Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].

Text to Stealthy Adversarial Face Masks

Authors: Ben Lewis, Thomas Moyse, James Parkinson, Elizabeth Telford, Callum Whitfield, Ranko Lazic

TMLR 2025

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | Specifically our approach is capable of producing high-fidelity printable textures using the guidance of textual prompts to determine the style. This method can also be adapted for impersonation purposes, where the system misidentifies the attacker as a specific other individual. Finally, we address a gap in the existing literature by presenting a comprehensive benchmark (FAAB) for evaluating adversarial accessories in three dimensions, assessing their robustness and stealthiness. |
| Researcher Affiliation | Academia | Ben Lewis, Department of Computer Science, University of Warwick; Thomas Moyse, Department of Computer Science, University of Warwick; James Parkinson, Department of Computer Science, University of Warwick; Elizabeth Telford, Department of Computer Science, University of Warwick; Callum Whitfield, Department of Computer Science, University of Warwick; Ranko Lazić, Department of Computer Science, University of Warwick |
| Pseudocode | Yes | Algorithm 1: Diffusion Attack on Facial Recognition (DAFR). Input: set of attacker pictures (H), text prompt (c), dodging sign (d), anchor embedding ($e_a$), adversarial limit (l), iterations of the adversarial loop (k), adversarial guidance weight (s), facial recognition backbone (E), generation timesteps (T). $x_T \sim \mathcal{N}(0, I)$; for t from T to 1 do |
| Open Source Code | Yes | The supplementary material contains all the code to run the work, including Python code for all the attacks, benchmark and other utilities (such as threshold selection etc.). Instructions have been provided to help run the code. |
| Open Datasets | Yes | Datasets: We use two different datasets: PubFig (Kumar et al., 2009), which includes faces of a variety of celebrities, and is where the identities for the dodging benchmark come from, and VGGFACE2-HQ (Chen et al., 2024), which contains GAN upscaled images of the VGGFACE2 dataset (Cao et al., 2018). ... The pretraining was performed on the MS1MV3 dataset (Deng et al., 2019b). |
| Dataset Splits | Yes | Datasets: We use two different datasets: PubFig (Kumar et al., 2009), which includes faces of a variety of celebrities, and is where the identities for the dodging benchmark come from, and VGGFACE2-HQ (Chen et al., 2024), which contains GAN upscaled images of the VGGFACE2 dataset (Cao et al., 2018). We randomly choose 100 identities from VGGFACE2-HQ to form part of the finetuned classes and another 900 to be used as part of the threshold selection process. ... Each mask is generated using 25 images of the identity and then tested on 10 other images of that same person. |
| Hardware Specification | Yes | All the work for this project was performed on a single NVIDIA A5000 GPU. |
| Software Dependencies | No | The paper mentions several tools and models like "Stable Diffusion's v2-1", "MTCNN", "FFHQ", and "Adam optimizer", but it does not provide specific version numbers for general software dependencies such as Python, PyTorch, or CUDA libraries. |
| Experiment Setup | Yes | Table 2: Names and hyperparameter values of different hyperparameter sets for each attack, with DAFR using notation from algorithm 1. TV Weight: AdvMask-a 0.05, AdvMask-b 0.35. Adv. Weight: SASMask-a 25, SASMask-b 50, SASMask-c 600, SASMask-d 950, SASMask-e 2000. (l, s, k): DAFR-a (0.8, 7, 5), DAFR-b (0.8, 7, 10), DAFR-c (0.8, 10, 12), DAFR-d (0.8, 2, 1). We note that for each DAFR attack, we use 200 DDIM sampling steps. |