Enhancing Remote Adversarial Patch Attacks on Face Detectors with Tiling and Scaling

Masora Okano, Koichi Ito, Masakatsu Nishigaki, Tetsushi Ohki

TL;DR

This work investigates remote adversarial patch attacks on face detectors, identifying scale diversity and a small class set as key obstacles. It introduces a patch application framework that uses scaling and tiling along with a Borderline False Positive Loss to induce false positives near face regions without forcing a background misclassification. Empirical results show the proposed method achieves consistent obstruction across datasets and scales, outperforming patches designed for general object detectors, and demonstrates varying transferability across detectors. The findings underscore both the potential for privacy-preserving obfuscation and the need for robust defenses against RAP in face-detection systems.

Abstract

This paper discusses the attack feasibility of Remote Adversarial Patch (RAP) targeting face detectors. The RAP that targets face detectors is similar to the RAP that targets general object detectors, but the former has multiple issues in the attack process that the latter does not. (1) Face detectors can detect objects of various scales. In particular, the area of small objects that are convolved during feature extraction by CNN is small, so the area that affects the inference results is also small. (2) Face detection is a two-class classification, so there is a large gap in characteristics between the classes. This makes it difficult to attack the inference results by directing them to a different class. In this paper, we propose a new patch placement method and loss function for each problem. The patches targeting the proposed face detector showed superior detection obstruction effects compared to the patches targeting the general object detector.

Paper Structure

This paper contains 22 sections, 10 equations, 2 figures, 2 tables.

Figures (2)

  • Figure 1: Schematic diagram of the proposed patch generation method. We propose a patch application method and its learning method to explore the feasibility of generating RAPs to attack face detectors.
  • Figure 2: Detection results for the coordinate uniform dataset. Top row: DPatch; middle row: patches by Lee et al.; bottom row: patches by the proposed method. From left to right: TP, FN, FP.