RSTAM: An Effective Black-Box Impersonation Attack on Face Recognition using a Mobile and Compact Printer

Adversarial attacks fall into two broad categories: white-box attacks and black-box attacks. For white-box attack methods, they have full access to the target model and and the majority of them are gradient-based attacks, such as Fast Gradient Sign Method (FGSM) (Goodfellow et al., 2014b), Projected Gradient Descent (PGD) (Madry et al., 2018), and Carlini & Wagner’s method (C&W) (Carlini and Wagner, 2017). FGSM is a single-step gradient-based attack method that shows that linear features of deep neural networks in high-dimensional space are sufficient to generate adversarial examples. PGD is a multi-step extension of the FGSM attack that generates more powerful adversarial examples for white-box attacks. C&W is an optimization-based attack method that also happens to be a gradient-based attack method. However, in practice, what exists is more of a black-box scenario. White-box attack methods tend to lack transferability and fail to attack target models with unknown parameters and gradients. Therefore, more researchers have focused on black-box attack methods.

Black-box attack methods can be classified into three categories: transfer-based, score-based, and decision-based. The transfer-based attacks generate the adversarial examples with a source model and then transfer them to a target model to complete the attack, in which we do not need to know any parameters or gradients of the target model. MI-FGSM (Dong et al., 2018) suggests incorporating momentum into the attack process to stabilize the update direction and increase the transferability of the generated adversarial examples. DI²-FGSM (Xie et al., 2019) first proposes improving the transferability of the adversarial examples by increasing the diversity of the inputs. The translation-invariant attack method (TI-FGSM) (Dong et al., 2019a) and the affine-invariant attack method (AI-FGSM)  (Xiang et al., 2021) are used to further improve the transferability and robustness of adversarial examples. Score-based attacks can simply know the output score of the target model and estimate the gradient of the target model by querying the output score (Ilyas et al., 2018; Cheng et al., 2019; Li et al., 2019). Decision-based attacks assume that the attack is performed in a more challenging situation where only the output labels of the classifier are known. Boundry Attack (Brendel et al., 2018) and Evolutionary Attack (Dong et al., 2019b) are effective methods for dealing with this attack setting.

Adversarial attacks on face recognition come in two common forms: dodging attacks and impersonation attacks. The purpose of dodging attacks is to reduce the confidence of the similarity of the same identity pair in order to evade face recognition. Impersonation attacks attempt to fool face recognition by using one identity to mimic another. Both technically and practically, impersonation attacks are more challenging and practical than dodging attacks. As a result, we concentrate on impersonation attack methods. Dong et al. (Dong et al., 2019b) proposed a decision-based adversarial attack on face recognition. Zhong et al. (Zhong and Deng, 2020) increased the diversity of agent face recognition models by using the dropout (Srivastava et al., 2014) technique to improve the transferability of the adversarial examples. Yang et al. (Yang et al., 2021) introduced a GAN (Goodfellow et al., 2014a) to generate adversarial examples for impersonation attacks on face recognition. Dong et al. (Dong et al., 2019b), Zhong et al. (Zhong and Deng, 2020), and Yang et al. (Yang et al., 2021) are the digital-based attacks on face recognition, which makes them hard to implement in the real world. At this point, there are also many researchers who have proposed methods for physical-based attacks on face recognition. Sharif et al. (Sharif et al., 2016, 2019) proposed a way to perform real-physical attacks on face recognition by printing out a pair of eyeglass frames. Komkov et al. (Komkov and Petiushko, 2021) proposed a physical attack method that can print an adversarial sticker using a color printer and put it on a hat to complete the attack. Nguyen et al. (Nguyen et al., 2020) proposed an adversarial light projection attack method that uses a projector for physical attack. Yin et al. (Yin et al., 2021) generated eye makeup patches by GAN and printed them out and stuck them around the eyes to perform physical attacks. Methods (Sharif et al., 2016, 2019; Komkov and Petiushko, 2021) are perfect for white-box physical attacks. But realistic environments are often black-box situations and they are hard to attack with black-box face recognition models or systems. Although the method (Yin et al., 2021) can perform a transferable black-box attack, it is ineffective for low-pixel face images and for commercial face recognition systems.

