Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition

Zohra Rezgui; Amina Bassit

doi:10.1109/BIOSIG52210.2021.9548308

Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition

Zohra Rezgui, Amina Bassit

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

3 Citations (Scopus)

179 Downloads (Pure)

Abstract

Modern biometric systems establish their decision based on the outcome of machine learning (ML) classifiers trained to make accurate predictions. Such classifiers are vulnerable to diverse adversarial attacks, altering the classifiers’ predictions by adding a crafted perturbation. According to ML literature, those attacks are transferable among models that perform the same task. However, models performing different tasks, but sharing the same input space and the same model architecture, were never included in transferability scenarios. In this paper, we analyze this phenomenon for the special case of VGG16-based biometric classifiers. Concretely, we study the effect of the white-box FGSM attack, on a gender classifier and compare several defense methods as countermeasures. Then, in a black-box manner, we attack a pre-trained face recognition classifier using adversarial images generated by the FGSM. Our experiments show that this attack is transferable from a gender classifier to a face recognition classifier where both were independently trained.

Original language	English
Title of host publication	2021 International Conference of the Biometrics Special Interest Group (BIOSIG)
Place of Publication	Piscataway, NJ
Publisher	IEEE
ISBN (Electronic)	978-1-6654-2693-0
ISBN (Print)	978-1-6654-2694-7
DOIs	https://doi.org/10.1109/BIOSIG52210.2021.9548308
Publication status	Published - 27 Sept 2021
Event	20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021 - Darmstadt (Virtual), Germany Duration: 15 Sept 2021 → 17 Sept 2021 Conference number: 20

Publication series

Name	International Conference of the Biometrics Special Interest Group (BIOSIG)
Publisher	IEEE
Volume	2021
ISSN (Electronic)	1617-5468

Conference

Conference	20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021
Abbreviated title	BIOSIG 2021
Country/Territory	Germany
City	Darmstadt (Virtual)
Period	15/09/21 → 17/09/21

Keywords

2023 OA procedure

Access to Document

10.1109/BIOSIG52210.2021.9548308

ArticleFinal published version, 2.44 MBLicence: Taverne

Cite this

@inproceedings{3aa5bdb1205d4f5b81f71154ca2adaa0,

title = "Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition",

abstract = "Modern biometric systems establish their decision based on the outcome of machine learning (ML) classifiers trained to make accurate predictions. Such classifiers are vulnerable to diverse adversarial attacks, altering the classifiers{\textquoteright} predictions by adding a crafted perturbation. According to ML literature, those attacks are transferable among models that perform the same task. However, models performing different tasks, but sharing the same input space and the same model architecture, were never included in transferability scenarios. In this paper, we analyze this phenomenon for the special case of VGG16-based biometric classifiers. Concretely, we study the effect of the white-box FGSM attack, on a gender classifier and compare several defense methods as countermeasures. Then, in a black-box manner, we attack a pre-trained face recognition classifier using adversarial images generated by the FGSM. Our experiments show that this attack is transferable from a gender classifier to a face recognition classifier where both were independently trained.",

keywords = "2023 OA procedure",

author = "Zohra Rezgui and Amina Bassit",

year = "2021",

month = sep,

day = "27",

doi = "10.1109/BIOSIG52210.2021.9548308",

language = "English",

isbn = "978-1-6654-2694-7",

series = "International Conference of the Biometrics Special Interest Group (BIOSIG)",

publisher = "IEEE",

booktitle = "2021 International Conference of the Biometrics Special Interest Group (BIOSIG)",

address = "United States",

note = "20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021, BIOSIG 2021 ; Conference date: 15-09-2021 Through 17-09-2021",

}

Rezgui, Z & Bassit, A 2021, Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition. in 2021 International Conference of the Biometrics Special Interest Group (BIOSIG). International Conference of the Biometrics Special Interest Group (BIOSIG), vol. 2021, IEEE, Piscataway, NJ, 20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021, Darmstadt (Virtual), Germany, 15/09/21. https://doi.org/10.1109/BIOSIG52210.2021.9548308

Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition. / Rezgui, Zohra; Bassit, Amina.
2021 International Conference of the Biometrics Special Interest Group (BIOSIG). Piscataway, NJ: IEEE, 2021. (International Conference of the Biometrics Special Interest Group (BIOSIG); Vol. 2021).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition

AU - Rezgui, Zohra

AU - Bassit, Amina

N1 - Conference code: 20

PY - 2021/9/27

Y1 - 2021/9/27

N2 - Modern biometric systems establish their decision based on the outcome of machine learning (ML) classifiers trained to make accurate predictions. Such classifiers are vulnerable to diverse adversarial attacks, altering the classifiers’ predictions by adding a crafted perturbation. According to ML literature, those attacks are transferable among models that perform the same task. However, models performing different tasks, but sharing the same input space and the same model architecture, were never included in transferability scenarios. In this paper, we analyze this phenomenon for the special case of VGG16-based biometric classifiers. Concretely, we study the effect of the white-box FGSM attack, on a gender classifier and compare several defense methods as countermeasures. Then, in a black-box manner, we attack a pre-trained face recognition classifier using adversarial images generated by the FGSM. Our experiments show that this attack is transferable from a gender classifier to a face recognition classifier where both were independently trained.

AB - Modern biometric systems establish their decision based on the outcome of machine learning (ML) classifiers trained to make accurate predictions. Such classifiers are vulnerable to diverse adversarial attacks, altering the classifiers’ predictions by adding a crafted perturbation. According to ML literature, those attacks are transferable among models that perform the same task. However, models performing different tasks, but sharing the same input space and the same model architecture, were never included in transferability scenarios. In this paper, we analyze this phenomenon for the special case of VGG16-based biometric classifiers. Concretely, we study the effect of the white-box FGSM attack, on a gender classifier and compare several defense methods as countermeasures. Then, in a black-box manner, we attack a pre-trained face recognition classifier using adversarial images generated by the FGSM. Our experiments show that this attack is transferable from a gender classifier to a face recognition classifier where both were independently trained.

KW - 2023 OA procedure

U2 - 10.1109/BIOSIG52210.2021.9548308

DO - 10.1109/BIOSIG52210.2021.9548308

M3 - Conference contribution

SN - 978-1-6654-2694-7

T3 - International Conference of the Biometrics Special Interest Group (BIOSIG)

BT - 2021 International Conference of the Biometrics Special Interest Group (BIOSIG)

PB - IEEE

CY - Piscataway, NJ

T2 - 20th International Conference of the Biometrics Special Interest Group, BIOSIG 2021

Y2 - 15 September 2021 through 17 September 2021

ER -

Transferability Analysis of an Adversarial Attack on Gender Classification to Face Recognition

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this