
Black-Box Adversarial Attack on Public Face Recognition Systems

Geekpwn CAAD (Competition on Adversarial Attacks and Defenses) 2018 is a competition that inherits the format of NIPS CAAD 2017, plus some new challenges. In October 2018, Cihang Xie and I were invited to Geekpwn CAAD CTF, a live competition with different types of adversarial attacks and defenses.

This CAAD CTF features a new challenge that asks teams to attack an unknown face recognition system. During the 30-minute phase 1 competition, we were given an image of the competition moderator Chang-Jian Jiang. We needed to make small modifications to the image in order to fool the face recognition system into recognizing it as Arnold Schwarzenegger. After the competition, we learned that the system we attacked was the AWS Celebrity Recognition API.

This repo contains code and several results of such attacks.

Some Results

During the competition, we successfully attacked AWS to recognize Chang-Jian Jiang as Schwarzenegger:

AWS-JCJ

The following one is slightly harder (lower success rate with varying random seeds), probably because (1) both source and target are American celebrities and (2) they are of different genders.

AWS-Trump

Apparently, Azure Vision API and Clarifai Celebrity Recognition can be fooled as well:

Azure-Trump

Clarifai-JCJ

Original and adversarial versions of the above images can be found at images/. You can download them and try them on the public APIs.

Preparation to Use the Code

  1. Install TensorFlow ≥ 1.7 and < 2, OpenCV, tqdm, scikit-learn

  2. Follow steps 1-4 in the facenet wiki to set up facenet

  3. Clone this repo and uncompress the pre-trained model inside:

git clone https://github.com/ppwwyyxx/Adversarial-Face-Attack
cd Adversarial-Face-Attack
wget https://github.com/ppwwyyxx/Adversarial-Face-Attack/releases/download/v0.1/model-20180402-114759.tar.bz2
tar xjvf model-20180402-114759.tar.bz2

You can also download the model from facenet.

  4. Validate the model and the dataset:
./face_attack.py --data /path/to/lfw_mtcnnpy_160 --validate-lfw
# /path/to/lfw_mtcnnpy_160 is obtained above in step #4 in facenet wiki.

It should print a high accuracy on LFW, like:

Accuracy: 0.99517+-0.00361
Validation rate: 0.97467+-0.01454 @ FAR=0.00067
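
The two figures above are verification metrics computed over pairs of face images. As an added example (not code from this repo or from facenet), the following single-split simplification shows how they are derived, assuming each pair is scored by an embedding distance where smaller means more similar; the distances are constructed sample values and the function names are hypothetical.

```python
# Added example: "Accuracy" and "Validation rate @ FAR" on one split.
# SAME / DIFF are constructed distances, not LFW measurements.
SAME = [0.21, 0.35, 0.40, 0.48, 0.55, 0.62, 0.70, 0.81, 0.95, 1.30]  # same person
DIFF = [0.66, 0.98, 1.05, 1.12, 1.20, 1.28, 1.33, 1.41, 1.47, 1.55]  # different people


def rate_below(distances, threshold):
    """Fraction of pairs accepted as 'same person' (distance < threshold)."""
    return sum(d < threshold for d in distances) / len(distances)


def val_at_far(same, diff, far_target):
    """Loosest threshold whose false accept rate (FAR) stays within
    far_target; returns (threshold, validation rate, achieved FAR)."""
    if far_target < 0:
        raise ValueError("far_target must be >= 0")
    best = None
    for t in sorted(set(same) | set(diff)):
        # FAR only grows with the threshold, so the last hit is the loosest.
        if rate_below(diff, t) <= far_target:
            best = t
    return best, rate_below(same, best), rate_below(diff, best)


def best_accuracy(same, diff):
    """Highest fraction of correctly classified pairs over all thresholds."""
    def accuracy(t):
        true_accepts = sum(d < t for d in same)
        true_rejects = sum(d >= t for d in diff)
        return (true_accepts + true_rejects) / (len(same) + len(diff))
    t = max(sorted(set(same) | set(diff)), key=accuracy)
    return accuracy(t), t


if __name__ == "__main__":
    acc, t_acc = best_accuracy(SAME, DIFF)
    print(f"Accuracy: {acc:.3f} at threshold {t_acc}")
    for target in (0.1, 0.0):
        t, val, far = val_at_far(SAME, DIFF, target)
        print(f"Validation rate: {val:.3f} @ FAR={far:.3f} (threshold {t})")
```

A tighter FAR target forces a stricter threshold and a lower validation rate, which is the trade-off a verification deployment tunes.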

Run attack

./face_attack.py --data /path/to/lfw_mtcnnpy_160 \
	--attack images/clean-JCJ.png \
	--target Arnold_Schwarzenegger \
	--output JCJ-to-Schwarzenegger.png

--target has to be a person who has many images (the more the better) in the LFW dataset. Such a person can be found with:

find /path/to/lfw_mtcnnpy_160/ -type f -printf "%h\0" | \
    xargs -0 -L1 basename | sort | uniq -c | sort -k1 -n

You can add new celebrities as victims in the LFW directory, or add additional images for existing celebrities in LFW. After adding new images, you'll need to repeat step 4 in the facenet wiki to crop and align the images you add.

Note that the attack contains randomness: you will not get the same output every time.

Disclaimer

  1. This work is only for computer vision research. Please do not use it for illegal purposes.

  2. This work has no relationship with the authors' schools or employers.

  3. It turns out after a year, AWS is no longer vulnerable to my attack.
