A Multi-task Adversarial Attack Against Face Authentication

Hanrui Wang, Shuo Wang, Cunjian Chen, Massimo Tistarelli, Zhe Jin

TL;DR

MTADV introduces a unified multi-task adversarial attack for face authentication that can impersonate multiple users or attack multiple systems within a single optimization framework. By optimizing a novel objective that averages feature-space distances to multiple targets across several systems, MTADV covers the single-task (ST), morphing (MA), universal (UA), transferable (TA), and counter (CA) attack scenarios under white- and gray-box settings, with demonstrated generalization across the LFW, CelebA, and CelebA-HQ datasets and across models such as FaceNet, InsightFace, and CurricularFace. Comprehensive experiments show MTADV achieves high attack success rates, maintains strong image fidelity (SSIM>0.855, LPIPS<0.1 at $\epsilon=0.03$), and remains effective against several defenses, highlighting significant implications for biometric security and robustness research. The work also provides thorough ablations, complexity analysis, and countermeasure discussions, offering a practical evaluation tool for assessing and strengthening face-authentication systems.

Abstract

Deep-learning-based identity management systems, such as face authentication systems, are vulnerable to adversarial attacks. However, existing attacks are typically designed for single-task purposes, which means they are tailored to exploit vulnerabilities unique to the individual target rather than being adaptable for multiple users or systems. This limitation makes them unsuitable for certain attack scenarios, such as morphing, universal, transferable, and counter attacks. In this paper, we propose a multi-task adversarial attack algorithm called MTADV that is adaptable for multiple users or systems. By interpreting these scenarios as multi-task attacks, MTADV is applicable to both single- and multi-task attacks, and feasible in the white- and gray-box settings. Furthermore, MTADV is effective against various face datasets, including LFW, CelebA, and CelebA-HQ, and can work with different deep learning models, such as FaceNet, InsightFace, and CurricularFace. Importantly, MTADV retains its feasibility as a single-task attack targeting a single user/system. To the best of our knowledge, MTADV is the first adversarial attack method that can target all of the aforementioned scenarios in one algorithm.

Paper Structure (31 sections, 9 equations, 10 figures, 10 tables, 1 algorithm)

This paper contains 31 sections, 9 equations, 10 figures, 10 tables, 1 algorithm.

Figures (10)

  • Figure 1: The single-task adversarial attacks against face authentication. (a) A legitimate user accesses the system. (b) The attack is white-box when the target image is identical to the one enrolled in the database, i.e., the database is known to the attacker. (c) The attack is gray-box when the target image differs from the one enrolled, i.e., the database is unknown.
  • Figure 2: The multi-task adversarial attack impersonating multiple users. A single adversarial example can gain illegal access acting as multiple target users.
  • Figure 3: The multi-task adversarial attack attacking multiple systems. A single adversarial example can gain illegal access to multiple systems in which the same target user is enrolled.
  • Figure 4: Geometric proof of the feasibility of MTADV in various attack scenarios. $X$, $Y$, and $Z$ denote targets. $X'$ and $X''$ denote other face images of $X$, used for the gray-box attack scenarios. $A$ denotes the adversarial example. The numbers in green represent distances smaller than the threshold of Model 1 (FaceNet), which is approximately 0.6. The numbers in red represent distances higher than the threshold, which indicates different subjects. The information in blue belongs to another model (InsightFace), whose threshold is approximately 0.8, and relates to the transferable attack scenario. These numbers are obtained based on our worst assumptions and geometric calculations.
  • Figure 5: Illustration of adversarial examples (Adv) and differences (Diff) at various perturbation sizes. As observed, the differences among the adversarial examples are visually negligible when $\epsilon\leq0.03$, while the perturbations are clearly visible when $\epsilon>0.05$. Our setting is $\epsilon=0.03$.
  • ...and 5 more figures
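
The multi-user scenario of Figures 2 and 4, seen from the verifier's side: a probe that lies within the threshold of more than one enrolled identity is flagged instead of accepted. This is an added example, not code or a countermeasure from the paper; the Euclidean distance on L2-normalized embeddings, the 3-D toy templates, and the function names are assumptions, and only the 0.6 threshold comes from the Figure 4 caption.

```python
import math

FACENET_THRESHOLD = 0.6  # approximate FaceNet threshold quoted in the Figure 4 caption


def normalize(v):
    """Scale an embedding to unit length (assumed preprocessing)."""
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def distance(a, b):
    """Euclidean distance between L2-normalized embeddings (assumed metric)."""
    a, b = normalize(a), normalize(b)
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def matched_identities(probe, gallery, threshold):
    """Sorted IDs of every enrolled template within `threshold` of the probe."""
    return sorted(uid for uid, tmpl in gallery.items()
                  if distance(probe, tmpl) < threshold)


def verify(probe, claimed_id, gallery, threshold=FACENET_THRESHOLD):
    """1:1 verification plus a cross-check against the other enrolled users.

    A genuine face should match only its own template; a probe that also
    matches other identities is the situation Figure 2 depicts.
    """
    hits = matched_identities(probe, gallery, threshold)
    if claimed_id not in hits:
        return "reject", hits
    if len(hits) > 1:
        return "flag_multi_match", hits
    return "accept", hits


# Constructed toy gallery: X and Y are 1.0 apart (different subjects at 0.6).
GALLERY = {"X": [1.0, 0.0, 0.0], "Y": [0.5, 0.866, 0.0], "Z": [0.0, 0.0, 1.0]}
GENUINE_X = [0.99, 0.10, 0.05]       # constructed: another image of X
MULTI_MATCH_PROBE = [0.866, 0.5, 0]  # constructed: about 0.52 from both X and Y

if __name__ == "__main__":
    for name, probe in [("genuine", GENUINE_X), ("multi", MULTI_MATCH_PROBE)]:
        print(name, verify(probe, "X", GALLERY))
```

The check only sees identities enrolled in the same gallery, so it says nothing about the multi-system case in Figure 3.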