Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A White-Box False Positive Adversarial Attack Method on Contrastive Loss Based Offline Handwritten Signature Verification Models

Zhongliang Guo, Weiye Li, Yifei Qian, Ognjen Arandjelović, Lei Fang

TL;DR

This work targets offline handwritten signature verification models trained with contrastive loss and reveals a vulnerability to white-box false positive attacks. It reframes the attack as a style-transfer problem between related handwriting styles and optimizes a synthesized image using a four-loss objective that includes Attack Loss, Difference Loss, Style Loss, and Total Variation Loss, with Adam-based training on a frozen Siamese network. The authors demonstrate state-of-the-art FP attack performance on two signature datasets (CEDAR and BHSig260-B), showing large gains from including style transfer and providing detailed ablations and robustness tests under adversarial training. Overall, the study exposes security gaps in contrastive-loss signature verification and offers a principled attack framework that could inform defenses to improve robustness against stylistically consistent perturbations.

Abstract

In this paper, we tackle the challenge of white-box false positive adversarial attacks on contrastive loss based offline handwritten signature verification models. We propose a novel attack method that treats the attack as a style transfer between closely related but distinct writing styles. To guide the generation of deceptive images, we introduce two new loss functions that enhance the attack success rate by perturbing the Euclidean distance between the embedding vectors of the original and synthesized samples, while ensuring minimal perturbations by reducing the difference between the generated image and the original image. Our method demonstrates state-of-the-art performance in white-box attacks on contrastive loss based offline handwritten signature verification models, as evidenced by our experiments. The key contributions of this paper include a novel false positive attack method, two new loss functions, effective style transfer in handwriting styles, and superior performance in white-box false positive attacks compared to other white-box attack methods.

A White-Box False Positive Adversarial Attack Method on Contrastive Loss Based Offline Handwritten Signature Verification Models

TL;DR

This work targets offline handwritten signature verification models trained with contrastive loss and reveals a vulnerability to white-box false positive attacks. It reframes the attack as a style-transfer problem between related handwriting styles and optimizes a synthesized image using a four-loss objective that includes Attack Loss, Difference Loss, Style Loss, and Total Variation Loss, with Adam-based training on a frozen Siamese network. The authors demonstrate state-of-the-art FP attack performance on two signature datasets (CEDAR and BHSig260-B), showing large gains from including style transfer and providing detailed ablations and robustness tests under adversarial training. Overall, the study exposes security gaps in contrastive-loss signature verification and offers a principled attack framework that could inform defenses to improve robustness against stylistically consistent perturbations.

Abstract

In this paper, we tackle the challenge of white-box false positive adversarial attacks on contrastive loss based offline handwritten signature verification models. We propose a novel attack method that treats the attack as a style transfer between closely related but distinct writing styles. To guide the generation of deceptive images, we introduce two new loss functions that enhance the attack success rate by perturbing the Euclidean distance between the embedding vectors of the original and synthesized samples, while ensuring minimal perturbations by reducing the difference between the generated image and the original image. Our method demonstrates state-of-the-art performance in white-box attacks on contrastive loss based offline handwritten signature verification models, as evidenced by our experiments. The key contributions of this paper include a novel false positive attack method, two new loss functions, effective style transfer in handwriting styles, and superior performance in white-box false positive attacks compared to other white-box attack methods.
Paper Structure (17 sections, 11 equations, 3 figures, 2 tables, 1 algorithm)

This paper contains 17 sections, 11 equations, 3 figures, 2 tables, 1 algorithm.

Table of Contents

  1. INTRODUCTION
  2. RELATED WORK
  3. METHODS
  4. Problem Definition
  5. Attack Loss
  6. Difference Loss
  7. Style Transfer
  8. Style Loss
  9. Total Variation Loss
  10. Total Loss
  11. Optimization
  12. RESULTS
  13. Dataset and Pre-trained Model
  14. Experimental Setup
  15. Results and Discussion
  16. ...and 2 more sections

Figures (3)

  • Figure 1: Overview of our approach to executing an attack on a contrastive loss based siamese neural network. The network architecture involves the processing of two inputs: a genuine and a synthesized image. The latter is initialized using content derived from a forged image, and uniquely, remains the sole trainable element within this otherwise frozen network setup. Upon processing, the network generates a pair of embedding vectors; these are integral in computing the attack loss. Simultaneously, style loss is calculated within designated convolutional layers distributed among the twin branches of the network. A difference loss emerges from the comparison between the synthesized and the forged images. Moreover, the synthesized image alone serves as the basis for the calculation of the total variation loss. Crucially, all computed losses are fed back into the synthesized image
  • Figure 2: Visual results of several attack methods on two pairs of images.
  • Figure 3: Summary of hyperparameter ablation study results.