Abstract
Deep learning-based face recognition models are vulnerable to adversarial attacks. Unlike ordinary noise, imperceptible adversarial noise can cause catastrophic errors in deep face recognition models. The primary difference between adversarial noise and ordinary noise is its specificity: adversarial attack methods produce noise tailored to the characteristics of the individual input image and of the recognition model under attack. Different samples and different recognition models therefore give rise to different adversarial noise patterns, which makes adversarial defense difficult. The problem is harder still in face recognition, because face recognition is inherently an open-set task. Addressing it requires customized processing for each individual input sample. Inspired by the biological immune system, which can identify and respond to a wide variety of threats, this paper builds an artificial immune system that provides adversarial defense for face recognition. The proposed defense model uses the principles of antibody cloning, mutation, selection, and memory to generate a distinct “antibody” for each input sample, where an “antibody” denotes a specialized way of removing noise. In addition, we introduce a self-supervised adversarial training mechanism that acts as a simulated rehearsal of immune-system invasions. Extensive experiments show that the proposed method is effective and surpasses state-of-the-art adversarial defense methods. The source code is available at https://github.com/RenMin1991/SIDE
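The security point in the abstract is that adversarial noise is specific to both the input image and the recognition model, which is what rules out one fixed denoiser for every input and motivates a per-sample “antibody”. The block below is an added illustration of that specificity; it is not the paper's SIDE code nor anything from its repository. In place of a real face recognizer it uses a constructed toy verifier (a random two-layer ReLU embedding network scored by cosine similarity against an enrolled template; all names, dimensions and sample data are assumptions), and in place of the attacks evaluated in the paper it uses a single-step gradient-sign (FGSM) dodging attack. It crafts a perturbation for one sample under one model, moves that same perturbation to a second model and to a second sample, and reports both the first-order (linearized) score drop and the actual score drop in each case.

```python
"""Why adversarial noise is sample- and model-specific (added example).

Not code from the SIDE paper or its repository. The verifier, the samples and
the enrolled templates are constructed at random; FGSM stands in for the
stronger attacks the paper evaluates.
"""
import numpy as np

DIM_IN, DIM_HID, DIM_EMB = 64, 32, 16   # assumed toy sizes, not a real face model


def make_verifier(seed):
    """Toy recognizer x -> normalize(W2 @ relu(W1 @ x)); two seeds = two models."""
    rng = np.random.default_rng(seed)
    w1 = rng.standard_normal((DIM_HID, DIM_IN)) / np.sqrt(DIM_IN)
    w2 = rng.standard_normal((DIM_EMB, DIM_HID)) / np.sqrt(DIM_HID)
    return w1, w2


def embed(model, x):
    w1, w2 = model
    f = w2 @ np.maximum(w1 @ x, 0.0)
    return f / np.linalg.norm(f)


def score(model, x, template):
    """Verification score: cosine similarity to a unit-length enrolled template."""
    return float(embed(model, x) @ template)


def score_gradient(model, x, template):
    """d score / d x, backpropagated by hand through normalize, W2, ReLU, W1."""
    w1, w2 = model
    pre = w1 @ x
    f = w2 @ np.maximum(pre, 0.0)
    nf = np.linalg.norm(f)
    e = f / nf
    s = e @ template
    d_f = (template - s * e) / nf      # cosine through the L2 normalization
    d_pre = (w2.T @ d_f) * (pre > 0)   # ReLU mask: this is what ties the gradient to x
    return w1.T @ d_pre


def fgsm_dodge(model, x, template, eps):
    """Tailored L_inf perturbation that lowers the genuine-match score as much
    as one linear step allows: delta = -eps * sign(grad)."""
    return -eps * np.sign(score_gradient(model, x, template))


def first_order_drop(model, x, template, delta):
    """Linearized score decrease -grad . delta. For the tailored delta this is
    eps * ||grad||_1, the maximum attainable over the L_inf ball."""
    return float(-score_gradient(model, x, template) @ delta)


def specificity_report(eps=0.03, seed=0):
    """Perturb (x1, model A), then reuse the perturbation on model B and on x2."""
    rng = np.random.default_rng(seed)
    model_a, model_b = make_verifier(1), make_verifier(2)
    # Constructed data: two identities and a second, noisier capture of each for enrollment.
    x1, x2 = rng.standard_normal(DIM_IN), rng.standard_normal(DIM_IN)
    enroll1 = x1 + 0.3 * rng.standard_normal(DIM_IN)
    enroll2 = x2 + 0.3 * rng.standard_normal(DIM_IN)
    t_a1, t_b1, t_a2 = embed(model_a, enroll1), embed(model_b, enroll1), embed(model_a, enroll2)

    delta = fgsm_dodge(model_a, x1, t_a1, eps)          # tailored to (x1, model A)
    g_a1 = score_gradient(model_a, x1, t_a1)
    return {
        "clean_score_a_x1": score(model_a, x1, t_a1),
        "actual_drop_tailored": score(model_a, x1, t_a1) - score(model_a, x1 + delta, t_a1),
        "actual_drop_moved_to_model_b": score(model_b, x1, t_b1) - score(model_b, x1 + delta, t_b1),
        "actual_drop_moved_to_x2": score(model_a, x2, t_a2) - score(model_a, x2 + delta, t_a2),
        "fo_tailored_a_x1": first_order_drop(model_a, x1, t_a1, delta),
        "l1_bound_a_x1": eps * float(np.abs(g_a1).sum()),
        "fo_moved_to_model_b": first_order_drop(model_b, x1, t_b1, delta),
        "fo_tailored_b_x1": first_order_drop(model_b, x1, t_b1, fgsm_dodge(model_b, x1, t_b1, eps)),
        "fo_moved_to_x2": first_order_drop(model_a, x2, t_a2, delta),
        "fo_tailored_a_x2": first_order_drop(model_a, x2, t_a2, fgsm_dodge(model_a, x2, t_a2, eps)),
    }


if __name__ == "__main__":
    for key, value in specificity_report().items():
        print(f"{key:30s} {value:+.4f}")
```

The first-order comparison is exact rather than empirical: minus the sign of the gradient maximizes the linear term over the L_inf ball, so a perturbation moved to another model or another sample can never beat the one tailored to it at first order. The actual drops depend on the ReLU masks and on the curvature of the cosine score, and with a real recognizer they are what a defender measures; the point to take from the numbers is that the noise that has to be removed changes with the input, so the removal step has to be chosen per input, which is the role the paper assigns to its per-sample antibody.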
Data Availability
The data that support the findings of this study are available in Large-scale CelebFaces Attributes (CelebA) Dataset: https://mmlab.ie.cuhk.edu.hk/projects/CelebA.html, Labeled Faces in the Wild: http://vis-www.cs.umass.edu/lfw/, and MegaFace Dataset: http://megaface.cs.washington.edu/dataset/download.html.
Acknowledgements
The authors would like to thank the associate editor and the reviewers for their valuable comments and advice.
Funding
This work is jointly supported by the National Key Research and Development Program of China (2022YFC3310400), the China Postdoctoral Science Foundation (BX20230044, 2023M730290), the National Natural Science Foundation of China (62276025, U23B2054, 62276263), and the Shenzhen Technology Plan Program (KQTD20170331093217368).
Additional information
Communicated by Sergio Escalera.
About this article
Cite this article
Ren, M., Wang, Y., Zhu, Y. et al. Artificial Immune System of Secure Face Recognition Against Adversarial Attacks. Int J Comput Vis (2024). https://doi.org/10.1007/s11263-024-02153-0