Compared with the previous methods, we propose an adversarial attack method on face recognition, RSTAM, which can effectively accomplish the black-box impersonation attack, both on low-pixel face pictures and on commercial face recognition systems. Furthermore, RSTAM can carry out a physical attack with the help of a mobile and compact printer.

Figure 1 shows an example of the RSTAM. The raw image of the target identity is from a social network. Firstly, we apply the facial landmark detection method (Jin et al., 2021) to generate corresponding facial landmarks of the raw image. Then we obtain the aligned target image according to the facial landmarks. Similarly, we can use the facial landmarks in the source image to obtain the eye region of the attacker. After that, we use our proposed method RSTAM to generate an adversarial mask and print out the adversarial mask using the Canon SELPHY CP1300 (CP1300, 2022), which is a mobile and compact printer. Finally, the attacker with the printed adversarial mask is obtained. We can see from Figure 1 that the similarity confidence between the attack and the target is high on all five commercial face recognition systems, with Face++ (Face++, 2022) 84.89%, Baidu (Baidu, 2022) 80.24%, Aliyun (Aliyun, 2022) 75.23%, Tencent (Tencent, 2022) 63.83%, and Microsoft (Microsoft, 2022) 70.94%. Figure 1 further shows that we can effectively perform physical impersonation attacks on the commercial face recognition systems using a photo of the target identity on a social network.

In this section, we will give a detailed description for the adversarial mask. Let $\mathbf{x}^{t}$ denote a face image of the target identity, $\mathbf{x}^{s}$ denote a source image of the attacker, $\mathbf{x}^{adv}$ denote an attack image of the attacker with an adversarial mask and $f(\mathbf{x}):\mathbf{X}\rightarrow\mathbb{R}^{d}$ denote a face recognition model that extracts a normalized feature representation vector for an input image $\mathbf{x}\in\mathbf{X}\subset\mathbb{R}^{n}$. Our goal for the aversarial mask attack is to solve the following constrained optimization problem,

where $\mathcal{L}$ is a cosine similarity loss function,

$\odot$ is the element-wise product, and $\mathbf{M}$ is a binary mask. The binary mask $\mathbf{M}$ is used to constrain that only one pixel can be perturbed when its corresponding position is 1 in $\mathbf{M}$. We design an initial binary mask $\mathbf{M}_{0}$, and then use the initial binary mask $\mathbf{M}_{0}$ and the facial landmarks of the source image to generate the corresponding binary mask $\mathbf{M}$. Figure 2 shows an example of the binary mask $\mathbf{M}$ we generate using the initial binary mask $\mathbf{M}_{0}$ and the facial landmarks of the source image.

Let $\mathbf{A}$ denote an adversarial mask. We can generate an adversarial mask $\mathbf{A}$ with the $\ell_{\infty}$-norm perturbations (Goodfellow et al., 2014b; Madry et al., 2018) by performing a multi-step update as

where $\alpha$ is a perturbation step size, $\mathbf{sign}(\cdot)$ is the sign function, ${Clip}_{\mathbf{x}^{adv}_{0},\epsilon}$ denotes element-wise clipping, aiming to restrict $\mathbf{x}^{adv}$ with in the $\ell_{\infty}$-bound of $\mathbf{x}^{adv}_{0}$. $\epsilon$ is a perturbation bound, $\|\mathbf{x}^{adv}-\mathbf{x}_{0}^{adv}\|_{\infty}\leq\epsilon$ .

