Vulnerability of Appearance-based Gaze Estimation
This study highlights a security issue in gaze estimation systems. The contribution is incremental, since it applies known adversarial attack concepts to a new domain.
The paper investigates the vulnerability of appearance-based gaze estimation models to adversarial attacks, finding that perturbed images can cause incorrect gaze direction outputs and that CA-Net holds up best against attack among the tested networks.
Appearance-based gaze estimation has improved significantly with deep learning. However, many deep learning-based methods are vulnerable to adversarial perturbation: adding noise to the raw image confuses the gaze estimation model. Although the perturbed image looks visually similar to the original, the model outputs the wrong gaze direction. In this paper, we investigate the vulnerability of appearance-based gaze estimation. To our knowledge, this is the first time that this vulnerability has been identified in gaze estimation. We systematically characterize the vulnerability from multiple aspects: the pixel-based adversarial attack, the patch-based adversarial attack, and the defense strategy. Our experimental results demonstrate that CA-Net shows superior performance against attack among four popular appearance-based gaze estimation networks: Full-Face, Gaze-Net, CA-Net, and RT-GENE. This study draws the attention of researchers in the appearance-based gaze estimation community to defense against adversarial attacks.
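To make the idea of a pixel-based attack concrete, the following is a minimal sketch and not the paper's method. The abstract does not name the attack algorithm, so the sketch assumes a fast-gradient-sign (FGSM-style) perturbation, a common pixel-based attack. A hypothetical linear regressor stands in for a real gaze network so that the input gradient can be written analytically. All names (`predict_gaze`, `fgsm_attack`), the 36x60 image size, and the value of `eps` are illustrative assumptions.

```python
import numpy as np


def predict_gaze(W, b, x):
    """Hypothetical linear gaze regressor: flattened image -> (pitch, yaw)."""
    return W @ x + b


def squared_error(W, b, x, gaze_true):
    """Half the squared L2 distance between predicted and true gaze."""
    residual = predict_gaze(W, b, x) - gaze_true
    return 0.5 * float(residual @ residual)


def fgsm_attack(W, b, x, gaze_true, eps):
    """FGSM-style step: move every pixel by eps in the direction that raises the loss."""
    # Analytic gradient of the squared error with respect to the input pixels.
    grad = W.T @ (predict_gaze(W, b, x) - gaze_true)
    x_adv = x + eps * np.sign(grad)
    # Keep the perturbed image inside the valid intensity range [0, 1].
    return np.clip(x_adv, 0.0, 1.0)


# Toy setup (assumed sizes and values, not taken from the paper).
rng = np.random.default_rng(0)
n_pixels = 36 * 60                                # assumed eye-image resolution
W = rng.normal(scale=0.05, size=(2, n_pixels))    # stand-in model weights
b = np.zeros(2)
x = rng.uniform(0.2, 0.8, size=n_pixels)          # stand-in "clean" image
# Ground truth close to the clean prediction, so the clean error is small.
gaze_true = predict_gaze(W, b, x) + rng.normal(scale=0.01, size=2)

eps = 0.03                                        # max per-pixel change
x_adv = fgsm_attack(W, b, x, gaze_true, eps)

loss_clean = squared_error(W, b, x, gaze_true)
loss_adv = squared_error(W, b, x_adv, gaze_true)
print("max pixel change:", np.max(np.abs(x_adv - x)))
print("loss clean / adversarial:", loss_clean, loss_adv)
```

In this sketch each pixel changes by at most `eps`, so the perturbed image stays close to the original while the gaze error grows. For a deep network, the analytic gradient would be replaced by one obtained through automatic differentiation.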