
Research And Implementation Of Adversarial Attack And Defense Algorithms For Robust Face Recognition

Posted on: 2023-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Tian
GTID: 2558306914970689
Subject: Computer technology
Abstract/Summary:
Face recognition has become the most mature application of artificial intelligence and is now widely deployed in everyday life. However, with the emergence of adversarial attacks in recent years, the vulnerability of neural networks has received extensive attention. Adversarial face samples apply small changes to a face image to deceive the AI system into making wrong decisions and defeat the face authentication system, which can cause great loss to society. Improving the defense ability of face recognition systems against adversarial samples has therefore become a research hotspot. This thesis aims to analyze the vulnerability of face recognition systems through research on adversarial attacks, in order to design targeted defense methods and improve the defense ability of face recognition systems against adversarial samples.

At present, work on face-based adversarial attack and defense mostly studies one of the two tasks and rarely combines them. Furthermore, most adversarial attack research targets only a single kind of model, so it is difficult to tell whether an attack method applies to a variety of different neural network models, which makes the results less convincing.

This thesis approaches the problem from the perspective of the digital world. First, building on the basic I-FGSM attack algorithm, it proposes a momentum I-FGSM algorithm based on Face-Feature, which adds the idea of momentum to optimize the attack model. Then, based on the denoising model of the classic auto-encoder, it designs a denoising defense algorithm based on face feature fusion, which fuses the face feature layer information. In addition, the thesis designs a physical attack algorithm that generates adversarial sample stickers to test how face models hold up against physical attacks. Finally, a web-based attack system is implemented on top of the proposed algorithm to better show the process and effect of the attack.

This thesis trains six different attacked face recognition models based on the cross-combination of five different backbone networks and three different loss functions, in order to test the effects of attack and defense under various model structures. Testing is carried out on the LFW, IJB-C and Megaface test sets. The proposed digital attack algorithm achieves a success rate of more than 95.46% on the above six attacked models. After the defense module is added, the recognition accuracy of the face model on adversarial samples is restored to more than 95.16%. The two kinds of stickers generated by the physical attack model are also used for wearing attacks in real scenes. The experiment shows that the cosine similarity after wearing the stickers is reduced by 0.5238 on average, which is a significant effect.
Keywords/Search Tags:Face Recognition, Adversarial Attack and Defense, Adversarial Sample, I-FGSM, Physical Attack