Improving Visual Quality and Transferability of Adversarial Attacks on Face Recognition Simultaneously with Adversarial Restoration
Fengfan Zhou, Hefei Ling, Yuxuan Shi, Jiazhong Chen, Ping Li
TL;DR
The paper tackles the vulnerability of face recognition systems to adversarial examples by targeting both visual quality and transferability. It introduces AdvRestore, which leverages a Restoration Latent Diffusion Model (RLDM) trained for face restoration and injects adversarial perturbations into the RLDM's UNet during inference, with the restoration task treated as a sibling objective to improve transferability. The attack optimizes a surrogate-model loss, $\mathcal{L}=\|\phi(\mathcal{F}(x^{adv}))-\phi(\mathcal{F}(x^{t}))\|^2_2$, under a perturbation budget $\|x^{adv}-x^{s}\|_p \leq \varrho$, and employs DDIM acceleration to generate $x^{adv}$ efficiently; during training, only UNet parameters are updated while the encoder/decoder are fixed. Across LFW experiments with multiple FR models, AdvRestore achieves higher visual quality (as measured by SSIM, PSNR, LPIPS, and a Visual Quality Score) and stronger black-box transferability (ASR) than baseline attacks, validating the joint improvement provided by the restoration prior.
Abstract
Adversarial face examples possess two critical properties: Visual Quality and Transferability. However, existing approaches rarely address these properties simultaneously, leading to subpar results. To address this issue, we propose a novel adversarial attack technique known as Adversarial Restoration (AdvRestore), which enhances both visual quality and transferability of adversarial face examples by leveraging a face restoration prior. In our approach, we initially train a Restoration Latent Diffusion Model (RLDM) designed for face restoration. Subsequently, we employ the inference process of RLDM to generate adversarial face examples. The adversarial perturbations are applied to the intermediate features of RLDM. Additionally, by treating RLDM face restoration as a sibling task, the transferability of the generated adversarial face examples is further improved. Our experimental results validate the effectiveness of the proposed attack method.