Defending Black Box Facial Recognition Classifiers Against Adversarial Attacks

Rajkumar Theagarajan, Bir Bhanu; Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, 2020, pp. 812-813

Abstract


Defending against adversarial attacks is a critical step towards the reliable deployment of deep-learning-based biometric verification. Current approaches for defending black-box models use the classification accuracy of the black box as the performance metric for validating their defense. However, classification accuracy by itself is not a reliable metric for determining whether the resulting image is "adversarial-free". This is a serious problem for online biometric verification, where the ground truth of the incoming image is not known, so the accuracy of the classifier cannot be computed and it cannot be determined whether the image is "adversarial-free" or not. This paper proposes a novel framework for defending black-box systems against adversarial attacks using an ensemble of iterative adversarial image purifiers whose performance is continuously validated in a loop using Bayesian uncertainties. The proposed approach (i) is model agnostic, (ii) can convert single-step black-box defenses into an iterative defense and (iii) has the ability to reject adversarial examples. This paper uses facial recognition as a test case for validating the defense, and experimental results on the MS-Celeb dataset show that the proposed approach can consistently detect adversarial examples and purify or reject them against a variety of adversarial attacks with different ranges of perturbation.
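As an added illustration (not the paper's code; the page does not describe the actual purifiers or uncertainty estimator), the loop below sketches the abstract's idea on a toy one-dimensional "face" scorer: an ensemble of purifiers is applied iteratively, every candidate output is scored with Monte-Carlo-dropout disagreement as a stand-in for the Bayesian uncertainty, and the input is accepted only once that uncertainty falls below a threshold, otherwise it is rejected. The templates, the scorer, the purifiers and the perturbed inputs are all constructed here for the demonstration.

```python
import numpy as np

D, T, KEEP = 256, 32, 0.7          # signal length, Monte-Carlo passes, dropout keep rate
t = np.arange(D)
# Two smooth "identity" templates (constructed stand-ins for face embeddings).
PROTOS = np.stack([np.sin(2 * np.pi * t / 64), np.cos(2 * np.pi * t / 64)])
# Toy linear scorer: template matching plus random high-frequency weights.
R = np.random.default_rng(0).normal(size=(2, D))
R -= (R @ PROTOS.T / 128) @ PROTOS   # drop the template components so margins are exact
W = R + PROTOS

def predict(x):
    """Deterministic label from the undefended scorer."""
    return int(np.argmax(W @ x))

def uncertainty(x, seed=1):
    """MC dropout on the input features: fraction of stochastic passes that
    disagree with the majority vote (assumed stand-in for Bayesian uncertainty)."""
    masks = np.random.default_rng(seed).random((T, D)) < KEEP
    votes = np.argmax((masks * x / KEEP) @ W.T, axis=1)
    major = int(np.bincount(votes).argmax())
    return float(np.mean(votes != major)), major

def smooth(width):
    """A purifier: moving average that suppresses high-frequency perturbations."""
    return lambda x: np.convolve(x, np.ones(width) / width, mode="same")

PURIFIERS = [smooth(3), smooth(5)]   # the "ensemble": weak and strong purifier

def defend(x, threshold=0.1, max_iter=3):
    """Purify iteratively, keep the ensemble member with the lowest uncertainty,
    accept once the uncertainty is below the threshold, otherwise reject."""
    u = 1.0
    for it in range(1, max_iter + 1):
        scored = [uncertainty(c) + (c,) for c in (p(x) for p in PURIFIERS)]
        u, label, x = min(scored, key=lambda s: s[0])   # validated in the loop
        if u <= threshold:
            return {"verdict": "accept", "label": label, "iterations": it, "uncertainty": u}
    return {"verdict": "reject", "label": None, "iterations": max_iter, "uncertainty": u}

# Constructed inputs: a clean template, the same template plus a random-sign
# high-frequency perturbation aligned with the scorer's random weights (enough to
# flip the undefended label), and an ambiguous mix of both identities.
CLEAN = PROTOS[0]
ADV = CLEAN + 0.8 * np.sign(R[1] - R[0])
AMBIG = 0.5 * (PROTOS[0] + PROTOS[1])

if __name__ == "__main__":
    for name, x in [("clean", CLEAN), ("adversarial", ADV), ("ambiguous", AMBIG)]:
        print(name, "undefended label:", predict(x), "defended:", defend(x))
```

The perturbed input fools the undefended scorer, is purified back to the correct identity, and the ambiguous input never reaches low uncertainty and is rejected, which is the reject path the abstract describes.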

Related Material

[bibtex]
@InProceedings{Theagarajan_2020_CVPR_Workshops,
author = {Theagarajan, Rajkumar and Bhanu, Bir},
title = {Defending Black Box Facial Recognition Classifiers Against Adversarial Attacks},
booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops},
month = {June},
year = {2020}
}