WO2023286251A1 - Adversarial image generation apparatus, control method, and computer-readable storage medium - Google Patents


Info

Publication number
WO2023286251A1
Authority
WO
WIPO (PCT)
Prior art keywords
adversarial
patch
image
face
loss
Application number
PCT/JP2021/026667
Other languages
French (fr)
Inventor
Inderjeet Singh
Kazuya Kakizaki
Toshinori Araki
Takuma Amada
Original Assignee
Nec Corporation
Application filed by NEC Corporation
Priority application: PCT/JP2021/026667 (published as WO2023286251A1)
Related Japanese application: JP2023579862A (published as JP2024523607A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T11/00 2D [Two Dimensional] image generation

Definitions

  • the present disclosure generally relates to adversarial attacks on computer systems.
  • an attack on a computer system that uses adversarial examples is called an adversarial attack.
  • NPL1 discloses an adversarial attack in which a perturbation in the form of eyeglasses is added to a face image of a person to generate an adversarial image, which is an adversarial example in the form of image data.
  • the perturbation is repeatedly updated until the adversarial image becomes capable of deceiving a face verification system into determining that the face in the adversarial image is the face of a target person who is not actually present in the adversarial image.
  • NPL1 also discloses a technique to smooth the perturbation during its repetitive update in order to implement a physically realizable attack. Specifically, NPL1 introduces an index called total variation, computed from the differences between the pixel values of adjacent pixels in the perturbation, to describe the smoothness of the perturbation. The total variation is included as a regularizer in the optimization problem for the adversarial image, so that the adversarial image is updated to deceive the face verification system while maintaining the smoothness of the perturbation.
  • NPL1: M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, "Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition," in Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1528-1540, October 24, 2016.
  • in the total variation disclosed by NPL1, the difference of pixel values is computed for every pair of adjacent pixels in the perturbation.
  • An objective of the present disclosure is to provide a novel technique to generate an adversarial image.
  • the present disclosure provides an adversarial image generation apparatus comprising at least one processor and memory storing instructions.
  • the at least one processor is configured to execute the instructions to: acquire a first face image and a second face image, the first face image being image data in which the face of a first person is captured and the second face image being image data in which the face of a second person is captured; add an adversarial patch to the first face image to generate an adversarial image, the adversarial patch including image data that illustrates a wearable item; and repeatedly perform an update of the adversarial image.
  • the update of the adversarial image includes: computing a similarity loss that indicates the difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which the difference between adjacent pixels in the adversarial patch is computed only for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  • the present disclosure provides a control method performed by a computer.
  • the control method comprises: acquiring a first face image and a second face image, the first face image being image data in which the face of a first person is captured and the second face image being image data in which the face of a second person is captured; adding an adversarial patch to the first face image to generate an adversarial image, the adversarial patch including image data that illustrates a wearable item; and repeatedly performing an update of the adversarial image.
  • the update of the adversarial image includes: computing a similarity loss that indicates the difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which the difference between adjacent pixels in the adversarial patch is computed only for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  • the present disclosure provides a non-transitory computer readable storage medium storing a program that causes a computer to execute: acquiring a first face image and a second face image, the first face image being image data in which the face of a first person is captured and the second face image being image data in which the face of a second person is captured; adding an adversarial patch to the first face image to generate an adversarial image, the adversarial patch including image data that illustrates a wearable item; and repeatedly performing an update of the adversarial image.
  • the update of the adversarial image includes: computing a similarity loss that indicates the difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which the difference between adjacent pixels in the adversarial patch is computed only for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  • Fig. 1 illustrates an overview of the adversarial image generation apparatus of the first example embodiment.
  • Fig. 2 is a block diagram illustrating an example of a functional configuration of the adversarial image generation apparatus.
  • Fig. 3 is a block diagram illustrating an example of the hardware configuration of a computer realizing the adversarial image generation apparatus.
  • Fig. 4 illustrates an environment where an adversarial attack can be performed.
  • Fig. 5 illustrates an example of adversarial attacks that can be performed in the environment illustrated by Fig. 4.
  • Fig. 6 is a flowchart illustrating an example of a process performed by the adversarial image generation apparatus 2000.
  • Fig. 7 illustrates an overview of the adversarial image generation apparatus 2000 of the second example embodiment.
  • Fig. 8 illustrates how the smoothness loss works at the boundary.
  • a storage unit is formed with one or more storage devices.
  • FIG. 1 illustrates an overview of the adversarial image generation apparatus 2000 of the first example embodiment. Note that the overview illustrated by Fig. 1 shows an example of operations of the adversarial image generation apparatus 2000 to make it easy to understand the adversarial image generation apparatus 2000, and does not limit or narrow the scope of possible operations of the adversarial image generation apparatus 2000.
  • the adversarial image generation apparatus 2000 acquires the first face image 10 and the second face image 20, and generates an adversarial image 30 by modifying the first face image 10 based on the second face image 20.
  • the first face image 10 is an image data in which a face of a first person is captured.
  • the second face image 20 is an image data in which a face of a second person is captured.
  • the adversarial image 30 is generated so as to enable the second person to impersonate the first person by using the adversarial image 30. More specifically, the adversarial image 30 is generated so that a classifier determines that the adversarial image 30 includes the face of the second person, although it includes the face of the first person in reality.
  • the classifier is a computer system to recognize which person is captured in an image data input thereto.
  • one example of the classifier is a face verification system installed in a facility such as an airport.
  • hereinafter, this classifier is called the "target classifier".
  • the adversarial image generation apparatus 2000 operates as follows.
  • the adversarial image generation apparatus 2000 acquires the first face image 10 and the second face image 20, and generates the adversarial image 30 by adding an adversarial patch to the first face image 10.
  • the adversarial patch is an image data in the form of a wearable item such as eyeglasses, a hat, or a face mask.
  • the adversarial image generation apparatus 2000 repeatedly updates the adversarial patch in the adversarial image 30 until at least the following two goals are achieved: 1) the features of the adversarial image 30 become substantially similar to the features of the second face image 20 (successful impersonation); and 2) the adversarial patch becomes substantially smooth (smoothing of the adversarial patch).
  • the first goal needs to be achieved so as to enable the second person to impersonate the first person by using the adversarial image 30.
  • the second goal needs to be achieved so as to generate the adversarial image 30 that can be used for a physically realizable attack.
  • the adversarial image generation apparatus 2000 handles an adversarial attack with physical realizability in which a physical copy of the adversarial image 30 is used.
  • the physical copy of the adversarial image 30 is obtained by printing the adversarial image 30 on a physical medium such as paper.
  • the physical copy of the adversarial image 30 is used to deceive the classifier. For example, a face of the second person and the physical copy of the adversarial image 30 are captured by a camera, and the two images generated are compared by the classifier.
  • the smoothness of the adversarial image has an influence on the physical realizability of adversarial attacks. Specifically, abrupt pixel value variations in the adversarial image result in significant camera and printability errors, causing a reduction in the physical adversarial attack success rate. Thus, it is necessary to achieve the second goal.
  • the repetitive update of the adversarial patch includes: computing a loss named total loss; and updating the adversarial image 30 to reduce the total loss.
  • the total loss includes a similarity loss regarding the adversarial image 30 and the second face image 20.
  • the similarity loss describes a degree of difference between the features of the adversarial image 30 and those of the second face image 20.
  • the total loss includes a smoothness loss regarding the adversarial patch.
  • the smoothness loss describes a degree of difference of pixel values of adjacent pixels in the adversarial patch.
  • the smoothness loss is computed only for adjacent pixels in the adversarial patch whose intensity is larger than a threshold (hereinafter, the intensity threshold).
  • that is, the difference between the pixel values of two adjacent pixels is reflected in the smoothness loss only when those pixels have intensity larger than the intensity threshold.
  • after the repetitive update of the adversarial patch in the adversarial image 30 is finished, the adversarial image generation apparatus 2000 outputs the adversarial image 30.
  • the adversarial image 30 is generated by adding the adversarial patch to the first face image 10, and updated until at least two goals mentioned above are achieved.
  • the adversarial image generation apparatus 2000 can be used, for example, to evaluate the risk of the target classifier by trying to generate an adversarial image 30 that can deceive the target classifier in a testing environment. If such an adversarial image 30 is successfully generated, the target classifier is shown to be vulnerable to the adversarial attack, and it can be modified to become resistant to the attack before being put into production.
  • the smoothness loss employed in the adversarial image generation apparatus 2000 is unique in that it computes the smoothness only for adjacent pixels in the adversarial patch that have intensity larger than the intensity threshold.
  • the adversarial image generation apparatus 2000 provides a novel way to evaluate a risk of computer systems to adversarial attacks using the adversarial image. More detailed advantages of the adversarial image generation apparatus 2000 will be described later.
  • Fig. 2 illustrates an example of a functional configuration of the adversarial image generation apparatus 2000.
  • the adversarial image generation apparatus 2000 includes an acquisition unit 2020 and a generation unit 2040.
  • the acquisition unit 2020 acquires the first face image 10 and the second face image 20.
  • the generation unit 2040 generates the adversarial image 30 by adding the adversarial patch to the first face image 10.
  • the generation unit 2040 repeatedly updates the adversarial patch in the adversarial image 30.
  • the update of the adversarial patch includes: computing the similarity loss for the adversarial image 30 and the second face image 20; computing the smoothness loss for the adversarial patch; and updating the adversarial patch based on the total loss in which the similarity loss and the smoothness loss are included.
  • the adversarial image generation apparatus 2000 may be realized by one or more computers.
  • Each of the one or more computers may be a special-purpose computer manufactured for implementing the adversarial image generation apparatus 2000, or may be a general-purpose computer like a personal computer (PC), a server machine, or a mobile device.
  • the adversarial image generation apparatus 2000 may be realized by installing an application in the computer.
  • the application is implemented with a program that causes the computer to function as the adversarial image generation apparatus 2000.
  • the program is an implementation of the functional units of the adversarial image generation apparatus 2000.
  • Fig. 3 is a block diagram illustrating an example of the hardware configuration of a computer 1000 realizing the adversarial image generation apparatus 2000.
  • the computer 1000 includes a bus 1020, a processor 1040, a memory 1060, a storage device 1080, an input/output interface 1100, and a network interface 1120.
  • the bus 1020 is a data transmission channel through which the processor 1040, the memory 1060, the storage device 1080, the input/output interface 1100, and the network interface 1120 mutually transmit and receive data.
  • the processor 1040 is a processor, such as a CPU (Central Processing Unit), GPU (Graphics Processing Unit), or FPGA (Field-Programmable Gate Array).
  • the memory 1060 is a primary memory component, such as a RAM (Random Access Memory) or a ROM (Read Only Memory).
  • the storage device 1080 is a secondary memory component, such as a hard disk, an SSD (Solid State Drive), or a memory card.
  • the input/output interface 1100 is an interface between the computer 1000 and peripheral devices, such as a keyboard, mouse, or display device.
  • the network interface 1120 is an interface between the computer 1000 and a network.
  • the network may be a LAN (Local Area Network) or a WAN (Wide Area Network).
  • the storage device 1080 may store the program mentioned above.
  • the processor 1040 executes the program to realize each functional unit of the adversarial image generation apparatus 2000.
  • the hardware configuration of the computer 1000 is not limited to the configuration shown in Fig. 3.
  • the adversarial image generation apparatus 2000 may be realized by plural computers. In this case, those computers may be connected with each other through the network.
  • Fig. 4 illustrates an environment where an adversarial attack can be performed.
  • a face verification system 100 is a target classifier that is installed at a security check point of an airport to verify an identity of a passenger 110 of an international flight at a gate 120 that the passenger 110 has to go through.
  • a camera 130 and a scanner 140 are also installed.
  • the passenger 110 is required to have a passport on which a face image of the passenger 110 is printed.
  • when going through the gate 120, the passenger 110 has to scan the face image on the passport with the scanner 140.
  • the scanner 140 scans the face image on the passport to generate a scanned image 150, and passes it to the face verification system 100.
  • the camera 130 captures the face of the passenger 110 to generate a captured image 160, and passes it to the face verification system 100.
  • the face verification system 100 is required to allow the passenger 110 to go through the gate 120 only when the passenger 110 is the owner of the passport.
  • the face verification system 100 checks whether or not the passenger 110 is the owner of the passport, by checking whether or not the face in the captured image 160 matches the face in the scanned image 150. Specifically, the face verification system 100 determines that the passenger 110 is the owner of the passport when the face in the captured image 160 matches the face in the scanned image 150, and opens the gate 120 to allow the passenger 110 to go through it. On the other hand, the face verification system 100 determines that the passenger 110 is not the owner of the passport when the face in the captured image 160 does not match the face in the scanned image 150, and closes the gate 120 not to allow the passenger 110 to go through it.
  • Fig. 5 illustrates an example of adversarial attacks that can be performed in the environment illustrated by Fig. 4.
  • the person X is a malicious passenger who is prohibited from going abroad and thus from getting his passport, whereas the person Y is allowed to go abroad and to get her passport.
  • the person X corresponds to the second person while the person Y corresponds to the first person.
  • since the person X cannot get his own passport, he asks the person Y to get her own passport on which an adversarial image is printed as the face image of the person Y.
  • the adversarial image printed on the person Y's passport is the face image of the person Y to which the adversarial patch is added.
  • the adversarial image is generated using the face image of the person X so that the face verification system 100 determines that the face in the adversarial image matches the face of the person X. Since the person Y is allowed to get her passport and the face captured in the adversarial image is that of the person Y, she can get her passport on which the adversarial image is printed.
  • the person X obtains the passport of the person Y from the person Y, and uses it at the above-mentioned gate 120. Since the adversarial image printed on the passport of the person Y is generated so that the face verification system 100 determines that the face in the adversarial image matches the face of the person X, the face verification system 100 determines that the person X is the owner of the passport of the person Y (i.e. the person X is identified as the person Y), and opens the gate 120 to allow the person X to go through it. As a result, the person X can take an international flight to go abroad although he is prohibited from doing so.
  • the adversarial image generation apparatus 2000 can be used, for example, to evaluate the risk of the face verification system 100 to adversarial attacks in a testing environment. Specifically, the adversarial image generation apparatus 2000 is used to try to generate an adversarial image with which the face verification system 100 is deceived as described above. If such an adversarial image is successfully generated, it is demonstrated that the face verification system 100 is vulnerable to the adversarial attack, and the face verification system 100 can be appropriately modified to eliminate this vulnerability. By doing so, it is possible to increase the security of the face verification system 100 before putting it into production.
  • Fig. 6 is a flowchart illustrating an example of a process performed by the adversarial image generation apparatus 2000.
  • the acquisition unit 2020 acquires the first face image 10 and the second face image 20 (S102).
  • the generation unit 2040 initializes the adversarial patch (S104).
  • the generation unit 2040 generates the adversarial image by adding the adversarial patch to the first face image 10 (S106).
  • steps S108 to S114 form a loop process, i.e. a sequence of processes that repeatedly updates the adversarial patch in the adversarial image 30 until a predetermined termination condition is satisfied.
  • the satisfaction of the termination condition is checked at the end of the loop process, i.e. step S114.
  • the generation unit 2040 computes the similarity loss for the adversarial image 30 and the second face image 20 (S108).
  • the generation unit 2040 computes the smoothness loss for the adversarial patch (S110).
  • the generation unit 2040 updates the adversarial patch based on the total loss that includes the similarity loss and the smoothness loss (S112).
  • the generation unit 2040 checks whether the predetermined termination condition is satisfied or not (S114). If the termination condition is satisfied (S114: YES), the process moves on to S116. On the other hand, if the termination condition is not satisfied (S114: NO), the process returns to step S108 and the loop process is performed again.
  • the adversarial image generation apparatus 2000 outputs the adversarial image 30 that has been repeatedly updated in the loop process (S116).
  • the acquisition unit 2020 acquires the first face image 10 and the second face image 20 (S102).
  • the first face image 10 and the second face image 20 are stored in a storage unit in advance in such a manner that the adversarial image generation apparatus 2000 can acquire them.
  • the acquisition unit 2020 acquires the first face image 10 and the second face image 20 from the storage unit.
  • the first face image 10 and the second face image 20 are input into the adversarial image generation apparatus 2000 by a user thereof.
  • the acquisition unit 2020 acquires the first face image 10 and the second face image 20 that are input by the user.
  • the acquisition unit 2020 receives the first face image 10 and the second face image 20 that are sent from another computer, such as a camera or a scanner.
  • the generation unit 2040 initializes the adversarial patch (S104). To do so, the generation unit 2040 acquires information that defines the adversarial patch.
  • the information that defines the adversarial patch is called "patch information".
  • the generation unit 2040 can acquire the patch information in a way similar to that in which the acquisition unit 2020 acquires the first face image 10 and the second face image 20.
  • the patch information may be stored in a storage unit in advance in such a manner that the adversarial image generation apparatus 2000 can acquire it. In this case, the generation unit 2040 acquires the patch information from the storage unit.
  • the adversarial patch may be defined by its shape and size.
  • the patch information may indicate these two pieces of information.
  • the patch information may include a template image of the adversarial patch that indicates the shape and the size of the adversarial patch.
  • the adversarial patch may illustrate a wearable item, such as eyeglasses.
  • the generation unit 2040 may adjust the adversarial patch based on the first face image 10. Specifically, the generation unit 2040 may adjust the size of the adversarial patch so that the item illustrated by the adversarial patch fits the face of the first person captured in the first face image 10.
  • the generation unit 2040 adjusts the size of the adversarial patch so that the width of eyeglasses illustrated by the adversarial patch becomes substantially equal to that of the face of the first person captured in the first face image 10.
  • the generation unit 2040 initializes a value of each pixel of the adversarial patch. For example, the generation unit 2040 randomly initializes a value of each pixel. More specifically, a probability distribution is prepared in advance, and the generation unit 2040 samples a random value from the probability distribution for each pixel of the adversarial patch as the value of the pixel.
  • the probability distribution used to initialize the adversarial patch is called "first distribution".
  • the generation unit 2040 uses the first distribution to obtain R, G, and B values for each pixel of the adversarial patch. For example, for each pixel of the adversarial patch, the generation unit 2040 samples a value from the first distribution three times to initialize the R, G, and B values of the pixel.
  • three separate first distributions are prepared for each of R, G, and B.
  • the generation unit 2040 samples a value from the first distribution corresponding to R to initialize the R value of the pixel, samples a value from the first distribution corresponding to G to initialize the G value of the pixel, and samples a value from the first distribution corresponding to B to initialize the B value of the pixel.
  • the first distribution is configured to be a three-dimensional probability distribution.
  • the generation unit 2040 samples a random three-dimensional vector that represents a set of R, G, and B values from the first distribution to initialize the set of R, G, and B values of the pixel.
  • the first distribution is defined as a three-dimensional Gaussian distribution.
  • the generation unit 2040 generates the adversarial image 30 by adding the adversarial patch to the first face image 10 (S106).
  • the adversarial patch is added to the first face image 10 by adding each pixel of the adversarial patch to the corresponding pixel of the first face image 10.
  • adding each pixel of the adversarial patch to the corresponding pixel of the first face image 10 may mean "replacing each pixel of the first face image 10 with the corresponding pixel of the adversarial patch" or "adding the pixel value of each pixel of the adversarial patch to the pixel value of the corresponding pixel of the first face image 10".
  • the location in the first face image 10 to which the adversarial patch is added may be defined in advance, or adjusted by the generation unit 2040.
  • the generation unit 2040 may determine the location so that the item illustrated by the adversarial patch fits the face of the first person captured in the first face image 10.
  • the adversarial patch illustrates eyeglasses.
  • the generation unit 2040 adjusts the location so that each lens part of the eyeglasses overlaps the corresponding eye of the first person captured in the first face image 10.
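  • as an added example (not code from the patent or from NEC), the initialization step S104 and the placement step S106 described above, written in numpy: a boolean template gives the shape of the wearable item, the template is scaled so the eyeglasses are as wide as the face, each R, G and B value is drawn from a Gaussian "first distribution", and the patch is then added to the first face image either by replacing the pixels under the template or by adding to them. The eyeglasses template, the Gaussian parameters, the face width and eye-line position, and every function name are assumptions for illustration; the page fixes none of them.

```python
import numpy as np

def eyeglasses_template(height, width, lens_w):
    """Constructed template of the wearable item: two rectangular lenses joined
    by a one-pixel bridge, as an H x W boolean mask (True = part of the item)."""
    t = np.zeros((height, width), dtype=bool)
    t[:, :lens_w] = True                            # left lens
    t[:, width - lens_w:] = True                    # right lens
    t[height // 2, lens_w:width - lens_w] = True    # bridge between the lenses
    return t

def resize_nearest(mask, new_h, new_w):
    """Nearest-neighbour resize of a boolean mask (no imaging library needed)."""
    rows = np.arange(new_h) * mask.shape[0] // new_h
    cols = np.arange(new_w) * mask.shape[1] // new_w
    return mask[rows][:, cols]

def fit_template_to_face(template, face_width):
    """Size adjustment described for S104: scale the template so the width of the
    eyeglasses equals the face width, keeping the aspect ratio."""
    h, w = template.shape
    new_w = int(face_width)
    return resize_nearest(template, max(1, round(h * new_w / w)), new_w)

def init_patch(template, rng, mean=0.5, std=0.1):
    """S104: sample the R, G and B value of every patch pixel from the 'first
    distribution' (assumed here: one Gaussian per channel), clipped to [0, 1]."""
    h, w = template.shape
    return np.clip(rng.normal(mean, std, size=(h, w, 3)), 0.0, 1.0)

def patch_fits(face_shape, template_shape, top, left):
    """True when the template box lies entirely inside the face image."""
    h, w = template_shape
    return top >= 0 and left >= 0 and top + h <= face_shape[0] and left + w <= face_shape[1]

def place_patch(face, patch, template, top, left, mode="replace"):
    """S106: add the patch to the first face image at (top, left). Only pixels under
    the template are touched. 'replace' swaps in the patch pixels; 'add' sums patch
    and face values and clips to [0, 1] (the two readings of 'adding' on the page)."""
    face = np.asarray(face, dtype=float)
    if not patch_fits(face.shape, template.shape, top, left):
        raise ValueError("adversarial patch does not fit inside the face image")
    h, w = template.shape
    out = face.copy()
    region = out[top:top + h, left:left + w]        # view into `out`
    m = template[:, :, None]                        # broadcast the mask over RGB
    if mode == "replace":
        region[...] = np.where(m, patch, region)
    elif mode == "add":
        region[...] = np.where(m, np.clip(region + patch, 0.0, 1.0), region)
    else:
        raise ValueError("mode must be 'replace' or 'add'")
    return out

def demo_placement(seed=0):
    """Constructed inputs: a flat grey 48x40 'first face image', an assumed face
    width of 32 px and an assumed eye line at row 18 (what a face detector would
    give). Returns everything needed to check the placement."""
    rng = np.random.default_rng(seed)
    face = np.full((48, 40, 3), 0.6)
    face_width, eye_row = 32, 18
    template = fit_template_to_face(eyeglasses_template(6, 20, 8), face_width)
    patch = init_patch(template, rng)
    left = (face.shape[1] - template.shape[1]) // 2   # centre the glasses on the face
    top = eye_row - template.shape[0] // 2            # lens rows straddle the eye line
    adv = place_patch(face, patch, template, top, left)
    return face, patch, template, adv, top, left
```

  • the template keeps the patch confined to the item's silhouette, so pixels of the face outside the eyeglasses are never modified in either mode; the "add" mode needs the clip because the sum of two valid pixel values can leave the valid range.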
  • the generation unit 2040 repeatedly updates the adversarial patch in the adversarial image 30.
  • the goals of the update include 1) successful impersonation and 2) smoothing of the adversarial patch.
  • the generation unit 2040 computes the total loss that includes at least the similarity loss and the smoothness loss, and updates the adversarial patch based on the total loss.
  • the similarity loss indicates a degree of difference between the features of the adversarial image 30 and those of the second face image 20. Thus, the similarity loss is used to achieve the first goal.
  • the smoothness loss indicates a degree of smoothness of the adversarial patch. Thus, the smoothness loss is used to achieve the second goal.
  • the total loss is defined as a weighted sum of the similarity loss and the smoothness loss.
  • the generation unit 2040 updates the adversarial patch so as to reduce the total loss. After updating the adversarial patch, the adversarial image 30 may be regenerated by adding the updated adversarial patch to the first face image 10.
  • there are various well-known ways to update parameters so as to reduce a loss, such as gradient-based methods; the generation unit 2040 may use any of them to update the adversarial patch included in the adversarial image 30 based on the total loss.
  • the similarity loss is a loss that describes a degree of difference between the features of the adversarial image 30 and those of the second face image 20.
  • the similarity loss is computed by applying the features of the adversarial image 30 and those of the second face image 20 to a predefined loss function (hereinafter, a similarity loss function).
  • the similarity loss function may be defined using cosine similarity, Lp-norm, and so on.
  • the similarity loss function may be defined using cosine similarity as follows: Equation 1, where A and B represent the images for which the similarity loss is computed; L_sim(A,B) represents the similarity loss function that computes the similarity loss for the images A and B; f(I) represents a function that extracts features from an image I; cos(U,V) represents the cosine similarity between the features U and V; a_i represents the i-th element of the feature f(A); and b_i represents the i-th element of the feature f(B).
  • the generation unit 2040 may use a feature extractor that is configured to extract features from an image data input thereto.
  • the feature extractor may be formed with a machine learning-based model, such as a neural network.
  • for example, the feature extractor may be a feature extraction layer of a CNN (convolutional neural network).
  • the function of the feature extractor is represented by f() in the equation (1).
  • the generation unit 2040 uses a feature extractor whose structure is the same as or substantially similar to that of the feature extractor of the target classifier.
  • an adversarial attack under this situation may be called a "white-box attack".
  • however, it is not necessarily required to know the structure of the feature extractor of the target classifier in advance.
  • in some cases, the structure of the feature extractor of the target classifier is unknown.
  • in such cases, any feature extractor other than that of the target classifier can be employed as the feature extractor of the generation unit 2040.
  • a user of the adversarial image generation apparatus 2000 may freely configure the structure of the feature extractor of the generation unit 2040. The same applies to the case where there is no specific target classifier (in other words, an adversarial attack may be performed to arbitrary classifier).
  • when multiple feature extractors are used, the generation unit 2040 may extract a pair of the features of the adversarial image 30 and the second face image 20 for each feature extractor, thereby obtaining multiple pairs of features. Then, the generation unit 2040 may compute the similarity loss for each of the multiple pairs of features and combine them into a single value (called "total similarity loss" hereinafter). In this case, the total similarity loss is applied to the total loss.
  • the total similarity loss may be computed as follows: Equation 2 where L_tsim(A,B) represents a loss function named "a total similarity loss function" that computes the total similarity loss for the images A and B; j represents an identifier of a feature extractor; K represents the number of feature extractors used to compute the total similarity loss; and f_j(I) represents the features of the image I that are extracted by the j-th feature extractor.
  • NPL1 discloses a loss of computing the smoothness for an entirety of a perturbation (adversarial patch), which is named total variation.
  • Total variation is defined as follows: Equation 3 where r represents a perturbation (adversarial patch); TV(r) represents the total variation computed for the perturbation r; and r_i,j is a pixel in the perturbation r at coordinates (i,j).
  • the smoothness loss employed in this example embodiment is activated only for adjacent pixels in the adversarial patch that have intensity larger than the intensity threshold.
  • P represents the adversarial patch
  • L_smooth(P) represents the smoothness loss computed for the adversarial patch P
  • p_(i,j) represents the intensity of the pixel at coordinates (i,j) of the adversarial patch P
  • M represents a mask used to control an activation of the smoothness loss for each set of adjacent pixels based on their intensity
  • T_p is the intensity threshold.
  • This selective activation of the smoothness loss has the effect that the similarity loss is dominant in the total loss in an early stage of the repetitive updates of the adversarial patch, and the smoothness loss gradually becomes influential later.
  • this effect is called “delayed smoothening”.
  • the adversarial patch includes a lot of pixels whose intensity is lower than or equal to T_p.
  • the smoothness loss may be small in the early stage, thereby allowing the similarity loss to be dominant in the total loss.
  • the similarity loss has more influence on the update of the adversarial patch than the smoothness loss.
  • the adversarial patch is updated mainly based on the similarity loss in the early stage, thereby allowing much more feasible solution space for the adversarial patch from the viewpoint of the capability of deceiving the classifier.
  • After some updates of the adversarial patch, the number of pixels whose intensity is larger than the intensity threshold may increase, and thus the smoothness loss becomes influential in the total loss. In this situation, the adversarial patch is updated with the smoothness loss sufficiently taken into consideration. The adversarial patch is therefore eventually optimized based on both the similarity loss and the smoothness loss.
  • the adversarial patch is initialized so that all or almost all of its pixels have intensity lower than or equal to the intensity threshold.
  • the first distribution from which pixel values of the adversarial patch are sampled is defined so as to give higher probability to the pixel values whose intensity is lower than or equal to the intensity threshold and to give lower probability (e.g. zero) to the pixel values whose intensity is larger than the intensity threshold.
  • a user of the adversarial image generation apparatus 2000 determines a threshold of the probability called "first probability threshold", and the first distribution is configured to give probability less than or equal to the first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  • if the first probability threshold is set to zero, every pixel sampled from the first distribution has an intensity lower than or equal to the intensity threshold.
  • the smoothness loss that the generation unit 2040 can use is not limited to one represented by the equation (4).
  • Other examples of the smoothness loss are as follows: Equation 5 Equation 6 Equation 7 where s and z are arbitrary real numbers larger than or equal to 1.
  • the generation unit 2040 computes the total loss based on the similarity loss and the smoothness loss. There are various well-known ways to combine two or more types of losses into one, and one of those ways is employed to define the total loss.
  • the total loss is defined as a weighted sum of the similarity loss and the smoothness loss as follows: Equation 8 where X1 represents the first face image 10; P represents the adversarial patch; X1+P represents the adversarial image 30; X2 represents the second face image 20; L_total((X1+P),X2) represents the total loss computed for the adversarial image 30 and the second face image 20; one weight is assigned to the smoothness loss; and another weight is assigned to the similarity loss.
  • L_sim is replaced by L_tsim in the equation (8).
  • the generation unit 2040 repeatedly updates the adversarial patch until the predefined termination condition is satisfied (S114).
  • the termination condition is set to be that "the update of the adversarial patch is performed predetermined times".
  • the predetermined number of times is N.
  • the termination condition is satisfied when the generation unit 2040 has performed the update of the adversarial patch N times.
  • the termination condition is set to be that "the total loss is less than a predetermined threshold".
  • the predetermined threshold is Th. In this case, the termination condition is satisfied when the total loss computed by the generation unit 2040 is less than Th.
  • the adversarial image generation apparatus 2000 outputs the adversarial image 30 (S116). There are various ways to output the adversarial image 30. For example, the adversarial image generation apparatus 2000 puts the adversarial image 30 into a storage unit. In another example, the adversarial image generation apparatus 2000 outputs the adversarial image 30 to a display device so that the display device displays the adversarial image 30. In another example, the adversarial image generation apparatus 2000 outputs the adversarial image 30 to a printer to generate a physical copy of the adversarial image 30.
  • the adversarial image 30 can be used for a risk evaluation of the target classifier, such as the face verification system 100 (See Figs. 4 and 5).
  • a physical copy of the adversarial image 30 is generated by printing the adversarial image 30 on a physical medium, such as a sheet of paper or a card, using a printer. Then, the target classifier is evaluated using the printed image of the adversarial image 30.
  • the printed image of the adversarial image is captured by a camera (e.g. scanned by a scanner), and the captured image is passed on to the target classifier.
  • the target classifier also acquires the face image of the second person (e.g. the second face image 20). Then, the target classifier is evaluated on whether it determines that the face in the captured image matches that of the second person (in reality, the face in the captured image is not that of the second person, but that of the first person). Note that it is preferable to perform appropriate preprocessing, such as data cleaning and image alignment, on the images input into the target classifier.
  • if the adversarial image 30 successfully deceives the target classifier, this demonstrates that the target classifier is vulnerable to the adversarial attack, and the target classifier should be modified to be resistant to the adversarial attack.
  • FIG. 7 illustrates an overview of the adversarial image generation apparatus 2000 of the second example embodiment. Note that the overview illustrated by Fig. 7 shows an example of operations of the adversarial image generation apparatus 2000 to make it easy to understand the adversarial image generation apparatus 2000, and does not limit or narrow the scope of possible operations of the adversarial image generation apparatus 2000.
  • the adversarial image generation apparatus 2000 of the second example embodiment is different from that of the first example embodiment in that the adversarial patch is generated as a combination of at least two different types of patches: a first patch 40 and a second patch 50.
  • an adversarial attack that is performed using the adversarial patch generated as a combination of the first patch 40 and the second patch 50 is called "noise combo attack".
  • the first patch 40 is the same as the adversarial patch described in the first example embodiment. Specifically, the first patch 40 is in the form of a wearable item, such as eyeglasses.
  • the second patch 50 is formed with scattered noise and, unlike the first patch 40, does not illustrate such an item.
  • the first patch 40 illustrates eyeglasses
  • the second patch 50 is formed with noises scattered over an image region whose size is the same as that of the first face image 10. Note that the size of the second patch 50 is not necessarily equal to that of the first face image 10.
  • the first patch 40 and the second patch 50 are also different from each other in the initial intensity of pixels thereof. Specifically, the first patch 40 is initialized so that the intensity of the pixels thereof is larger than that of the pixels of the second patch 50.
  • the first distribution is the probability distribution introduced in the first example embodiment to initialize the adversarial patch in the first example embodiment.
  • the first distribution is used to sample pixel values therefrom to initialize the first patch 40.
  • the second distribution is used to sample pixel values therefrom to initialize the second patch 50.
  • the first distribution and the second distribution are different from each other in the range of the intensity of pixels that can be sampled therefrom.
  • the lower limit of the range of the intensity of pixels that can be sampled from the first distribution is set as being larger than the upper limit of the range of the intensity of pixels that can be sampled from the second distribution.
  • pixels that can be sampled from the first distribution have the range of intensity [L1,U1]
  • pixels that can be sampled from the second distribution have the range of intensity [L2,U2].
  • L1 is set to be larger than U2.
  • the generation unit 2040 of the second example embodiment adds the first patch 40 and the second patch 50 to generate the adversarial patch 60.
  • the adversarial image 30 is generated by adding the adversarial patch 60 to the first face image 10.
  • the second patch 50 is depicted to be easy to notice in Fig. 7 for illustrative purpose.
  • the second patch 50 in the adversarial image 30 is inconspicuous: i.e. the intensity of the pixels of the second patch 50 is much lower than that of the first face image 10.
  • the generation unit 2040 of the second example embodiment updates the adversarial patch 60 in a similar manner to that of the first example embodiment. Specifically, the generation unit 2040 computes the smoothness loss for the adversarial patch 60 and the similarity loss for the adversarial image 30 and the second face image 20, and updates the adversarial patch 60 (i.e. the first patch 40 and the second patch 50) based on the total loss.
  • the smoothness loss employed in the adversarial image generation apparatus 2000 is also effective to appropriately secure the boundary between the first patch 40 and the second patch 50.
  • the intensity of the pixels of the first patch 40 is larger than that of the second patch 50.
  • the boundary between the two patches may be smoothed, which reduces the effects of the noise combo attack.
  • the smoothness loss exemplified in the first example embodiment is activated only when both of two adjacent pixels have the intensity larger than the intensity threshold. Since the intensity of one of the two adjacent pixels at the boundary of the two patches may be lower than the intensity threshold, the smoothness loss may not be activated at the boundary.
  • the smoothness loss employed in the adversarial image generation apparatus 2000 is advantageous in that it can preserve the boundary between the two patches, so that the effects of the noise combo attack explained later are fully obtained.
  • Fig. 8 illustrates how the smoothness loss works at the boundary.
  • the boundary is also smoothened (shown at the upper right in Fig. 8).
  • the mask M for controlling the activation indicates 1 only for the region inside the boundary, and thus the boundary is not smoothened (shown at the bottom right in Fig. 8).
  • the adversarial image generation apparatus 2000 of the second example embodiment can perform the noise combo attack where the first patch 40 and the second patch 50 are combined into the adversarial patch 60.
  • the noise combo attack is advantageous at least in that the following effects are achieved.
  • the adversarial image generation apparatus 2000 can reduce the time required for the risk evaluation of the target classifier.
  • the faster convergence rate reduces the overfitting problem and results in a better success rate of the adversarial attack.
  • with the adversarial image generation apparatus 2000, it is possible to perform the risk evaluation of the target classifier more effectively.
  • the larger area of adversarial patch also results in a better success rate of the adversarial attack, and it is possible to perform the risk evaluation of the target classifier more effectively.
  • the noise combo attack allows significantly high physical transferability of the generated digital attacks because it makes the first patch 40 in the adversarial patch 60 substantially smooth.
  • the adversarial image generation apparatus 2000 of the second example embodiment may have the same functional configuration as that of the first example embodiment. Thus, its functional configuration may be illustrated by Fig. 2.
  • the adversarial image generation apparatus 2000 of the second example embodiment may have the same hardware configuration as that of the first example embodiment. Thus, its hardware configuration may be illustrated by Fig. 3. However, the program stored in the storage device 1080 of the second example embodiment may implement the functional configurations of the adversarial image generation apparatus 2000 of the second example embodiment.
  • the flow of the process performed by the adversarial image generation apparatus 2000 of the second example embodiment is the same as that performed by the adversarial image generation apparatus 2000 of the first example embodiment, and thus can be illustrated by Fig. 5.
  • the initialization of the adversarial patch 60 includes the initializations of the first patch 40 and the second patch 50.
  • the update of the adversarial patch 60 includes the updates of the first patch 40 and the second patch 50.
  • non-transitory computer readable media or tangible storage media can include a random-access memory (RAM), a read-only memory (ROM), a flash memory, a solid-state drive (SSD) or other types of memory technologies, a CD-ROM, a digital versatile disc (DVD), a Blu-ray disc or other types of optical disc storage, and magnetic cassettes, magnetic tape, magnetic disk storage or other types of magnetic storage devices.
  • the program may be transmitted on a transitory computer readable medium or a communication medium.
  • transitory computer readable media or communication media can include electrical, optical, acoustical, or other forms of propagated signals.
  • An adversarial image generation apparatus comprising: at least one processor; and memory storing instructions; wherein the at least one processor is configured to execute the instructions to: acquire a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured; add an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and repeatedly perform an update of the adversarial image, the update of the adversarial image including: computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and update pixels in the adversarial image
  • the adversarial image generation apparatus according to supplementary note 1, wherein the at least one processor is further configured to execute: initialize the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  • the adversarial patch includes a first patch and a second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item, and the at least one processor is further configured to execute: initialize the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and initialize the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first probability distribution.
  • the adversarial image generation apparatus according to supplementary note 3, wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  • the adversarial image generation apparatus is further configured to execute: extract features of the adversarial image and the second image using a feature extractor whose structure is the same as or substantially similar to the structure of a feature extractor of a classifier that is the target of an evaluation of risk to an adversarial attack using the adversarial image.
  • a control method performed by a computer comprising: acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured; adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and repeatedly performing an update of the adversarial image, the update of the adversarial image including: computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  • a non-transitory computer-readable storage medium storing a program that causes a computer to execute: acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured; adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and repeatedly performing an update of the adversarial image, the update of the adversarial image including: computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.

Abstract

An adversarial image generation apparatus (2000) acquires a first face image (10) that includes a face of a first person, and a second face image (20) that includes a face of a second person. The adversarial image generation apparatus (2000) adds an adversarial patch to the first image (10) to generate an adversarial image (30). The adversarial patch illustrates a wearable item. The adversarial image generation apparatus (2000) repeatedly performs an update of the adversarial image, which includes: computing a similarity loss that indicates difference between features of the adversarial image (30) and features of the second face image (20); computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.

Description

ADVERSARIAL IMAGE GENERATION APPARATUS, CONTROL METHOD, AND COMPUTER-READABLE STORAGE MEDIUM
The present disclosure generally relates to adversarial attacks to computer systems.
The recent development in adversarial machine learning has found that deep neural networks are vulnerable to well-designed input samples called adversarial examples. The vulnerability to adversarial examples becomes a significant risk for applying deep neural networks in safety-critical environments like face verification systems. For the risk evaluation of the existing learning-based systems, there exist approaches focused on attacking using strong adversarial examples. Note that an attack to computer systems using adversarial examples is called adversarial attack.
NPL1 discloses an adversarial attack in which a perturbation in the form of eyeglasses is added to a face image of a person to generate an adversarial image, which is an adversarial example in the form of an image data. The perturbation is repeatedly updated until the adversarial image becomes capable of deceiving a face verification system in determining that the face in the adversarial image is a face of a target person who is not included in the adversarial image in reality.
NPL1 also discloses a technique to smoothen the perturbation during the repetitive update thereof in order to implement a physically realizable attack. Specifically, NPL1 introduces an index called total variation, in which the difference of pixel values of two adjacent pixels in the perturbation is computed to describe the smoothness of the perturbation. The total variation is included as a regularizer in an optimization problem for the adversarial image, thereby updating the adversarial image so as to enable it to deceive the face verification system while maintaining the smoothness of the perturbation.
NPL1: M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, "Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition," In Proceedings of 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp.1528-1540, October 24, 2016
In the total variation disclosed by NPL1, the difference of pixel values is computed for all sets of two adjacent pixels in the perturbation. An objective of the present disclosure is to provide a novel technique to generate an adversarial image.
The present disclosure provides an adversarial image generation apparatus comprising at least one processor and memory storing instructions. The at least one processor is configured to execute the instructions to: acquire a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured; add an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and repeatedly perform an update of the adversarial image. The update of the adversarial image includes: computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
The present disclosure provides a control method performed by a computer. The control method comprises: acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured; adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and repeatedly performing an update of the adversarial image. The update of the adversarial image includes: computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
The present disclosure provides a non-transitory computer readable storage medium storing a program that causes a computer to execute: acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured; adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and repeatedly performing an update of the adversarial image. The update of the adversarial image includes: computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image; computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
According to the present disclosure, a novel technique to generate an adversarial image is provided.
Fig. 1 illustrates an overview of the adversarial image generation apparatus of the first example embodiment. Fig. 2 is a block diagram illustrating an example of a functional configuration of the adversarial image generation apparatus. Fig. 3 is a block diagram illustrating an example of the hardware configuration of a computer realizing the adversarial image generation apparatus. Fig. 4 illustrates an environment where an adversarial attack can be performed. Fig. 5 illustrates an example of adversarial attacks that can be performed in the environment illustrated by Fig. 4. Fig. 6 is a flowchart illustrating an example of a process performed by the adversarial image generation apparatus 2000. Fig. 7 illustrates an overview of the adversarial image generation apparatus 2000 of the second example embodiment. Fig. 8 illustrates how the smoothness loss works at the boundary.
Example embodiments according to the present disclosure will be described hereinafter with reference to the drawings. The same numeral signs are assigned to the same elements throughout the drawings, and redundant explanations are omitted as necessary. In addition, a storage unit is formed with one or more storage devices.
FIRST EXAMPLE EMBODIMENT
<Overview>
Fig. 1 illustrates an overview of the adversarial image generation apparatus 2000 of the first example embodiment. Note that the overview illustrated by Fig. 1 shows an example of operations of the adversarial image generation apparatus 2000 to make it easy to understand the adversarial image generation apparatus 2000, and does not limit or narrow the scope of possible operations of the adversarial image generation apparatus 2000.
The adversarial image generation apparatus 2000 acquires the first face image 10 and the second face image 20, and generates an adversarial image 30 by modifying the first face image 10 based on the second face image 20. The first face image 10 is an image data in which a face of a first person is captured. The second face image 20 is an image data in which a face of a second person is captured.
The adversarial image 30 is generated so as to enable the second person to impersonate the first person by using the adversarial image 30. More specifically, the adversarial image 30 is generated so that a classifier determines that the adversarial image 30 includes the face of the second person, although it includes the face of the first person in reality. The classifier is a computer system that recognizes which person is captured in an image data input thereto. One example of the classifier is a face verification system that is installed in various facilities, such as an airport. Hereinafter, in the case where there is a specific classifier to be tricked, this classifier is called "target classifier".
For the purpose mentioned above, the adversarial image generation apparatus 2000 operates as follows. The adversarial image generation apparatus 2000 acquires the first face image 10 and the second face image 20, and generates the adversarial image 30 by adding an adversarial patch to the first face image 10. The adversarial patch is an image data in the form of a wearable item such as eyeglasses, a hat, or a face mask.
The adversarial image generation apparatus 2000 repeatedly updates the adversarial patch in the adversarial image 30 until at least the following two goals are achieved: 1) features of the adversarial image 30 become substantially similar to features of the second face image 20 (successful impersonation); and 2) the adversarial patch becomes substantially smooth (smoothening of the adversarial patch). The first goal needs to be achieved so as to enable the second person to impersonate the first person by using the adversarial image 30.
The second goal needs to be achieved so as to generate the adversarial image 30 that can be used for a physically realizable attack. Specifically, the adversarial image generation apparatus 2000 handles an adversarial attack with physical realizability in which a physical copy of the adversarial image 30 is used. The physical copy of the adversarial image 30 is obtained by printing the adversarial image 30 on a physical medium such as a paper. The physical copy of the adversarial image 30 is used to deceive the classifier. For example, a face of the second person and the physical copy of the adversarial image 30 are captured by a camera, and the two images generated are compared by the classifier.
The smoothness of the adversarial image has an influence on the physical realizability of adversarial attacks. Specifically, abrupt pixel value variations in the adversarial image result in significant camera and printability errors, causing a reduction in the physical adversarial attack success rate. Thus, it is necessary to achieve the second goal.
In order to achieve the above-mentioned goals, the repetitive update of the adversarial patch includes: computing a loss named total loss; and updating the adversarial image 30 to reduce the total loss. To achieve the first goal, the total loss includes a similarity loss regarding the adversarial image 30 and the second face image 20. The similarity loss describes a degree of difference between the features of the adversarial image 30 and those of the second face image 20.
To achieve the second goal, the total loss includes a smoothness loss regarding the adversarial patch. The smoothness loss describes a degree of difference of pixel values of adjacent pixels in the adversarial patch. Unlike the total variation that is disclosed by NPL1, the smoothness loss computes the smoothness only for adjacent pixels in the adversarial patch that have intensity larger than a threshold (hereinafter, intensity threshold). In other words, the difference of pixel values of adjacent pixels is reflected in the smoothness loss only when those pixels have intensity larger than the intensity threshold. As a result, pixels in the adversarial patch are not smoothened while their intensities are lower than the threshold.
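As an added illustration (not code from the patent or from NEC), the following pure-Python snippet contrasts the all-pairs total variation of NPL1 with the masked smoothness loss described above, and also shows the second-embodiment situation where a high-intensity wearable-item patch sits next to low-intensity scattered noise, so that pairs straddling the boundary are left unsmoothed. Equation (4) is not reproduced on the page, so the absolute-difference form, the "both pixels above T_p" mask, the helper names and the sample intensity ranges are all assumptions made here for the example.

```python
"""Masked smoothness loss ("delayed smoothening") versus plain total variation.

Added illustration; not code from the patent or from NEC.  Equation (4) is not
reproduced on the page, so the concrete form is an assumption: an anisotropic,
absolute-difference total variation in which an adjacent pair contributes only
when BOTH pixels exceed the intensity threshold T_p (the mask M).  Intensities
are floats in [0, 1]; every sample patch below is constructed for the example.
"""
import random


def adjacent_pairs(patch):
    """Yield (a, b) intensities of every horizontally and vertically adjacent pair."""
    h, w = len(patch), len(patch[0])
    for i in range(h):
        for j in range(w):
            if j + 1 < w:
                yield patch[i][j], patch[i][j + 1]
            if i + 1 < h:
                yield patch[i][j], patch[i + 1][j]


def total_variation(patch):
    """NPL1-style total variation: every adjacent pair contributes |a - b|."""
    return sum(abs(a - b) for a, b in adjacent_pairs(patch))


def mask(a, b, t_p):
    """Mask M for one adjacent pair: 1 only when both intensities exceed T_p."""
    return 1.0 if (a > t_p and b > t_p) else 0.0


def smoothness_loss(patch, t_p):
    """L_smooth(P): |a - b| summed over the adjacent pairs whose mask is 1."""
    return sum(mask(a, b, t_p) * abs(a - b) for a, b in adjacent_pairs(patch))


def active_pair_count(patch, t_p):
    """Number of adjacent pairs the smoothness loss currently acts on."""
    return sum(int(mask(a, b, t_p)) for a, b in adjacent_pairs(patch))


def init_combo_patch(h, w, item_rows, first_range, second_range, seed=0):
    """Second-embodiment style initialisation (assumed layout): pixels in
    item_rows stand in for the wearable-item patch and are drawn uniformly
    from [L1, U1]; every other pixel is scattered noise drawn from [L2, U2].
    Requires L1 > U2 so the two patches do not overlap in intensity."""
    l1, u1 = first_range
    l2, u2 = second_range
    if not l1 > u2:
        raise ValueError("L1 must be larger than U2 (first patch above second)")
    rng = random.Random(seed)  # seeded so the example is reproducible
    return [[rng.uniform(l1, u1) if i in item_rows else rng.uniform(l2, u2)
             for _ in range(w)] for i in range(h)]


def scale(patch, k):
    """Multiply every intensity by k (clipped to 1.0); stands in for the rise
    in intensities that the text says occurs over the course of the updates."""
    return [[min(1.0, k * v) for v in row] for row in patch]


if __name__ == "__main__":
    t_p = 0.3
    # 6x6 patch: rows 2-3 play the "eyeglasses" (first patch, [0.5, 0.9]);
    # everything else is faint noise (second patch, [0.0, 0.2]).
    combo = init_combo_patch(6, 6, {2, 3}, (0.5, 0.9), (0.0, 0.2))
    print("TV over all 60 pairs   :", round(total_variation(combo), 3))
    print("masked smoothness loss :", round(smoothness_loss(combo, t_p), 3))
    print("active pairs           :", active_pair_count(combo, t_p), "of 60")
    # Delayed smoothening: as intensities grow, more pairs become active and
    # the smoothness term gains influence in the total loss.
    for k in (1.0, 2.0, 4.0):
        print(f"k={k}: active pairs = {active_pair_count(scale(combo, k), t_p)}")
```

With the ranges above only the 16 pairs lying entirely inside the item rows are active at initialisation; the 12 pairs that cross the item/noise boundary and the 32 pairs inside the noise region contribute nothing, which is the boundary-preserving behaviour of Fig. 8.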
After the repetitive update of the adversarial patch in the adversarial image 30 is finished, the adversarial image generation apparatus 2000 outputs the adversarial image 30.
<Example of Advantageous Effect>
According to the adversarial image generation apparatus 2000, the adversarial image 30 is generated by adding the adversarial patch to the first face image 10, and updated until at least the two goals mentioned above are achieved. The adversarial image generation apparatus 2000 can be used, for example, to evaluate the risk of the target classifier by trying to generate an adversarial image 30 that can deceive the target classifier in a testing environment. If such an adversarial image 30 is successfully generated, it can be said that the target classifier is vulnerable to the adversarial attack. Thus, it is possible to modify the target classifier to become resistant to the adversarial attack before putting it into production.
In addition, the smoothness loss employed in the adversarial image generation apparatus 2000 is unique in that it computes the smoothness only for adjacent pixels in the adversarial patch that have intensity larger than the intensity threshold. Thus, the adversarial image generation apparatus 2000 provides a novel way to evaluate the risk of computer systems to adversarial attacks using the adversarial image. More detailed advantages of the adversarial image generation apparatus 2000 will be described later.
Hereinafter, a more detailed explanation of the adversarial image generation apparatus 2000 is given.
<Example of Functional Configuration>
Fig. 2 illustrates an example of a functional configuration of the adversarial image generation apparatus 2000. The adversarial image generation apparatus 2000 includes an acquisition unit 2020 and a generation unit 2040. The acquisition unit 2020 acquires the first face image 10 and the second face image 20. The generation unit 2040 generates the adversarial image 30 by adding the adversarial patch to the first face image 10. The generation unit 2040 repeatedly updates the adversarial patch in the adversarial image 30. The update of the adversarial patch includes: computing the similarity loss for the adversarial image 30 and the second face image 20; computing the smoothness loss for the adversarial patch; and updating the adversarial patch based on the total loss in which the similarity loss and the smoothness loss are included.
<Example of Hardware Configuration>
The adversarial image generation apparatus 2000 may be realized by one or more computers. Each of the one or more computers may be a special-purpose computer manufactured for implementing the adversarial image generation apparatus 2000, or may be a general-purpose computer like a personal computer (PC), a server machine, or a mobile device.
The adversarial image generation apparatus 2000 may be realized by installing an application in the computer. The application is implemented with a program that causes the computer to function as the adversarial image generation apparatus 2000. In other words, the program is an implementation of the functional units of the adversarial image generation apparatus 2000.
Fig. 3 is a block diagram illustrating an example of the hardware configuration of a computer 1000 realizing the adversarial image generation apparatus 2000. In Fig. 3, the computer 1000 includes a bus 1020, a processor 1040, a memory 1060, a storage device 1080, an input/output interface 1100, and a network interface 1120.
The bus 1020 is a data transmission channel that allows the processor 1040, the memory 1060, the storage device 1080, the input/output interface 1100, and the network interface 1120 to mutually transmit and receive data. The processor 1040 is a processor, such as a CPU (Central Processing Unit), GPU (Graphics Processing Unit), or FPGA (Field-Programmable Gate Array). The memory 1060 is a primary memory component, such as a RAM (Random Access Memory) or a ROM (Read Only Memory). The storage device 1080 is a secondary memory component, such as a hard disk, an SSD (Solid State Drive), or a memory card. The input/output interface 1100 is an interface between the computer 1000 and peripheral devices, such as a keyboard, mouse, or display device. The network interface 1120 is an interface between the computer 1000 and a network. The network may be a LAN (Local Area Network) or a WAN (Wide Area Network).
The storage device 1080 may store the program mentioned above. The processor 1040 executes the program to realize each functional unit of the adversarial image generation apparatus 2000.
The hardware configuration of the computer 1000 is not limited to the configuration shown in Fig. 3. For example, as mentioned above, the adversarial image generation apparatus 2000 may be realized by plural computers. In this case, those computers may be connected with each other through the network.
<Example of Adversarial Attack>
In order to make it easier to understand the adversarial image generation apparatus 2000, an example of adversarial attacks is described below. Note that the following example is merely one of various possible modes of adversarial attacks, and thus it does not limit or narrow possible applications of the adversarial image generation apparatus 2000.
Fig.4 illustrates an environment where an adversarial attack can be performed. In this example, a face verification system 100 is a target classifier that is installed at a security check point of an airport to verify an identity of a passenger 110 of an international flight at a gate 120 that the passenger 110 has to go through. At the gate 120, a camera 130 and a scanner 140 are also installed. The passenger 110 is required to have a passport on which a face image of the passenger 110 is printed.
When going through the gate 120, the passenger 110 has to scan the face image on the passport with the scanner 140. The scanner 140 scans the face image on the passport to generate a scanned image 150, and passes it to the face verification system 100. In addition, the camera 130 captures the face of the passenger 110 to generate a captured image 160, and passes it to the face verification system 100.
The face verification system 100 is required to allow the passenger 110 to go through the gate 120 only when the passenger 110 is the owner of the passport. Thus, the face verification system 100 checks whether or not the passenger 110 is the owner of the passport, by checking whether or not the face in the captured image 160 matches the face in the scanned image 150. Specifically, the face verification system 100 determines that the passenger 110 is the owner of the passport when the face in the captured image 160 matches the face in the scanned image 150, and opens the gate 120 to allow the passenger 110 to go through it. On the other hand, the face verification system 100 determines that the passenger 110 is not the owner of the passport when the face in the captured image 160 does not match the face in the scanned image 150, and closes the gate 120 not to allow the passenger 110 to go through it.
However, there is a physically realizable adversarial attack that may enable a malicious passenger to deceive the face verification system 100 into determining that the passenger is the owner of the passport despite the fact that the face printed on the passport is not the face of that passenger. Fig. 5 illustrates an example of adversarial attacks that can be performed in the environment illustrated by Fig. 4. In this example, there are persons X and Y; the person X is a malicious passenger who is prohibited from going abroad and thus from getting his passport, whereas the person Y is allowed to go abroad and to get her passport. Note that the person X corresponds to the second person while the person Y corresponds to the first person.
In this situation, since the person X cannot get his own passport, he asks the person Y to get her own passport on which an adversarial image is printed as the face image of the person Y. The adversarial image printed on the person Y's passport is the face image of the person Y to which the adversarial patch is added. In addition, the adversarial image is generated using the face image of the person X so that the face verification system 100 determines that the face in the adversarial image matches the face of the person X. Since the person Y is allowed to get her passport and the face captured in the adversarial image is that of the person Y, she can get her passport on which the adversarial image is printed.
Then, the person X obtains the passport of the person Y from the person Y, and uses it at the above-mentioned gate 120. Since the adversarial image printed on the passport of the person Y is generated so that the face verification system 100 determines that the face in the adversarial image matches the face of the person X, the face verification system 100 determines that the person X is the owner of the passport of the person Y (i.e. the person X is identified as the person Y), and opens the gate 120 to allow the person X to go through it. As a result, the person X can take an international flight to go abroad although he is prohibited from doing so.
The adversarial image generation apparatus 2000 can be used, for example, to evaluate the risk of the face verification system 100 to adversarial attacks in a testing environment. Specifically, the adversarial image generation apparatus 2000 is used to try to generate an adversarial image with which the face verification system 100 is deceived as described above. If such an adversarial image is successfully generated, it is demonstrated that the face verification system 100 is vulnerable to the adversarial attack. Thus, the face verification system 100 is appropriately modified to eliminate this vulnerability. By doing so, it is possible to increase the security of the face verification system 100 before putting it into production.
<Flow of Process>
Fig. 6 is a flowchart illustrating an example of a process performed by the adversarial image generation apparatus 2000. The acquisition unit 2020 acquires the first face image 10 and the second face image 20 (S102). The generation unit 2040 initializes the adversarial patch (S104). The generation unit 2040 generates the adversarial image by adding the adversarial patch to the first face image 10 (S106).
Steps S108 to S114 form a loop process that is a sequence of processes to repeatedly update the adversarial patch in the adversarial image 30 until the predetermined termination condition is satisfied. The satisfaction of the termination condition is checked at the end of the loop process, i.e. step S114.
The generation unit 2040 computes the similarity loss for the adversarial image 30 and the second face image 20 (S108). The generation unit 2040 computes the smoothness loss for the adversarial patch (S110). The generation unit 2040 updates the adversarial patch based on the total loss that includes the similarity loss and the smoothness loss (S112).
The generation unit 2040 checks whether the predetermined termination condition is satisfied or not (S114). If the termination condition is satisfied (S114: YES), the process moves on to S116. On the other hand, if the termination condition is not satisfied (S114: NO), the process moves on to step S108; the loop process is performed again.
After the loop process is terminated, the adversarial image generation apparatus 2000 outputs the adversarial image 30 that has been repeatedly updated in the loop process (S116).
<Acquisition of First and Second Face Image: S102>
The acquisition unit 2020 acquires the first face image 10 and the second face image 20 (S102). There are various ways for the acquisition unit 2020 to acquire those images. For example, the first face image 10 and the second face image 20 are stored in a storage unit in advance in such a manner that the adversarial image generation apparatus 2000 can acquire them. In this case, the acquisition unit 2020 acquires the first face image 10 and the second face image 20 from the storage unit. In another example, the first face image 10 and the second face image 20 are input into the adversarial image generation apparatus 2000 by a user thereof. In this case, the acquisition unit 2020 acquires the first face image 10 and the second face image 20 that are input by the user. In another example, the acquisition unit 2020 receives the first face image 10 and the second face image 20 that are sent from another computer, such as a camera or a scanner.
<Initialization of Adversarial Patch: S104>
The generation unit 2040 initializes the adversarial patch (S104). To do so, the generation unit 2040 acquires information that defines the adversarial patch. Hereinafter, the information that defines the adversarial patch is called "patch information". The generation unit 2040 can acquire the patch information in a way similar to the way in which the acquisition unit 2020 acquires the first face image 10 and the second face image 20. For example, the patch information may be stored in a storage unit in advance in such a manner that the adversarial image generation apparatus 2000 can acquire it. In this case, the generation unit 2040 acquires the patch information from the storage unit.
The adversarial patch may be defined by its shape and size. Thus, the patch information may indicate these two pieces of information. For example, the patch information may include a template image of the adversarial patch that indicates the shape and the size of the adversarial patch. Regarding the shape, as described above, the adversarial patch may illustrate a wearable item, such as eyeglasses.
Regarding the size, the generation unit 2040 may adjust it based on the first face image 10. Specifically, the generation unit 2040 may adjust the size of the adversarial patch so that the item illustrated by the adversarial patch fits the face of the first person captured in the first face image 10.
Suppose that the adversarial patch illustrates eyeglasses. In this case, for example, the generation unit 2040 adjusts the size of the adversarial patch so that the width of eyeglasses illustrated by the adversarial patch becomes substantially equal to that of the face of the first person captured in the first face image 10.
The generation unit 2040 initializes a value of each pixel of the adversarial patch. For example, the generation unit 2040 randomly initializes a value of each pixel. More specifically, a probability distribution is prepared in advance, and the generation unit 2040 samples a random value from the probability distribution for each pixel of the adversarial patch as the value of the pixel. Hereinafter, the probability distribution used to initialize the adversarial patch is called "first distribution".
Note that since each pixel of the adversarial patch has R, G, and B values, the generation unit 2040 uses the first distribution to obtain R, G, and B values for each pixel of the adversarial patch. For example, for each pixel of the adversarial patch, the generation unit 2040 samples a value from the first distribution three times to initialize the R, G, and B values of the pixel.
In another example, three separate first distributions are prepared, one for each of R, G, and B. In this case, for each pixel of the adversarial patch, the generation unit 2040 samples a value from the first distribution corresponding to R to initialize the R value of the pixel, samples a value from the first distribution corresponding to G to initialize the G value of the pixel, and samples a value from the first distribution corresponding to B to initialize the B value of the pixel.
In another example, the first distribution is configured to be a three-dimensional probability distribution. In this case, for each pixel of the adversarial patch, the generation unit 2040 samples a random three-dimensional vector that represents a set of R, G, and B values from the first distribution to initialize the set of R, G, and B values of the pixel.
There are various types of probability distributions that can be used as the first distribution. For example, the first distribution is defined as a three-dimensional Gaussian distribution.
<Generation of Adversarial Image 30: S106>
The generation unit 2040 generates the adversarial image 30 by adding the adversarial patch to the first face image 10 (S106). The adversarial patch is added to the first face image 10 by adding each pixel of the adversarial patch to the corresponding pixel of the first face image 10. Adding each pixel of the adversarial patch to the corresponding pixel of the first face image 10 may mean "replacing each pixel of the first face image 10 with the corresponding pixel of the adversarial patch" or "adding the pixel value of each pixel of the adversarial patch to the pixel value of the corresponding pixel of the first face image 10".
The location in the first face image 10 to which the adversarial patch is added (in other words, correspondence between the pixels of the first face image 10 and those of the adversarial patch) may be defined in advance, or adjusted by the generation unit 2040. In the latter case, for example, the generation unit 2040 may determine the location so that the item illustrated by the adversarial patch fits the face of the first person captured in the first face image 10. Suppose that the adversarial patch illustrates eyeglasses. In this case, for example, the generation unit 2040 adjusts the location so that each lens part of the eyeglasses overlaps the corresponding eye of the first person captured in the first face image 10.
<Repetitive Update of Adversarial Patch: S108-S114>
The generation unit 2040 repeatedly updates the adversarial patch in the adversarial image 30. The goals of the update include 1) successful impersonation and 2) smoothing of the adversarial patch. In order to achieve the goals mentioned above, the generation unit 2040 computes the total loss that includes at least the similarity loss and the smoothness loss, and updates the adversarial patch based on the total loss. The similarity loss indicates a degree of difference between the features of the adversarial image 30 and those of the second face image 20. Thus, the similarity loss is used to achieve the first goal. On the other hand, the smoothness loss indicates a degree of smoothness of the adversarial patch. Thus, the smoothness loss is used to achieve the second goal.
These two types of losses are combined into the total loss. For example, the total loss is defined as a weighted sum of the similarity loss and the smoothness loss. The generation unit 2040 updates the adversarial patch so as to reduce the total loss. After updating the adversarial patch, the adversarial image 30 may be regenerated by adding the updated adversarial patch to the first face image 10.
Note that there are various well-known ways to update an image with an objective of reducing the loss computed for the image. Thus, the generation unit 2040 may use one of those well-known ways to update the adversarial patch included in the adversarial image 30 based on the total loss.
Hereinafter, the details of the similarity loss, smoothness loss, and total loss are described.
<<Similarity loss>>
The similarity loss is a loss that describes a degree of difference between the features of the adversarial image 30 and those of the second face image 20. The similarity loss is computed by applying the features of the adversarial image 30 and those of the second face image 20 to a predefined loss function (hereinafter, a similarity loss function).
There are various well-known loss functions with which a degree of difference between two sets of features can be computed, and thus one of those loss functions can be employed as the similarity loss function that is used by the generation unit 2040. Specifically, the similarity loss function may be defined using cosine similarity, an Lp-norm, and so on. For example, the similarity loss function may be defined using cosine similarity as follows:
Equation 1
where A and B represent the images for which the similarity loss is computed; L_sim(A,B) represents the similarity loss function that computes the similarity loss for the images A and B; f(I) represents a function that extracts features from an image I; cos(U,V) represents the cosine similarity between the features U and V; a_i represents the i-th element of the feature f(A); and b_i represents the i-th element of the feature f(B).
To compute the similarity loss, it is necessary to extract the features from each of the adversarial image 30 and the second face image 20. The generation unit 2040 may use a feature extractor that is configured to extract features from image data input thereto. The feature extractor may be formed with a machine learning-based model, such as a neural network. For example, a feature extraction layer of a CNN (convolutional neural network) can be used as a feature extractor. Note that the function of the feature extractor is represented by f() in the equation (1).
Suppose that the structure of the feature extractor of the target classifier is known in advance. In this case, it is preferable that the generation unit 2040 uses a feature extractor whose structure is the same as or substantially similar to that of the feature extractor of the target classifier. An adversarial attack under this situation may be called "white-box attack".
However, it is not necessarily required to know the structure of the feature extractor of the target classifier in advance. Suppose that the structure of the feature extractor of the target classifier is unknown. In this case, for example, any feature extractor other than that of the target classifier can be employed as the feature extractor of the generation unit 2040. In another example, a user of the adversarial image generation apparatus 2000 may freely configure the structure of the feature extractor of the generation unit 2040. The same applies to the case where there is no specific target classifier (in other words, an adversarial attack may be performed against an arbitrary classifier).
In addition, in the case where the structure of the feature extractor of the target classifier is unknown or where there is no specific target classifier, it is possible to increase the accuracy of the similarity loss by using multiple feature extractors. Specifically, the generation unit 2040 may extract a pair of the features of the adversarial image 30 and the second face image 20 for each feature extractor, thereby obtaining multiple pairs of the features of the adversarial image 30 and the second face image 20. Then, the generation unit 2040 may compute the similarity loss for each of the multiple pairs of the features, and combine them into a single value (called "total similarity loss" hereinafter). In this case, the total similarity loss is applied to the total loss.
The total similarity loss may be computed as follows:
Equation 2
where L_tsim(A,B) represents a loss function named "a total similarity loss function" that computes the total similarity loss for the images A and B; j represents an identifier of a feature extractor; K represents the number of feature extractors used to compute the total similarity loss; and f_j(I) represents the features of the image I that are extracted by the j-th feature extractor.
<<Smoothness loss>>
Regarding the smoothness loss, NPL1 discloses a loss that computes the smoothness over the entirety of a perturbation (adversarial patch), which is named total variation. Total variation is defined as follows:
Equation 3
where r represents a perturbation (adversarial patch); TV(r) represents the total variation computed for the perturbation r; and r_i,j is the pixel in the perturbation r at coordinates (i,j).
Unlike the total variation disclosed by NPL1, the smoothness loss employed in this example embodiment is activated only for adjacent pixels in the adversarial patch that have intensity larger than the intensity threshold. One of the examples of the smoothness loss in this example is defined as follows:
Equation 4
where P represents the adversarial patch; L_smooth(P) represents the smoothness loss computed for the adversarial patch P; p_(i,j) represents the intensity of the pixel at coordinates (i,j) of the adversarial patch P; M represents a mask used to control an activation of the smoothness loss for each set of adjacent pixels based on their intensity; and T_p is the intensity threshold.
In the equation (4), since the mask M exists, the difference of the intensity between two adjacent pixels is reflected on the value of L_smooth only if both of the two adjacent pixels have the intensity larger than the intensity threshold. This means that the smoothness loss is activated only for two adjacent pixels of the adversarial patch whose intensity is larger than the intensity threshold.
This selective activation of the smoothness loss has the effect that the similarity loss is dominant in the total loss in an early stage of the repetitive updates of the adversarial patch, and the smoothness loss gradually becomes influential later. Hereinafter, this effect is called "delayed smoothening".
Specifically, in the early stage of the repetitive updates, it is expected that the adversarial patch includes many pixels whose intensity is lower than or equal to T_p. Thus, the smoothness loss may be small in the early stage, thereby allowing the similarity loss to be dominant in the total loss. When the similarity loss is dominant in the total loss, the similarity loss has more influence on the update of the adversarial patch than the smoothness loss. Thus, the adversarial patch is updated mainly based on the similarity loss in the early stage, which leaves a much larger feasible solution space for the adversarial patch from the viewpoint of its capability of deceiving the classifier.
After some updates of the adversarial patch, the number of pixels whose intensity is larger than the intensity threshold may increase, and thus the smoothness loss becomes influential in the total loss. In this situation, the adversarial patch is updated while sufficiently taking the smoothness loss into consideration. The adversarial patch is therefore eventually optimized based on both the similarity loss and the smoothness loss.
In order to reliably obtain the advantage provided by the delayed smoothening, it is preferable that the adversarial patch is initialized so that all or almost all of its pixels have intensity lower than or equal to the intensity threshold. To do so, for example, the first distribution from which the pixel values of the adversarial patch are sampled is defined so as to give higher probability to pixel values whose intensity is lower than or equal to the intensity threshold and lower probability (e.g. zero) to pixel values whose intensity is larger than the intensity threshold.
For example, a user of the adversarial image generation apparatus 2000 determines a threshold of the probability called "first probability threshold", and the first distribution is configured to give probability less than or equal to the first probability threshold for pixel values whose intensity is larger than the intensity threshold. When the first probability threshold is set to be zero, every pixel sampled from the first distribution has the intensity lower than or equal to the intensity threshold.
The smoothness loss that the generation unit 2040 can use is not limited to the one represented by the equation (4). Other examples of the smoothness loss are as follows:
Equation 5
Equation 6
Equation 7
where s and z are arbitrary real numbers larger than or equal to 1.
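The masked smoothness loss described above and the delayed smoothening it produces, as an added example in pure Python (not the patent's own code): it implements the mask of equation (4) beside the unmasked total variation of NPL1, initialises a patch from a first distribution with zero probability mass above T_p, and returns the loss values before and after the patch intensities cross T_p. The per-pair term |p_a - p_b|^s, pixel intensity taken as the mean of R, G and B, the uniform initialisation, and the `brighten` stand-in for similarity-driven updates are assumptions of this example.

```python
"""Masked smoothness loss and the delayed smoothening effect (added example)."""
import random
from typing import Iterator, List, Tuple

Pixel = Tuple[float, float, float]      # (R, G, B), each in [0, 1]
Patch = List[List[Pixel]]               # rows of pixels
Coord = Tuple[int, int]


def intensity(px: Pixel) -> float:
    # Assumption: the intensity of a pixel is the mean of its R, G and B values.
    return sum(px) / 3.0


def intensity_grid(patch: Patch) -> List[List[float]]:
    return [[intensity(px) for px in row] for row in patch]


def neighbour_pairs(h: int, w: int) -> Iterator[Tuple[Coord, Coord]]:
    """All horizontally and vertically adjacent pixel pairs of an h x w patch."""
    for i in range(h):
        for j in range(w):
            if j + 1 < w:
                yield (i, j), (i, j + 1)
            if i + 1 < h:
                yield (i, j), (i + 1, j)


def mask(p_a: float, p_b: float, t_p: float) -> float:
    """M of equation (4): 1 only when BOTH adjacent pixels exceed T_p, else 0."""
    return 1.0 if (p_a > t_p and p_b > t_p) else 0.0


def total_variation(patch: Patch, s: float = 1.0) -> float:
    """NPL1-style total variation over the whole patch, i.e. without the mask.
    Assumption: the per-pair term is |p_a - p_b| ** s (s = 1 by default)."""
    g = intensity_grid(patch)
    return sum(abs(g[a[0]][a[1]] - g[b[0]][b[1]]) ** s
               for a, b in neighbour_pairs(len(g), len(g[0])))


def smoothness_loss(patch: Patch, t_p: float, s: float = 1.0) -> float:
    """L_smooth(P): the same pairwise terms, each gated by the mask M."""
    g = intensity_grid(patch)
    return sum(mask(g[a[0]][a[1]], g[b[0]][b[1]], t_p)
               * abs(g[a[0]][a[1]] - g[b[0]][b[1]]) ** s
               for a, b in neighbour_pairs(len(g), len(g[0])))


def active_fraction(patch: Patch, t_p: float) -> float:
    """Share of adjacent pairs for which the smoothness loss is active."""
    g = intensity_grid(patch)
    pairs = list(neighbour_pairs(len(g), len(g[0])))
    return sum(mask(g[a[0]][a[1]], g[b[0]][b[1]], t_p) for a, b in pairs) / len(pairs)


def init_patch(h: int, w: int, t_p: float, rng: random.Random) -> Patch:
    """Initialise the patch from a 'first distribution' with zero probability mass
    above T_p (first probability threshold = 0), so every intensity is <= T_p.
    Assumption: each channel is drawn uniformly from [0, T_p]."""
    return [[(rng.uniform(0.0, t_p), rng.uniform(0.0, t_p), rng.uniform(0.0, t_p))
             for _ in range(w)] for _ in range(h)]


def total_loss(l_sim: float, l_smooth: float, alpha: float, beta: float) -> float:
    """Equation (8) as a weighted sum: alpha weights L_smooth, beta weights L_sim."""
    return beta * l_sim + alpha * l_smooth


def brighten(patch: Patch, delta: float) -> Patch:
    """Stand-in for the net effect of similarity-driven updates that raise pixel
    intensities: add delta to every channel (clipped to 1.0)."""
    return [[tuple(min(1.0, c + delta) for c in px) for px in row] for row in patch]


def delayed_smoothening_demo(t_p: float = 0.3, seed: int = 7):
    """Return (TV, L_smooth, active fraction) before and after intensities cross T_p."""
    rng = random.Random(seed)
    early_patch = init_patch(6, 8, t_p, rng)            # all intensities <= T_p
    early = (total_variation(early_patch),
             smoothness_loss(early_patch, t_p),
             active_fraction(early_patch, t_p))
    late_patch = brighten(early_patch, 0.5)             # now all intensities > T_p
    late = (total_variation(late_patch),
            smoothness_loss(late_patch, t_p),
            active_fraction(late_patch, t_p))
    return early, late


if __name__ == "__main__":
    (tv0, sm0, act0), (tv1, sm1, act1) = delayed_smoothening_demo()
    print(f"early: TV={tv0:.3f} L_smooth={sm0:.3f} active={act0:.2f}")
    print(f"late : TV={tv1:.3f} L_smooth={sm1:.3f} active={act1:.2f}")
```

At initialisation the unmasked TV is already positive while L_smooth is exactly zero, so the similarity term alone drives the first updates; once intensities exceed T_p the mask is fully active and L_smooth coincides with TV.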
<<Total Loss>>
The generation unit 2040 computes the total loss based on the similarity loss and the smoothness loss. There are various well-known ways to combine two or more types of losses into one, and thus one of those ways is employed to define the total loss. For example, as mentioned above, the total loss is defined as a weighted sum of the similarity loss and the smoothness loss as follows:
Equation 8
where X1 represents the first face image 10; P represents the adversarial patch; X1+P represents the adversarial image 30; X2 represents the second face image 20; L_total((X1+P),X2) represents the total loss computed for the adversarial image 30 and the second face image 20; α represents a weight assigned to the smoothness loss; and β represents a weight assigned to the similarity loss.
Note that in the case where the total similarity loss is used, L_sim is replaced by L_tsim in the equation (8).
<Termination Condition of Repetitive Update: S114>
As described above, the generation unit 2040 repeatedly updates the adversarial patch until the predefined termination condition is satisfied (S114). There are various conditions that can be employed as the termination condition. For example, the termination condition is set to be that "the update of the adversarial patch has been performed a predetermined number of times". Suppose that the predetermined number is N. In this case, the termination condition is satisfied when the generation unit 2040 has performed the update of the adversarial patch N times.
In another example, the termination condition is set to be that "the total loss is less than a predetermined threshold". Suppose that the predetermined threshold is Th. In this case, the termination condition is satisfied when the total loss computed by the generation unit 2040 is less than Th.
<Output of Adversarial Patch: S116>
The adversarial image generation apparatus 2000 outputs the adversarial image 30 (S116). There are various ways to output the adversarial image 30. For example, the adversarial image generation apparatus 2000 puts the adversarial image 30 into a storage unit. In another example, the adversarial image generation apparatus 2000 outputs the adversarial image 30 to a display device so that the display device displays the adversarial image 30. In another example, the adversarial image generation apparatus 2000 outputs the adversarial image 30 to a printer to generate a physical copy of the adversarial image 30.
As described above, the adversarial image 30 can be used for a risk evaluation of the target classifier, such as the face verification system 100 (See Figs. 4 and 5). In this case, a physical copy of the adversarial image 30 is generated by printing the adversarial image 30 on a physical medium, such as a sheet of paper or a card, using a printer. Then, the target classifier is evaluated using the printed image of the adversarial image 30.
Specifically, for example, the printed image of the adversarial image is captured by a camera (or scanned by a scanner), and the captured image is passed on to the target classifier. The target classifier also acquires the face image of the second person (e.g. the second face image 20). Then, it is evaluated whether the target classifier determines that the face in the captured image matches that of the second person (in reality, the face in the captured image is not that of the second person but that of the first person). Note that it is preferable to perform appropriate preprocessing, such as data cleaning and image alignment, on the images input into the target classifier.
If the target classifier determines that the face in the captured image matches that of the second person, the adversarial image 30 successfully deceives the target classifier. Since it demonstrates that the target classifier is vulnerable to the adversarial attack, the target classifier should be modified to be resistant to the adversarial attack.
SECOND EXAMPLE EMBODIMENT
<Overview>
Fig. 7 illustrates an overview of the adversarial image generation apparatus 2000 of the second example embodiment. Note that the overview illustrated by Fig. 7 shows an example of operations of the adversarial image generation apparatus 2000 to make it easy to understand the adversarial image generation apparatus 2000, and does not limit or narrow the scope of possible operations of the adversarial image generation apparatus 2000.
The adversarial image generation apparatus 2000 of the second example embodiment is different from that of the first example embodiment in that the adversarial patch is generated as a combination of at least two different types of patches: a first patch 40 and a second patch 50. Hereinafter, an adversarial attack that is performed using the adversarial patch generated as a combination of the first patch 40 and the second patch 50 is called "noise combo attack".
The first patch 40 is the same as the adversarial patch described in the first example embodiment. Specifically, the first patch 40 is in the form of a wearable item, such as eyeglasses. On the other hand, the second patch 50 is formed of scattered noise and, unlike the first patch 40, does not illustrate such an item. For example, in Fig. 7, the first patch 40 illustrates eyeglasses, whereas the second patch 50 is formed of noise scattered over an image region whose size is the same as that of the first face image 10. Note that the size of the second patch 50 is not necessarily equal to that of the first face image 10.
The first patch 40 and the second patch 50 are also different from each other in the initial intensity of pixels thereof. Specifically, the first patch 40 is initialized so that the intensity of the pixels thereof is larger than that of the pixels of the second patch 50.
To satisfy this condition, for example, two different probability distributions are prepared in advance: the first distribution and the second distribution. The first distribution is the probability distribution introduced in the first example embodiment to initialize the adversarial patch in the first example embodiment. In this example embodiment, the first distribution is used to sample pixel values therefrom to initialize the first patch 40. On the other hand, the second distribution is used to sample pixel values therefrom to initialize the second patch 50.
The first distribution and the second distribution are different from each other in the range of pixel intensities that can be sampled from them. For example, the lower limit of the intensity range that can be sampled from the first distribution is set to be larger than the upper limit of the intensity range that can be sampled from the second distribution. Suppose that pixels sampled from the first distribution have the intensity range [L1,U1], whereas pixels sampled from the second distribution have the intensity range [L2,U2]. In this case, L1 is set to be larger than U2.
The generation unit 2040 of the second example embodiment adds the first patch 40 and the second patch 50 to generate the adversarial patch 60. The adversarial image 30 is generated by adding the adversarial patch 60 to the first face image 10. Note that the second patch 50 is depicted so as to be easy to notice in Fig. 7 for illustrative purposes. In reality, however, it is preferable that the second patch 50 in the adversarial image 30 is inconspicuous, i.e. the intensity of the pixels of the second patch 50 is much lower than that of the first face image 10.
The generation unit 2040 of the second example embodiment updates the adversarial patch 60 in a similar manner to that of the first example embodiment. Specifically, the generation unit 2040 computes the smoothness loss for the adversarial patch 60 and the similarity loss for the adversarial image 30 and the second face image 20, and updates the adversarial patch 60 (i.e. the first patch 40 and the second patch 50) based on the total loss.
Note that, in addition to the delayed smoothening, the smoothness loss employed in the adversarial image generation apparatus 2000 is also effective in appropriately preserving the boundary between the first patch 40 and the second patch 50. As mentioned above, the intensity of the pixels of the first patch 40 is larger than that of the second patch 50. Thus, there may be a large difference in pixel values at the boundary just after the adversarial patch is initialized. However, if the total variation disclosed in NPL1 is used, the boundary between the two patches may be smoothed away, reducing the effect of the noise combo attack.
Considering this point, the smoothness loss exemplified in the first example embodiment is activated only when both of two adjacent pixels have an intensity larger than the intensity threshold. Since the intensity of one of the two adjacent pixels at the boundary of the two patches may be lower than the intensity threshold, the smoothness loss may not be activated at the boundary. Thus, the smoothness loss employed in the adversarial image generation apparatus 2000 is advantageous in that it can preserve the boundary between the two patches, so that the effects of the noise combo attack explained later are obtained.
Fig. 8 illustrates how the smoothness loss works at the boundary. In the case where the smoothness loss is activated for all pixels, the boundary is also smoothed (shown at the upper right in Fig. 8). On the other hand, in the case where the smoothness loss is activated only when both of the two adjacent pixels have an intensity larger than the threshold, the mask M controlling the activation indicates 1 only for the region inside the boundary, and thus the boundary is not smoothed (shown at the bottom right in Fig. 8).
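The following is an added worked example, written for this page and not code from the patent or from NEC, of the two points just described: the two-range initialization of the first patch 40 and the second patch 50 (with L1 > U2), and the thresholded smoothness loss of Fig. 8 that leaves the boundary between the two patches untouched. The patent does not fix a pixel representation, a concrete probability distribution, a threshold value or the exact form of the smoothness loss, so the example assumes 8-bit integer intensities, uniform distributions on [L1,U1] = [160,220] and [L2,U2] = [0,30], an intensity threshold of 128, and a sum-of-absolute-differences total variation; all image data is constructed inline. The function `split_loss` breaks the plain total variation into the pairs the masked loss keeps (both pixels above the threshold), the boundary pairs (exactly one above) and the pairs inside the noise, which makes the effect of the mask M visible as numbers rather than as a picture.

```python
import random

# Images are row-major lists of 8-bit integer intensities (an assumption;
# the patent does not fix a pixel representation). All data below is constructed.


def uniform_patch(height, width, lo, hi, rng):
    """Initialise a patch by sampling every pixel from a uniform distribution on
    [lo, hi]. Uniform is one assumed choice for the first/second distribution."""
    return [[rng.randint(lo, hi) for _ in range(width)] for _ in range(height)]


def combine(second, first, top, left):
    """Adversarial patch 60 = second patch 50 (full size) + first patch 40 placed
    at (top, left); the sum is clipped to the 8-bit range."""
    out = [row[:] for row in second]
    for i, row in enumerate(first):
        for j, v in enumerate(row):
            out[top + i][left + j] = min(255, out[top + i][left + j] + v)
    return out


def pair_mask(patch, thr):
    """Mask M of Fig. 8 at pair granularity: a horizontal or vertical pair of
    adjacent pixels is active (1) only when BOTH pixels exceed thr."""
    h, w = len(patch), len(patch[0])
    horiz = [[int(patch[i][j] > thr and patch[i][j + 1] > thr)
              for j in range(w - 1)] for i in range(h)]
    vert = [[int(patch[i][j] > thr and patch[i + 1][j] > thr)
             for j in range(w)] for i in range(h - 1)]
    return horiz, vert


def masked_smoothness_loss(patch, thr):
    """Sum of |a - b| over adjacent pixel pairs, weighted by the mask. With
    thr = -1 every pair is active and this reduces to the plain total variation
    (the NPL1-style loss that would also smooth the boundary)."""
    horiz, vert = pair_mask(patch, thr)
    loss = 0
    for i, row in enumerate(horiz):
        for j, m in enumerate(row):
            loss += m * abs(patch[i][j] - patch[i][j + 1])
    for i, row in enumerate(vert):
        for j, m in enumerate(row):
            loss += m * abs(patch[i][j] - patch[i + 1][j])
    return loss


def split_loss(patch, thr):
    """Break the plain total variation into: pairs with both pixels above thr
    (the only part the masked loss keeps), pairs straddling thr (the boundary
    between first and second patch) and pairs with both pixels below thr
    (inside the low-intensity noise of the second patch)."""
    parts = {"both_above": 0, "boundary": 0, "both_below": 0}
    h, w = len(patch), len(patch[0])
    for i in range(h):
        for j in range(w):
            for ni, nj in ((i, j + 1), (i + 1, j)):
                if ni >= h or nj >= w:
                    continue
                a, b = patch[i][j], patch[ni][nj]
                key = ("both_below", "boundary", "both_above")[(a > thr) + (b > thr)]
                parts[key] += abs(a - b)
    return parts


def demo(seed=0):
    """Constructed noise-combo patch: first distribution on [L1, U1] = [160, 220],
    second on [L2, U2] = [0, 30], so that L1 > U2 as the embodiment requires.
    Returns the loss breakdown so the boundary share can be inspected."""
    rng = random.Random(seed)
    L1, U1, L2, U2 = 160, 220, 0, 30
    assert L1 > U2, "first-patch intensities must lie above second-patch ones"
    thr = 128  # assumed intensity threshold, chosen between U2 and L1
    second = uniform_patch(8, 10, L2, U2, rng)   # scattered noise, full size
    first = uniform_patch(3, 5, L1, U1, rng)     # wearable-item region
    patch = combine(second, first, top=2, left=3)
    parts = split_loss(patch, thr)
    parts["masked"] = masked_smoothness_loss(patch, thr)   # == parts["both_above"]
    parts["plain"] = masked_smoothness_loss(patch, -1)     # == sum of the three parts
    return parts


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that the masked loss equals only the `both_above` share, while the plain total variation additionally carries the large `boundary` share; a gradient step on the plain loss would therefore pull the edge of the first patch 40 toward the noise level, whereas the masked loss leaves that edge alone, which is exactly the behaviour Fig. 8 depicts.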
<Example of Advantageous Effect>
The adversarial image generation apparatus 2000 of the second example embodiment can perform the noise combo attack where the first patch 40 and the second patch 50 are combined into the adversarial patch 60. The noise combo attack is advantageous at least in that the following effects are achieved.
First, the area of the adversarial patch can be increased compared with the adversarial patch of the first example embodiment, and thus the convergence rate of the repetitive update of the adversarial patch increases considerably. As a result, for example, the adversarial image generation apparatus 2000 can reduce the time required for the risk evaluation of the target classifier.
Second, the faster convergence rate reduces the overfitting problem and results in a better success rate of the adversarial attack. In other words, it becomes highly likely that an adversarial image 30 capable of deceiving a classifier such as the face verification system 100 is generated. Thus, with the adversarial image generation apparatus 2000, it is possible to perform the risk evaluation of the target classifier more effectively.
Third, the larger area of adversarial patch also results in a better success rate of the adversarial attack, and it is possible to perform the risk evaluation of the target classifier more effectively.
Finally, the noise combo attack allows significantly high physical transferability of the generated digital attacks because it makes the first patch 40 in the adversarial patch 60 substantially smooth.
<Example of Functional Configuration>
The adversarial image generation apparatus 2000 of the second example embodiment may have the same functional configuration as that of the first example embodiment. Thus, its functional configuration may be illustrated by Fig. 2.
<Example of Hardware Configuration>
The adversarial image generation apparatus 2000 of the second example embodiment may have the same hardware configuration as that of the first example embodiment. Thus, its hardware configuration may be illustrated by Fig. 3. However, the program stored in the storage device 1080 of the second example embodiment may implement the functional configurations of the adversarial image generation apparatus 2000 of the second example embodiment.
<Flow of Process>
The flow of the process performed by the adversarial image generation apparatus 2000 of the second example embodiment is the same as that performed by the adversarial image generation apparatus 2000 of the first example embodiment, and thus can be illustrated by Fig. 5. Note that the initialization of the adversarial patch 60 includes the initializations of the first patch 40 and the second patch 50. In addition, the update of the adversarial patch 60 includes the updates of the first patch 40 and the second patch 50.
Although the present disclosure is explained above with reference to example embodiments, the present disclosure is not limited to the above-described example embodiments. Various modifications that can be understood by those skilled in the art can be made to the configuration and details of the present disclosure within the scope of the invention.
The programs mentioned in this disclosure include instructions (or software codes) that, when loaded into a computer, cause the computer to perform one or more of the functions described in the embodiments. The program may be stored in a non-transitory computer readable medium or a tangible storage medium. By way of example, and not a limitation, non-transitory computer readable media or tangible storage media can include a random-access memory (RAM), a read-only memory (ROM), a flash memory, a solid-state drive (SSD) or other types of memory technologies, a CD-ROM, a digital versatile disc (DVD), a Blu-ray disc or other types of optical disc storage, and magnetic cassettes, magnetic tape, magnetic disk storage or other types of magnetic storage devices. The program may be transmitted on a transitory computer readable medium or a communication medium. By way of example, and not a limitation, transitory computer readable media or communication media can include electrical, optical, acoustical, or other forms of propagated signals.
The whole or part of the example embodiments disclosed above can be described as, but not limited to, the following supplementary notes.
<Supplementary notes>
  (Supplementary Note 1)
  An adversarial image generation apparatus comprising:
  at least one processor; and
  memory storing instructions;
  wherein the at least one processor is configured to execute the instructions to:
  acquire a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured;
  add an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and
  repeatedly perform an update of the adversarial image, the update of the adversarial image including:
    computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image;
    computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and
    update pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  (Supplementary Note 2)
  The adversarial image generation apparatus according to supplementary note 1,
  wherein the at least one processor is further configured to execute:
  initialize the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  (Supplementary Note 3)
  The adversarial image generation apparatus according to supplementary note 2,
  wherein the adversarial image includes a first patch and the second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item,
  the at least one processor is further configured to execute:
  initialize the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and
  initialize the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first distribution.
  (Supplementary Note 4)
  The adversarial image generation apparatus according to supplementary note 3,
  wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  (Supplementary Note 5)
  The adversarial image generation apparatus according to any one of supplementary notes 1 to 4,
  the at least one processor is further configured to execute:
  extracts features of the adversarial image and the second image using a feature extractor whose structure is a same as or substantially similar to a structure of a feature extractor of a classifier that is a target of an evaluation of risk to an adversarial attack using the adversarial image.
  (Supplementary Note 6)
  A control method performed by a computer, comprising:
  acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured;
  adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and
  repeatedly performing an update of the adversarial image, the update of the adversarial image including:
    computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image;
    computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and
    update pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  (Supplementary Note 7)
  The control method according to supplementary note 6, further comprising:
  initializing the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  (Supplementary Note 8)
  The control method according to supplementary note 7,
  wherein the adversarial image includes a first patch and the second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item,
  the control method further comprises:
  initializing the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and
  initializing the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first distribution.
  (Supplementary Note 9)
  The control method according to supplementary note 8,
  wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  (Supplementary Note 10)
  The control method according to any one of supplementary notes 6 to 9, further comprising:
  extracting features of the adversarial image and the second image using a feature extractor whose structure is a same as or substantially similar to a structure of a feature extractor of a classifier that is a target of an evaluation of risk to an adversarial attack using the adversarial image.
  (Supplementary Note 11)
  A non-transitory computer-readable storage medium storing a program that causes a computer to execute:
  acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured;
  adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and
  repeatedly performing an update of the adversarial image, the update of the adversarial image including:
    computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image;
    computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and
    update pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  (Supplementary Note 12)
  The storage medium according to supplementary note 11,
  wherein the program causes the computer to further execute:
  initializing the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  (Supplementary Note 13)
  The storage medium according to supplementary note 12,
  wherein the adversarial image includes a first patch and the second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item,
  the program causes the computer to further execute:
  initializing the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and
  initializing the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first distribution.
  (Supplementary Note 14)
  The storage medium according to supplementary note 13,
  wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  (Supplementary Note 15)
  The storage medium according to any one of supplementary notes 11 to 14,
  wherein the program causes the computer to further execute:
  extracting features of the adversarial image and the second image using a feature extractor whose structure is a same as or substantially similar to a structure of a feature extractor of a classifier that is a target of an evaluation of risk to an adversarial attack using the adversarial image.
10 first face image
20 second face image
30 adversarial image
40 first patch
50 second patch
60 adversarial patch
100 face verification system
110 passenger
120 gate
130 camera
140 scanner
150 scanned image
160 captured image
1000 computer
1020 bus
1040 processor
1060 memory
1080 storage device
1100 input/output interface
1120 network interface
2000 adversarial image generation apparatus
2020 acquisition unit
2040 generation unit

Claims (15)

  1.   An adversarial image generation apparatus comprising:
      at least one processor; and
      memory storing instructions;
      wherein the at least one processor is configured to execute the instructions to:
      acquire a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured;
      add an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and
      repeatedly perform an update of the adversarial image, the update of the adversarial image including:
        computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image;
        computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and
        updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  2.   The adversarial image generation apparatus according to claim 1,
      wherein the at least one processor is further configured to execute:
      initialize the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  3.   The adversarial image generation apparatus according to claim 2,
      wherein the adversarial image includes a first patch and the second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item,
      the at least one processor is further configured to execute:
      initialize the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and
      initialize the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first distribution.
  4.   The adversarial image generation apparatus according to claim 3,
      wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  5.   The adversarial image generation apparatus according to any one of claims 1 to 4,
      the at least one processor is further configured to execute:
      extracts features of the adversarial image and the second image using a feature extractor whose structure is a same as or substantially similar to a structure of a feature extractor of a classifier that is a target of an evaluation of risk to an adversarial attack using the adversarial image.
  6.   A control method performed by a computer, comprising:
      acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured;
      adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and
      repeatedly performing an update of the adversarial image, the update of the adversarial image including:
        computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image;
        computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and
        updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  7.   The control method according to claim 6, further comprising:
      initializing the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  8.   The control method according to claim 7,
      wherein the adversarial image includes a first patch and the second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item,
      the control method further comprises:
      initializing the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and
      initializing the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first distribution.
  9.   The control method according to claim 8,
      wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  10.   The control method according to any one of claims 6 to 9, further comprising:
      extracting features of the adversarial image and the second image using a feature extractor whose structure is a same as or substantially similar to a structure of a feature extractor of a classifier that is a target of an evaluation of risk to an adversarial attack using the adversarial image.
  11.   A non-transitory computer-readable storage medium storing a program that causes a computer to execute:
      acquiring a first face image and a second face image, the first face image being an image data in which a face of a first person is captured, the second face image being an image data in which a face of a second person is captured;
      adding an adversarial patch to the first image to generate an adversarial image, the adversarial patch including an image data that illustrates a wearable item; and
      repeatedly performing an update of the adversarial image, the update of the adversarial image including:
        computing a similarity loss that indicates difference between features of the adversarial image and features of the second face image;
        computing a smoothness loss in which difference between adjacent pixels in the adversarial patch is computed for pixels having intensity larger than an intensity threshold; and
        updating pixels in the adversarial patch based on the similarity loss and the smoothness loss.
  12.   The storage medium according to claim 11,
      wherein the program causes the computer to further execute:
      initializing the adversarial patch by sampling pixel values from a first probability distribution for each pixel of the adversarial patch, the first probability distribution giving probability less than or equal to a first probability threshold for pixel values whose intensity is larger than the intensity threshold.
  13.   The storage medium according to claim 12,
      wherein the adversarial image includes a first patch and the second patch, the first patch being an image data that illustrates a wearable item, the second patch being an image data that does not illustrate a wearable item,
      the program causes the computer to further execute:
      initializing the first patch by sampling pixel values from the first probability distribution for each pixel of the first patch; and
      initializing the second patch by sampling pixel values from a second probability distribution for each pixel of the second patch, the second probability distribution being different from the first distribution.
  14.   The storage medium according to claim 13,
      wherein intensity of pixels of the second patch is lower than intensity of pixels of the first patch.
  15.   The storage medium according to any one of claims 11 to 14,
      wherein the program causes the computer to further execute:
      extracting features of the adversarial image and the second image using a feature extractor whose structure is a same as or substantially similar to a structure of a feature extractor of a classifier that is a target of an evaluation of risk to an adversarial attack using the adversarial image.
PCT/JP2021/026667 2021-07-15 2021-07-15 Adversarial image generation apparatus, control method, and computer-readable storage medium WO2023286251A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2021/026667 WO2023286251A1 (en) 2021-07-15 2021-07-15 Adversarial image generation apparatus, control method, and computer-readable storage medium
JP2023579862A JP2024523607A (en) 2021-07-15 2021-07-15 Adversarial image generation device, control method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/026667 WO2023286251A1 (en) 2021-07-15 2021-07-15 Adversarial image generation apparatus, control method, and computer-readable storage medium

Publications (1)

Publication Number Publication Date
WO2023286251A1 true WO2023286251A1 (en) 2023-01-19

Family

ID=84918800

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/026667 WO2023286251A1 (en) 2021-07-15 2021-07-15 Adversarial image generation apparatus, control method, and computer-readable storage medium

Country Status (2)

Country Link
JP (1) JP2024523607A (en)
WO (1) WO2023286251A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019197311A (en) * 2018-05-08 2019-11-14 コニカミノルタ株式会社 Learning method, learning program, and learning device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MAHMOOD SHARIF; SRUTI BHAGAVATULA; LUJO BAUER; MICHAEL K. REITER: "Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition", Computer and Communications Security (CCS), ACM, New York, NY, USA, 24-28 October 2016, pages 1528-1540, XP058280134, ISBN: 978-1-4503-4139-4, DOI: 10.1145/2976749.2978392 *

Also Published As

Publication number Publication date
JP2024523607A (en) 2024-06-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21950189

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2023579862

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21950189

Country of ref document: EP

Kind code of ref document: A1