Abstract
Modern biometric systems establish their decision based on the outcome of machine learning (ML) classifiers trained to make accurate predictions. Such classifiers are vulnerable to diverse adversarial attacks, altering the classifiers’ predictions by adding a crafted perturbation. According to ML literature, those attacks are transferable among models that perform the same task. However, models performing different tasks, but sharing the same input space and the same model architecture, were never included in transferability scenarios. In this paper, we analyze this phenomenon for the special case of VGG16-based biometric classifiers. Concretely, we study the effect of the white-box FGSM attack, on a gender classifier and compare several defense methods as countermeasures. Then, in a black-box manner, we attack a pre-trained face recognition classifier using adversarial images generated by the FGSM. Our experiments show that this attack is transferable from a gender classifier to a face recognition classifier where both were independently trained.
Original language | English |
---|---|
Title of host publication | 2021 International Conference of the Biometrics Special Interest Group (BIOSIG) |
Place of Publication | Piscataway, NJ |
Publisher | IEEE |
ISBN (Electronic) | 978-1-6654-2693-0 |
ISBN (Print) | 978-1-6654-2694-7 |
DOIs | |
Publication status | Published - 27 Sept 2021 |
Event | 20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021 - Darmstadt (Virtual), Germany Duration: 15 Sept 2021 → 17 Sept 2021 Conference number: 20 |
Publication series
Name | International Conference of the Biometrics Special Interest Group (BIOSIG) |
---|---|
Publisher | IEEE |
Volume | 2021 |
ISSN (Electronic) | 1617-5468 |
Conference
Conference | 20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021 |
---|---|
Abbreviated title | BIOSIG 2021 |
Country/Territory | Germany |
City | Darmstadt (Virtual) |
Period | 15/09/21 → 17/09/21 |
Keywords
- 2023 OA procedure