Fast black box attack of face recognition system based on metaheuristic simulated annealing

Abstract

Deep neural networks (DNNs), which have high accuracy prediction and stable network performance, have been widely deployed in various fields. However, the adversarial example, a sample of input data which has been modified very slightly in a way, may easily cause a DNN to maximize loss. Instead of white box attack being able to obtain gradient information, most DNN based systems in actual use can only be attacked by multiple queries. In this paper, we regard face recognition (FR) system as target, and propose a new method named SA-Attack to generate adversarial samples which cannot be distinguished by human within very limited queries. Experiments show that SA-Attack can successfully attack advanced face recognition models, including public and commercial solutions, which proves the practicability of our method.