Research On Adversarial Attack For Face Attribute Recognition Based On Generative Adversarial Networks

With the popularity of the Internet and the maturity of facial recognition and analysis system,people's life has become more intelligent,but on the other hand,the problem of network privacy security has also been exposed.The photos uploaded by users to social media platform are used for feature recognition,expression analysis and other personal information extraction by many algorithms.The user's information is leaked without knowing,and even illegally exploited and used.With the frequent occurrence of personal information leakage incidents,the demand for user privacy protection is increasingly urgent.In order to better protect user privacy,this paper takes countermeasures against the face attribute recognition of user avatars,proposes an adversarial attack algorithm based on the generative adversarial networks,and applies this algorithm to the research field of face attribute recognition,including facial expression recognition and age recognition,so that it can successfully deceive the neural network model for misclassification,thereby preventing user information from being illegally collected and used without permission and authorization.The main content of this paper includes:First of all,in view of the current problems in some mainstream adversarial attack algorithms that need to understand the network parameters and gradient information of the target model,and are not suitable for the real world,an adversarial attack algorithm based on the generative adversarial networks is proposed.In the training process of the generator model,three loss functions are defined to constrain the model attack,example authenticity,and adversarial perturbation amplitude respectively,and a perturbation control strategy is defined to further control the perturbation amplitude of the generated adversarial examples to avoid distortion phenomenon.Experiments were performed on the MNIST data set with the FGSM adversarial attack algorithm.The experimental results show that the adversarial attack algorithm proposed in this paper can achieve attacks without knowing the network structure and parameters of the target model,and achieve an adversarial attack rate of 99%.Compared with the FGSM algorithm,it has increased by about 2%.Secondly,the proposed adversarial attack algorithm is applied to the research field of facial attribute recognition,combined with the task of two-class facial expression recognition,and successfully realized the attack of the facial expression recognition model.An experimental comparison with the Adv GAN attack algorithm was performed on the Celeb A dataset.The experimental results show that the attack rate of the adversarial attack algorithm proposed in this paper is 2.47% higher than that of the Adv GAN algorithm,and the perturbation degree of the adversarial example is reduced by 9.56%,which proves the perturbation control strategy proposed in this paper can help generate higher-quality adversarial examples.Finally,the combined application of the proposed adversarial attack algorithm and the field of face attribute recognition is further expanded,and it is applied to the field of multi-class face age recognition,and successfully achieves targeted and untargeted attacks on the face age recognition model.In the training process of the face age recognition model,a recognition faulttolerant mechanism is added,and the optimization strategy of label smoothing and model fusion is used to improve the success rate of model recognition.The experimental results show that the algorithm proposed in this paper successfully attacks the face age recognition model,reducing its recognition accuracy from 79.36% to 4.52%,which proves the effectiveness of the adversarial attack algorithm proposed in this paper in continuous attribute multi-classification tasks.This paper applies the proposed adversarial attack algorithm to the field of face attribute recognition,and provides a method for user privacy protection from a new perspective.The experimental results prove the effectiveness of the algorithm and its feasibility in the field of user privacy protection.