Third place solution for Vision Labs Adversarial Attacks on Black Box Face Recognition System Challenge.
Team Boyara Power (Oleksii Hrinchuk, Valentin Khrulkov, Elena Orlova)
Our solution consists of two parts. First, we trained a copycat network to imitate the outputs of the Black Box. Then we attacked this substitute network with a standard White Box targeted attack algorithm to obtain perturbed images, which we used to fool the original Black Box.
- Take pretrained FaceNet based on Inception v1 architecture.
- Replace all fully connected layers with one FC layer of 512 neurons, followed by BatchNorm and L2 normalization.
- Fine-tune the resulting network for 10 epochs, with learning rate decay after every 3 epochs.
- Train three such networks and combine them into an ensemble (by averaging the resulting descriptors).
To get a better copycat network, we used a number of data augmentation techniques, such as:
- Augment the data with the 4 possible corner crops, and with horizontal flips, zooms and shifts.
- Extend training set with previously computed submissions to better approximate the network in the proximity of given data.
- Generate synthetic inputs based on identifying directions in which the models’ output is varying the most.
- The best attack algorithm in our experiments was the targeted fast gradient method (FGM) accelerated with Nesterov momentum.
- We also noticed that 998 out of 1000 people from the target images were exactly the people from the source images (this can be found by analysing pairwise L2 distances between source and target images). Instead of attacking just the 5 given target images, we attacked 20 (the original targets, the corresponding sources, and mirror reflections of both) to get a more robust and generalizable attacker.
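
The identity-overlap check mentioned in the last bullet (pairwise L2 distances between source and target descriptors), as an added example that is not the team's code. The function names, the 4-dimensional constructed descriptors and the 0.5 distance threshold are assumptions for illustration; real descriptors here would be the 512-dimensional L2-normalized outputs.

```python
import math

def l2_normalize(v):
    """Scale a descriptor to unit L2 norm."""
    norm = math.sqrt(sum(x * x for x in v))
    if norm == 0.0:
        raise ValueError("zero descriptor cannot be normalized")
    return [x / norm for x in v]

def mean_descriptor(descriptors):
    """Normalize each image descriptor, average them, and re-normalize."""
    unit = [l2_normalize(d) for d in descriptors]
    mean = [sum(col) / len(unit) for col in zip(*unit)]
    return l2_normalize(mean)

def l2_distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def find_identity_overlap(sources, targets, threshold):
    """Return {target id: (nearest source id, distance)} for distances below threshold.

    sources / targets map an identity id to a list of per-image descriptors."""
    src_means = {sid: mean_descriptor(ds) for sid, ds in sources.items()}
    overlap = {}
    for tid, ds in targets.items():
        t_mean = mean_descriptor(ds)
        best_sid, best_dist = min(
            ((sid, l2_distance(t_mean, m)) for sid, m in src_means.items()),
            key=lambda pair: pair[1],
        )
        if best_dist < threshold:
            overlap[tid] = (best_sid, best_dist)
    return overlap

# Constructed sample data: two images per identity, 4-d descriptors.
SOURCES = {
    "src_a": [[0.9, 0.1, 0.0, 0.1], [1.0, 0.0, 0.1, 0.0]],
    "src_b": [[0.0, 1.0, 0.1, 0.0], [0.1, 0.9, 0.0, 0.1]],
    "src_c": [[0.0, 0.0, 1.0, 0.1], [0.1, 0.0, 0.9, 0.0]],
}
TARGETS = {
    "tgt_1": [[0.1, 0.95, 0.05, 0.0], [0.0, 1.0, 0.0, 0.1]],  # same person as src_b
    "tgt_2": [[0.95, 0.0, 0.05, 0.1], [0.9, 0.1, 0.1, 0.0]],  # same person as src_a
    "tgt_3": [[0.0, 0.1, 0.0, 1.0], [0.1, 0.0, 0.1, 0.9]],    # not among the sources
}
THRESHOLD = 0.5  # assumed cut-off; tune on pairs with known identity

if __name__ == "__main__":
    for tid, (sid, dist) in sorted(find_identity_overlap(SOURCES, TARGETS, THRESHOLD).items()):
        print(f"{tid} -> {sid} (L2 = {dist:.3f})")
```

A count of matched targets close to the total number of targets indicates that the two sets share identities, which is the overlap reported above.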

| Model | Public score |
|---|---|
| Finetuned Facenet | 1.256 |
| + train augmentation | 1.114 |
| + ensemble & Nesterov | 1.007 |
| + BatchNorm | 0.981 |