose a novel technique called “AdvHat,” which employs stickers produced by a regular color printer and affixed to hat. The method fools the state-of-the-art public facial identification system ArcFace in real-world environments.
The idea behind adversarial attacks is to slightly change the input to an image classifier so the recognized class will shift from correct to some other class. This is done through the introduction of adversarial examples. Although the approach has already proven successful in the digital domain, its efficiency in the physical world remains relatively unexplored.
The potential of real-world adversarial attacks was introduced in 2015 by generative adversarial networks (GAN) pioneer Ian Goodfellow, along with Alexey Kurakin and Samy Bengio, the brother of Turing Award honoree Yoshua Bengio. The researchers used adversarial images printed on paper to fool classification networks. In their paper Adversarial Examples in the Physical World they explain: “Up to now, all previous work have assumed a threat model in which the adversary can feed data directly into the machine learning classifier. This is not always the case for systems operating in the physical world… This paper shows that even in such physical world scenarios, machine learning systems are vulnerable to adversarial examples.”
The AdvHat researchers realized that not every captured person in their real-world scenarios would be known by the face recognition system. Thus the predicted similarity with the top-1 class should exceed some predefined threshold to treat the face as recognized. Researchers created a rectangular image that could be attached to a human’s forehead or hat to decrease similarity to the ground-truth class below the decision threshold to prompt a failure to recognize.
The researchers designed their adversarial sticker to blend somewhat with real face features such as eyebrows, an important classification point corresponding with the part of the face where the sticker is worn. They discovered for example that placing the sticker as close as possible to the top of the eye line had the effect of “raising” the eyebrows and achieved the best attack results.
The team first tested their stickers using full-face photos under fixed and uniform lighting conditions, and later with different viewpoints, facial rotation, and lighting conditions. They then explored the transferability of prepared attacks to other models.
Facial recognition has been a controversial technology since its inception. San Francisco has banned the tech, and Principal Researcher at Microsoft Research Kate Crawford recently opined on the issue in a Nature World View column, “Scholars have been pointing to the technical and social risks of facial recognition for years. Greater accuracy is not the point.”
For better or worse, academic and commercial face recognition research continues to evolve, and at a brisk pace. The successful AdvHat real-world adversarial attack on today’s top face recognition system could help with future research in this field, whether for the development of more robust systems, or to identify measures that can be used against them.
AdvHat: Real-World Adversarial Attack on ArcFace Face ID system is available on arXiv.
Journalist: Fangyu Cai | Editor: Michael Sarazen