Design and Interpretation of Universal Adversarial Patches in Face Detection
This work addresses security vulnerabilities in face detection systems, which is critical for applications like surveillance and authentication, but it is incremental as it builds on existing adversarial patch research.
The paper tackles the problem of designing universal adversarial patches that can reliably prevent state-of-the-art face detectors from detecting real faces, showing that such patches often appear face-like and achieve high success rates in deceiving detectors across various metrics and scenarios.
We consider universal adversarial patches for faces -- small visual elements whose addition to a face image reliably destroys the performance of face detectors. Unlike previous work that mostly focused on the algorithmic design of adversarial examples in terms of improving the success rate as an attacker, in this work we show an interpretation of such patches that can prevent the state-of-the-art face detectors from detecting the real faces. We investigate a phenomenon: patches designed to suppress real face detection appear face-like. This phenomenon holds generally across different initialization, locations, scales of patches, backbones, and state-of-the-art face detection frameworks. We propose new optimization-based approaches to automatic design of universal adversarial patches for varying goals of the attack, including scenarios in which true positives are suppressed without introducing false positives. Our proposed algorithms perform well on real-world datasets, deceiving state-of-the-art face detectors in terms of multiple precision/recall metrics and transferability.