Research on White-Box Counter-Attack Method based on Convolution Neural Network Face Recognition


Shuya Tian and Xiangwei Lai, Southwest University, China


In recent years, deep neural network has been widely used in face recognition, in which the model of a convolution neural network for face recognition is mostly black box model. Because the model structure and related parameters cannot be obtained, the attack effect of the counter sample is poor. In order to better realize the attack effect of the black box attack, this paper uses the white box attack to realize the black box attack. Aiming at the convolution neural network face recognition model, this paper proposes an improved FGMS counterattack algorithm, which uses the cosine similarity between the clean sample and the antagonistic sample as the loss function. The threshold is set to 0.8 as the condition for the success of the attack. In order to avoid excessive changes in the image, the threshold super-parameters is set to limit the range and size of the disturbance fluctuation, so that the countermeasure samples are not easy to be detected and improve the visual quality. Countermeasure samples are detected by black box attack on the VGG16 model, and a good attack effect is obtained.


Face recognition, adversarial examples, White box attack.