Unravelling Robustness of Deep Learning Based Face Recognition Against Adversarial Attacks
Authors: Gaurav Goswami, Nalini Ratha, Akshay Agarwal, Richa Singh, Mayank Vatsa
AAAI 2018
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our experimental evaluation using multiple open-source DNN-based face recognition networks, including OpenFace and VGG-Face, and two publicly available databases (MEDS and PaSC) demonstrates that the performance of deep learning based face recognition algorithms can suffer greatly in the presence of such distortions. |
| Researcher Affiliation | Collaboration | Gaurav Goswami (1, 2), Nalini Ratha (3), Akshay Agarwal (1), Richa Singh (1), Mayank Vatsa (1). (1) IIIT-Delhi, India; (2) IBM IRL, Bangalore, India; (3) IBM TJ Watson Research Center, USA |
| Pseudocode | No | The paper does not contain any pseudocode or algorithm blocks. |
| Open Source Code | No | The paper mentions using 'OpenFace' which is an open source implementation, and refers to its GitHub link for information. However, the authors do not state that they are providing open-source code for their *own* described methodology. |
| Open Datasets | Yes | We use two publicly available face databases for our experiments, namely, the Point and Shoot Challenge (PaSC) database (Beveridge et al. 2013) and the Multiple Encounters Dataset (MEDS) (Founds et al. 2011). |
| Dataset Splits | Yes | The PaSC database contains still-to-still and video-to-video matching protocols. We use the frontal subset of the still-to-still protocol which contains 4,688 images pertaining to 293 individuals which are divided into equal size target and query sets. Each image in the target set is matched to each image in the query set and the resulting 2344 × 2344 score matrix is used to determine the verification performance. The MEDS-II database contains a total of 1,309 faces pertaining to 518 individuals. Similar to the case of PaSC, we utilize the metadata provided with the MEDS release 2 database to obtain a subset of 858 frontal face images from the database. Each of these images is matched to every other image and the resulting 858 × 858 score matrix is utilized to evaluate the verification performance. For evaluating performance under the effect of distortions, we randomly select 50% of the total images from each database and corrupt them with the proposed distortions separately. These distorted sets of images are utilized to compute the new score matrices for each case. |
| Hardware Specification | No | The paper does not explicitly describe the hardware used for experiments. |
| Software Dependencies | No | The paper mentions using 'DLIB library (King 2009)' for facial landmarks but does not specify a version number. It also mentions 'OpenFace (Amos et al.)' and 'VGG-Face (Parkhi, Vedaldi, and Zisserman 2015)' but not their specific versions or other software dependencies with versions. |
| Experiment Setup | Yes | For training the detection model, we use the remaining 10,000 frontal face images from the CMU Multi-PIE database as undistorted samples. We generate 10,000 distorted samples using all five distortions with 2,000 images per distortion that are also randomly selected from the CMU Multi-PIE database. We use the same training data for universal perturbations with 10,000 distorted and 10,000 undistorted samples. For DeepFool, we use a subset of 1,680 face images from the CMU Multi-PIE database with 5 images from each of the 336 subjects with both distorted and undistorted versions for training the detection algorithm. Since the VGG-Face network has 20 intermediate layers, we obtain a feature vector of size 20 distances for each image. We perform a grid search based parameter optimization using the 20,000 × 20 training matrix to optimize and learn the SVM model. For DeepFool, the size of the training data is 3,360 × 20. Once the model is learned, any given test image is characterized by the distance vector and processed by the SVM. The score given by the model for the image to belong to the distorted class is used as a distance metric. We determine the values of parameters η and κ via grid search optimization on the training data with verification performance as the criterion. |