Data Poisoning Won’t Save You From Facial Recognition
Authors: Evani Radiya-Dixit, Sanghyun Hong, Nicholas Carlini, Florian Tramèr
ICLR 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We evaluate two systems for poisoning attacks against large-scale facial recognition, Fawkes (500,000+ downloads) and LowKey. We demonstrate how an oblivious model trainer can simply wait for future developments in computer vision to nullify the protection of pictures collected in the past. We further show that an adversary with black-box access to the attack can (i) train a robust model that resists the perturbations of collected pictures and (ii) detect poisoned pictures uploaded online. |
| Researcher Affiliation | Collaboration | Evani Radiya-Dixit Stanford University Sanghyun Hong Oregon State University Nicholas Carlini Google Florian Tramèr Stanford University, Google |
| Pseudocode | Yes | We present a standard security game for training-only clean-label poisoning attacks in Figure 8a. We argue that this game fails to properly capture the threat model of our facial recognition scenario. Below, we introduce a dynamic version of the poisoning game, and show how a model trainer can use a retroactive defense strategy to win the game. |
| Open Source Code | Yes | Code to reproduce our experiments is available at: https://github.com/ftramer/FaceCure. |
| Open Datasets | Yes | The experiments in this section are performed with the FaceScrub dataset (Ng & Winkler, 2014), which contains over 50,000 images of 530 celebrities. We replicate our main results with a different dataset, PubFig (Kumar et al., 2009), in Appendix C.2. |
| Dataset Splits | No | The paper mentions a 'training set' and 'test set' with a 70%-30% split, but does not explicitly mention or detail a validation dataset split. |
| Hardware Specification | No | The paper does not provide specific details about the hardware used for running the experiments, such as GPU models, CPU specifications, or memory. |
| Software Dependencies | No | The paper mentions software tools and libraries used (e.g., the DeepFace library, the Fawkes tool, MagFace, CLIP), but it does not provide specific version numbers for these or other ancillary software dependencies such as programming languages or deep learning frameworks. |
| Experiment Setup | Yes | We fine-tune CLIP's pre-trained ViT-32 model on CASIA-WebFace and VGG-Face2 for 50 epochs using an open source implementation of CLIP training (Ilharco et al., 2021). ... we add a 265-class linear layer on top of the feature extractor, and fine-tune the entire model end-to-end for 500 steps with batch size 32. ... We fine-tune the model for 3 epochs using Adam with learning rate η = 5·10⁻⁵. |
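The quoted experiment setup (a 265-class linear layer on top of a ViT feature extractor, fine-tuned end-to-end with Adam at learning rate 5e-5 and batch size 32) can be sketched as a minimal PyTorch training loop. This is not the paper's implementation: a small stand-in network replaces CLIP's ViT-32 backbone so the sketch runs without model downloads, and the input size, feature dimension, and dummy data are illustrative assumptions.

```python
# Hedged sketch of the fine-tuning recipe described in the table above.
# Assumptions: a toy backbone stands in for CLIP's ViT-32 feature extractor;
# FEATURE_DIM matches ViT-B/32's 512-dim image embedding; data is random.
import torch
import torch.nn as nn

FEATURE_DIM = 512   # CLIP ViT-B/32 image-embedding width
NUM_CLASSES = 265   # per the paper's 265-class linear head
BATCH_SIZE = 32     # per the quoted setup
LR = 5e-5           # Adam learning rate eta = 5*10^-5

# Stand-in feature extractor (would be CLIP's ViT-32 in the real setup).
backbone = nn.Sequential(nn.Flatten(), nn.Linear(3 * 32 * 32, FEATURE_DIM), nn.ReLU())
head = nn.Linear(FEATURE_DIM, NUM_CLASSES)  # 265-class linear layer on top
model = nn.Sequential(backbone, head)

# Fine-tune the entire model end-to-end, as in the quoted setup.
optimizer = torch.optim.Adam(model.parameters(), lr=LR)
loss_fn = nn.CrossEntropyLoss()

images = torch.randn(BATCH_SIZE, 3, 32, 32)            # dummy image batch
labels = torch.randint(0, NUM_CLASSES, (BATCH_SIZE,))  # dummy identity labels

for step in range(3):  # a few illustrative steps (paper: 500 steps / 3 epochs)
    optimizer.zero_grad()
    logits = model(images)
    loss = loss_fn(logits, labels)
    loss.backward()
    optimizer.step()

print(logits.shape)  # torch.Size([32, 265])
```

The head outputs one logit per identity, so classification reduces to an argmax over the 265 classes; swapping the stand-in backbone for a real CLIP image encoder would reproduce the linear-probe-plus-fine-tuning structure the paper describes.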