高级检索

    一种局部遮挡人脸识别的对抗样本生成方法

    An Adversarial Example Generation Method for Locally Occluded Face Recognition

    • 摘要: 基于对抗样本开展对抗训练目前已成为提升模型鲁棒性、安全性的重要手段. 新冠疫情使得佩戴口罩成为常态,遮挡人脸识别成为现实需要. 针对当前缺乏遮挡人脸识别对抗样本生成方法的问题,提出了一种自适应对抗样本生成方法——AOA(adversarial examples against occluded faces recognition based on adaptive method). 首先,根据目标模型调整对抗样本生成策略,并根据输入人脸自动调整干扰区域. 其次,通过将扰动集中在对识别影响更大的区域,结合集成模型和高斯滤波,在局部特征增强的虹软、百度人脸识别上实现了黑盒攻击. 最后,结合动态掩码和动态扰动乘数避免了攻击过程中的冗余计算,并保证了攻击的可持续性,生成的扰动使得人脸修复遮挡识别模型错误分割遮挡区域,进而降低模型的识别准确率. 设计实现了人脸修复遮挡识别模型Arc-UFI. 实验表明,AOA能够实现针对局部特征增强和人脸修复的遮挡人脸识别的有效攻击. 此外,AOA可为模型安全对抗训练提供有益支撑.

       

      Abstract: Adversarial training based on adversarial examples has become an important means to improve model robustness and security recently. COVID-19 makes wearing masks the norm and occluded face recognition a practical need. Aiming at the problem of lacking an adversarial example generation method for occluded face recognition, an adaptive adversarial example generation method AOA (adversarial examples against occluded faces recognition based on adaptive method) is proposed. Firstly, it adjusts the adversarial example generation strategy according to the target model and automatically adjusts the interference area according to the input face. Secondly, by concentrating the disturbance on the area that has more significant impact on recognition and combining with the ensemble model and Gaussian filtering, black-box attacks conducted on local feature enhance ArcSoft and Baidu face recognition. Finally, the combination of dynamic masks and dynamic perturbation multiplier avoids redundant calculation in the attack process and ensures the sustainability of the attack. The generated perturbation makes the face inpainting occlusion recognition model wrongly segment the occlusion area, thereby reducing the model recognition accuracy. We build a face inpainting occlusion recognition model, called Arc-UFI. The experiments show that AOA is effective for attacking both local feature enhancement and face inpainting occluded face recognitions. In addition, AOA can provide useful support for model security adversarial training.

       

    /

    返回文章
    返回