The similarity transformation, which has four degrees of freedom (4DoF), consists of translational, rotational, and scaling transformations. It is commonly used for face alignment (Tadmor et al., 2016; Liu et al., 2017). Many previous studies (Xie et al., 2019; Gao et al., 2020; Dong et al., 2019a; Xiang et al., 2021) have demonstrated that the transferability of adversarial examples can be greatly improved by increasing the diversity of the inputs. In order to improve the transferability of the adversarial masks, we propose a random similarity transformation strategy to increase the diversity of the inputs. Moreover, our strategy requires only one hyperparameter to control the random similarity transformation with 4DoF. Let $U(a,b)$ denote the uniformly distributed random sampling function from $a$ to $b$ and $\beta$ denote a hyperparameter. At each iteration we can obtain a random similarity transformation matrix $\mathbf{T}$ by the following strategy,

where $W$ and $H$ are the width and height of the input image. Let $(p_{x},p_{y})$ denote one coordinate of the input image. We can use the similarity transformation matrix $\mathbf{T}$ to obtain the corresponding transformed coordinates $(p_{x}^{t},p_{y}^{t})$,

Finally, we generate the transformed input image by bilinear interpolation.

Xie et al. (Xie et al., 2019) first found that the transferability of adversarial examples could be further improved by increasing the diversity of inputs. Methods (Dong et al., 2019a; Gao et al., 2020; Xiang et al., 2021) also demonstrate this finding. From the description in Section 3.2, we can consider that the adversarial masks are a type of the adversarial examples, so we can also use this finding as well. For the adversarial mask attack on face recognition, we propose a random similarity transformation strategy to enhance the diversity of the input face images, which is described in Section 3.3. Using this strategy we propose the adversarial mask attack method with random similarity transformation, RSTAM. Algorithm block 1 describes the detailed algorithm for the $\ell_{\infty}$-bound RSTAM, RSTAM_∞. Similarly, the RSTAM attack can also use the $\ell_{2}$-norm perturbations, RSTAM₂. In RSTAM₂, we get $\bar{\mathbf{x}}^{adv}_{n+1}$ by

When multiple pre-trained face models are available, it is natural to consider using the ensemble idea to obtain more transferable adversarial examples. Ensemble methods are also often used in research and competitions to improve performance and robustness (Dietterich, 2000; Seni and Elder, 2010). Dong et al. (Dong et al., 2018) demonstrated that the transferability of adversarial examples can be effectively improved by applying ensemble methods. However, the number of pre-trained models available is limited. Therefore, Dong’s hard ensemble method is still prone to “overfitting” pre-trained face models. Meta-learning has been proposed as a framework to address the challenging few-shot learning setting (Finn et al., 2017; Sun et al., 2019; Jamal and Qi, 2019). Inspired by meta-learning, we propose a random meta-optimization strategy for ensembling several pre-trained face models to generate adversarial masks. Different from meta-learning, which is used to update the parameters of the neural network model, the random meta-optimization strategy assumes the network model as data and then updates the adversarial masks directly. Algorithm block 2 describes in detail the RAAM${}_{\infty}^{meta}$ algorithm for performing ensemble attacks using the random meta-optimization strategy.

In order to evaluate the performance of the attacks, we randomly select 500 different identity pairs from the CelebA-HQ and LFW datasets, respectively. Furthermore, we randomly select 1000 different identity makeup images from the MT dataset to make up 500 different identity pairs, and 500 subjects of CASIA-FaceV5 are randomly paired into 250 different identity pairs for the experiment.  
Face Recognition Models and Face Recognition Systems. In our experiments, we use five face recognition models, FaceNet (Schroff et al., 2015), MobileFace, IRSE50, IRSE101, and IR151 (Deng et al., 2019), and five commercial face recognition systems, Face++ (Face++, 2022), Baidu (Baidu, 2022), Aliyun (Aliyun, 2022), Tencent (Tencent, 2022) and Microsoft (Microsoft, 2022). Because the API of Aliyun’s face recognition system is not available to individual users, we only use the web application of Aliyun’s face recognition system for our experiments. In Microsoft’s face recognition system, we use “recognition_04” face recognition model and “detection_03” face detection model, which are the latest versions of Microsoft’s face recognition system. All other face recognition systems use the default version.  
Evaluate Metrics. For impersonation attacks on face recognition models, the attack success rate ($ASR$) (Deb et al., 2020; Zhong and Deng, 2020; Yin et al., 2021) is reported as an evaluation metric,

