Research On Adversarial Defense Methods Of Face Recognition

Posted on: 2022-01-01
Degree: Master
Type: Thesis
Country: China
Candidate: J L Zhou
Full Text: PDF
GTID: 2568306500950169
Subject: Pattern Recognition and Intelligent Systems
Abstract/Summary:
In recent years, with the rapid development of deep learning and convolutional neural networks (CNNs), the performance of face recognition has made breakthrough progress, and it has been widely used in a variety of authentication scenarios, such as financial payment and station entry. Although face recognition has made remarkable achievements in a variety of complex natural scenes, researchers have found that images with certain small perturbations added can easily deceive a CNN-based face recognition system; this kind of attack is generally called an adversarial attack. To deal with this threat, many researchers have proposed effective adversarial defense methods. However, current adversarial defense methods still have some shortcomings: their ability to generalize to different attack types is weak, and the recognition accuracy of the model on natural images and perturbed images is difficult to balance well. In response to these technical problems, this paper studies adversarial defense in face recognition scenarios. The main contents of this paper are as follows:

(1) Adversarial defense on face recognition by generative model

Regardless of their type, attack methods all reduce the probability of the image in the natural image domain. We propose an adversarial defense method based on a generative model, which generates multiple candidate reconstructed images by randomly sampling latent codes and selects the high-probability sample that is similar to the original image as the final input to the face recognition system. The proposed defense method adopts a strategy of destroying first and reconstructing later, in order to decouple removing perturbations from restoring identity information and to improve the quality of face images after preprocessing. In addition, the model does not need any specific adversarial attack agent in the training process, and it has good robustness to unknown types of attack methods.

(2) Adversarial defense on face recognition by simplified adversarial training

Research shows that adversarial training requires more network parameters than standard training, which leads to a poor balance between generalization and robustness. This paper proposes dividing the samples into three categories according to the difficulty of learning, with a specific training strategy for each category. We focus on the samples near the decision boundary to reduce the learning difficulty, and use the limited network capacity for the data space that has the greatest impact on performance. In addition, we employ a simplified attack proxy to enhance the generalization of the model across different face datasets.
Keywords/Search Tags: Convolutional Neural Network, Face Recognition, Adversarial Defense, Generative Adversarial Network, Adversarial Training