Adversarial Attack on Fake-Faces Detectors Under White and Black Box Scenarios

2021 IEEE International Conference on Image Processing (ICIP) Pub Date : 2021-09-19 DOI:10.1109/ICIP42928.2021.9506273

Xiying Wang, R. Ni, Wenjie Li, Yao Zhao

{"title":"Adversarial Attack on Fake-Faces Detectors Under White and Black Box Scenarios","authors":"Xiying Wang, R. Ni, Wenjie Li, Yao Zhao","doi":"10.1109/ICIP42928.2021.9506273","DOIUrl":null,"url":null,"abstract":"Generative Adversarial Network (GAN) models have been widely used in various fields. More recently, styleGAN and styleGAN2 have been developed to synthesize faces that are indistinguishable to the human eyes, which could pose a threat to public security. But latest work has shown that it is possible to identify fakes using powerful CNN networks as classifiers. However, the reliability of these techniques is unknown. Therefore, in this paper we focus on the generation of content-preserving images from fake faces to spoof classifiers. Two GAN-based frameworks are proposed to achieve the goal in the white-box and black-box. For the white-box, a network without up/down sampling is proposed to generate face images to confuse the classifier. In the black-box scenario (where the classifier is unknown), real data is introduced as a guidance for GAN structure to make it adversarial, and a Real Extractor as an auxiliary network to constrain the feature distance between the generated images and the real data to enhance the adversarial capability. Experimental results show that the proposed method effectively reduces the detection accuracy of forensic models with good transferability.","PeriodicalId":314429,"journal":{"name":"2021 IEEE International Conference on Image Processing (ICIP)","volume":"30 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE International Conference on Image Processing (ICIP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICIP42928.2021.9506273","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Generative Adversarial Network (GAN) models have been widely used in various fields. More recently, styleGAN and styleGAN2 have been developed to synthesize faces that are indistinguishable to the human eyes, which could pose a threat to public security. But latest work has shown that it is possible to identify fakes using powerful CNN networks as classifiers. However, the reliability of these techniques is unknown. Therefore, in this paper we focus on the generation of content-preserving images from fake faces to spoof classifiers. Two GAN-based frameworks are proposed to achieve the goal in the white-box and black-box. For the white-box, a network without up/down sampling is proposed to generate face images to confuse the classifier. In the black-box scenario (where the classifier is unknown), real data is introduced as a guidance for GAN structure to make it adversarial, and a Real Extractor as an auxiliary network to constrain the feature distance between the generated images and the real data to enhance the adversarial capability. Experimental results show that the proposed method effectively reduces the detection accuracy of forensic models with good transferability.

查看原文本刊更多论文

白盒和黑盒场景下假脸检测器的对抗性攻击

生成对抗网络(GAN)模型已广泛应用于各个领域。最近，styleGAN和styleGAN2已经被开发出来，可以合成人眼无法分辨的人脸，这可能会对公共安全构成威胁。但最新的研究表明，使用强大的CNN网络作为分类器来识别假货是可能的。然而，这些技术的可靠性是未知的。因此，在本文中，我们专注于从假人脸到欺骗分类器的内容保留图像的生成。提出了两种基于gan的框架来实现白盒和黑盒的目标。对于白盒，提出了一个没有上下采样的网络来生成人脸图像，以混淆分类器。在黑箱场景(分类器未知)中，引入真实数据作为GAN结构的指导，使其具有对抗性，并引入real Extractor作为辅助网络，约束生成图像与真实数据之间的特征距离，以增强对抗能力。实验结果表明，该方法有效地降低了具有良好可移植性的法医模型的检测精度。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 IEEE International Conference on Image Processing (ICIP)

自引率

0.00%

发文量