where $N$ is the number of pairs in the face dataset, $1_{\tau}$ denotes the indicator function, $\tau$ is a pre-determined threshold. For each victim facial recognition model, $\tau$ will be determined at 0.1% False Acceptance Rate ($FAR$) on all possible image pairs in LFW, i.e. FaceNet 0.409, MobileFace 0.302, IRSE50 0.241, and IR152 0.167.

For the evaluation of attacks on face recognition systems, we report the mean confidence scores ($MCS$) on each dataset as an evaluation metric,

where conf is a confidence score between the target and the attack returned from the face recognition system API, $N$ is the number of pairs in the face dataset.  
Implementation Details. We first resize all the input images from all datasets to $512\times 512$ and normalize to $[0,1]$. The following is the setting of our main comparison method in the experiment.

• •

  PASTE is the standard baseline that we use to directly paste the target image’s associated binary mask $M$ region onto the attacker’s source image and then perform the impersonation attack.

• •

  AM_∞ is the adversarial mask attack method with the $\ell_{\infty}$-bound. The perturbation step size $\alpha$ is set to 0.003. The number of iterations $N$ is set to 2000. the perturbation bound $\epsilon$ is set to 0.3. The target face model $f$ uses IRSE101 and the remaining models, FaceNet, MobileFace, IRSE50 and IR151, are used as victim models for the black box attack.

• •

  RSTAM_∞ is the $\ell_{\infty}$-bound RSTAM. The hyperparameter $\beta$ is set to 0.2. Other settings are the same as on AM_∞.

• •

  RSTAM${}_{\infty}^{all}$ uses all five face recognition models as target face models without using the random meta-optimization ensemble strategy. Assume that the target face models $F=[f_{1},f_{2},f_{3},f_{4},f_{5}]$, we can get the $n_{th}$ update gradient as

  (9)

  $$\mathbf{g}_{n}=\frac{1}{5}\sum^{5}_{i=1}\nabla_{\mathbf{x}^{adv}_{n}}{\mathcal{L}(f_{i}(\boldsymbol{RST}(\mathbf{x}^{adv}_{n},\beta)),f_{i}(\mathbf{x}^{t}))}.$$

  Other settings are the same as on RSTAM_∞.

• •

  RSTAM${}_{\infty}^{meta}$ is the $\ell_{\infty}$-bound RSTAM with using the random meta-optimization ensemble strategy. The target models $F$ use all five face recognition models. Other settings are the same as on RSTAM_∞.

• •

  RSTAM₂ is the $\ell_{2}$-bound RSTAM. The perturbation step size $\alpha$ is set to 2. Other settings are the same as on RSTAM_∞.

• •

  RSTAM${}_{2}^{meta}$ is the $\ell_{2}$-bound RSTAM with using the random meta-optimization ensemble strategy. The perturbation step size $\alpha$ is set to 2. Other settings are the same as on RSTAM${}_{\infty}^{meta}$.

Additionally, we implement our codes based on the open source deep learning platform PyTorch (Paszke et al., 2019).

