This repo is the official implementation of "Manifold Projection for Adversarial Defense on Face Recognition" by Jianli Zhou, Chao Liang and Jun Chen.
Although deep convolutional neural network based face recognition systems have achieved remarkable success, they are susceptible to adversarial images: carefully constructed imperceptible perturbations can easily mislead deep neural networks. A recent study has shown that, in addition to regular off-manifold adversarial images, there are also adversarial images on the manifold. In this paper, we propose Adversarial Variational AutoEncoder (A-VAE), a novel framework to tackle both types of attacks. We hypothesize that both off-manifold and on-manifold attacks move the image away from the high-probability region of the image manifold. We use a variational autoencoder (VAE) to estimate the lower bound of the log-likelihood of an image and explore projecting the input images back into the high-probability regions of the image manifold. At inference time, our model synthesizes multiple similar realizations of a given image by random sampling; the nearest neighbor of the given image is then selected as the final input of the face recognition model. As a preprocessing operation, our method is attack-agnostic and can adapt to a wide range of resolutions. The experimental results on LFW demonstrate that our method achieves a state-of-the-art defense success rate against conventional off-manifold attacks such as FGSM, PGD, and C&W under both grey-box and white-box settings, and even against on-manifold attacks.
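The inference step described above (sample several reconstructions, keep the one nearest to the input) can be sketched as follows. This is an added example, not code from this repository: `project_to_manifold`, the toy linear encoder/decoder, the sample values and the choice of L2 distance as the nearest-neighbor metric are all assumptions made for illustration.

```python
import math
import random

def project_to_manifold(x, encode, decode, n_samples=16, rng=None):
    """Return (candidate, distance): the decoded sample nearest to x.

    encode(x) -> (mu, logvar) and decode(z) -> image stand in for a
    trained VAE; images and latents are flat lists of floats.
    """
    rng = rng or random.Random()
    mu, logvar = encode(x)
    best, best_dist = None, math.inf
    for _ in range(n_samples):
        # Reparameterised draw: z = mu + sigma * eps, eps ~ N(0, 1).
        z = [m + math.exp(0.5 * lv) * rng.gauss(0.0, 1.0)
             for m, lv in zip(mu, logvar)]
        candidate = decode(z)
        dist = math.dist(candidate, x)  # L2 in pixel space (assumed metric)
        if dist < best_dist:
            best, best_dist = candidate, dist
    return best, best_dist

# Constructed toy model (assumption): the "image manifold" is the line
# t * U in a 4-pixel space, so the latent code is the single scalar t.
U = [0.5, 0.5, 0.5, 0.5]
SIGMA = 0.05

def toy_encode(x):
    t = sum(xi * ui for xi, ui in zip(x, U))
    return [t], [2.0 * math.log(SIGMA)]

def toy_decode(z):
    return [z[0] * ui for ui in U]

def demo(n_samples=16, seed=0):
    clean = toy_decode([1.2])
    # Constructed off-manifold perturbation, orthogonal to U.
    delta = [0.05, -0.05, 0.05, -0.05]
    adversarial = [c + d for c, d in zip(clean, delta)]
    purified, dist = project_to_manifold(
        adversarial, toy_encode, toy_decode, n_samples, random.Random(seed))
    return clean, adversarial, purified, dist

if __name__ == "__main__":
    clean, adv, purified, _ = demo()
    print("adversarial -> clean:", math.dist(adv, clean))
    print("purified    -> clean:", math.dist(purified, clean))
```

In the toy model the selected candidate lies on the manifold again, so the off-manifold component of the perturbation is discarded before the image would reach the classifier.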
We have provided the CASIA-Webface dataset for model training on Baiduyun. Please unzip it and put it into the ./dataset/ folder.
You can train A-VAE on CASIA-Webface with default settings using the following commands:

    cd avae_train
    python main.py

Alternatively, you can use the pre-trained A-VAE model directly for testing; its number of model iterations is 144002.
We have provided the LFW dataset for model testing on Baiduyun. Please unzip it and put it into the ./dataset/ folder. A pre-trained ResNet-50 is used as the face classifier during testing.
You can modify the following lines to adjust what is tested: whether to use A-VAE, whether the attack is grey-box or white-box, and which attack method to use.

    avae_defense = False  # True or False: whether to use A-VAE
    white_box = False     # True or False: white-box (True) or grey-box (False) attack
    if not white_box:
        # grey-box: the attack is computed against the classifier `net` only
        # c&w attack
        inputs = cw_ut(net, inputs, targets, to_numpy=False)
        # fgsm/pgd attack
        # inputs = fgsm_face(net, inputs, targets, epsilon, alpha, iteration, t=True, random=True)
    else:
        # white-box: the attack also receives `g_running`
        inputs = fgsm_w(net, g_running, inputs, targets, epsilon, alpha, iteration, t=True)

Then you can test A-VAE on LFW using the following commands:

    cd avae_test
    python eval.py

If you find this repository useful, please consider giving ⭐ or citing:

    @inproceedings{zhou2020manifold,
      title={Manifold projection for adversarial defense on face recognition},
      author={Zhou, Jianli and Liang, Chao and Chen, Jun},
      booktitle={Computer Vision--ECCV 2020: 16th European Conference, Glasgow, UK, August 23--28, 2020, Proceedings, Part XXX 16},
      pages={288--305},
      year={2020},
      organization={Springer}
    }