AdvFaces: Adversarial Face Synthesis

Abstract

Face recognition systems have been shown to be vulnerable to adversarial faces resulting from adding small perturbations to probe images. Such adversarial images can lead state-of-the-art face matchers to falsely reject a genuine subject (obfuscation attack) or falsely match to an impostor (impersonation attack). Current approaches to crafting adversarial faces lack perceptual quality and take an unreasonable amount of time to generate them. We propose, AdvFaces, an automated adversarial face synthesis method that learns to generate minimal perturbations in the salient facial regions via Generative Adversarial Networks. Once AdvFaces is trained, a hacker can automatically generate imperceptible face perturbations that can evade four black-box state-of-the-art face matchers with attack success rates as high as 97.22% and 24.30% at 0.1 % False Accept Rate, for obfuscation and impersonation attacks, respectively.