In this section, we will present the outcomes of the black-box impersonation attack in the digital world. Firstly, we will report quantitative results and qualitative results in the datasets CelebA-HQ, LFW, MT, and CASIA-FaceV5, respectively. Next, we will report the results of the hyperparameter $\beta$ sensitivity experiments.  
Quantitative Results. Table 1-4 show the quantitative results on digital images. Table 1 shows the results of the black-box impersonation attack on the CelebA-HQ dataset, which is a high-definition multi-attribute face dataset including annotations with 40 attributes per image. The images in this collection span a wide range of position variants as well as background clutter. We can see from Table 1 that the $ASR$ of RSTAM_∞ for Face Models is much higher than PASTE benchmark and AM_∞, 64.20% (RSTAM_∞) vs. 27.40% (PASTE) vs. 31.60% (AM_∞) on FaceNet, 63.20% vs. 48.00% vs. 43.80% on MobileFace, 91.00% vs. 54.80% vs. 59.60% on IRSE50, and 91.80% vs. 41.20% vs. 51.20% on IR151. The hard ensemble attack method RSTAM${}^{all}_{\infty}$ increases the $MCS$ on Face++ (74.24% vs. 71.94%) and Baidu (72.54% vs. 70.80%) but decreases on Tencent (49.50% vs. 50.63%) and Microsoft (49.12% vs. 53.97%) for the Face Systems in Table 1. Thus, we can think that the hard ensemble attack method is not the best ensemble attack method, and the ensemble attack method RSTAM${}^{meta}_{\infty}$ based on our proposed random meta-optimization strategy can further improve the performance of the ensemble attack method, 74.76% (RSTAM${}^{meta}_{\infty}$) vs. 74.24% (RSTAM${}^{all}_{\infty}$) on Face++, 72.83% vs. 72.54% on Baidu, 50.88% vs. 49.50 on Tencent, and 50.58% vs. 49.12% on Microsoft. Lastly, we can also see in Table 1 that the $\ell_{2}$-bound RSTAM has better attack performance than the $\ell_{\infty}$-bound in the black-box attack on commercial face recognition system.

Table 2 provides the results of the black-box impersonation attack on the low-quality face dataset LFW. From Table 2, we can observe that the RSTAM attack is still effective on low-quality face images. The $MCS$ of RSTAM${}^{meta}_{2}$ on LFW can reach 70.29% in Face++, 70.08% in Baidu, 51.45% in Tencent and 50.13% in Microsoft.

Table 3 presents the results of the black box impersonation attack on the female makeup face images of the MT dataset and Table 4 presents the results of the attack on the Asian face dataset CASIA-FaceV5. Compared with the multi-attribute datasets CelebA-HQ and LFW, the Face Models show lower robustness under relatively single-attribute face datasets MT and CASIA, and PASTE can then achieve a higher $ASR$. In contrast, commercial face recognition systems show similar robustness to single-attribute face datasets and multi-attribute face datasets. It can also be demonstrated that RSTAM, our proposed black-box impersonation attack method, can effectively work with single-attribute or multi-attribute datasets, high-quality or low-quality images, face recognition models, and commercial face recognition systems.

The successful completion of an attack in the digital world does not guarantee that it can be applied to the physical world. Moreover, compared to digital attacks, physical attacks have more practical value in the real world. Therefore, we use a mobile and compact printer, Canon SELPHY CP1300, to print out adversarial masks to carry out experiments on physical attacks. The setup of the physical environment is shown in Figure 5. For shooting, the camera makes use of the iPhone 11 Pro Max’s 12 MP front-facing camera as well as a Bluetooth remote control.

Figure 5 shows the visualization results of our physical black-box impersonation attacks against the five state-of-the-art commercial face recognition systems. The target and source are the same as in Figure 1. Although the printed adversarial masks exhibit distortion in comparison to the digital adversarial masks, the confidence scores of the physical attacks at position ① are not much reduced, and even increase on RSTAM${}^{meta}_{\infty}$ and RSTAM${}^{meta}_{2}$ against the Face++. This also shows that RSTAM is effective in using a mobile and compact printer to implement physical attacks in a realistic environment. Except for the attack on the Tencent face system, RSTAM can maintain a high confidence score for commercial face recognition systems at various positions. Moreover, RSTAM can have good attack performance at the long-range position ④, where the face is of low quality. Similarly, in the physical world, the RSTAM${}^{meta}_{\infty}$ and RSTAM${}^{meta}_{2}$ ensemble attack methods based on random meta-optimization strategy have superior attack performance.