Fooling Computer Vision into Inferring the Wrong Body Mass Index

05/16/2019 ∙ by Owen Levin, et al. ∙ 0

Recently it's been shown that neural networks can use images of human faces to accurately predict Body Mass Index (BMI), a widely used health indicator. In this paper we demonstrate that a neural network performing BMI inference is indeed vulnerable to test-time adversarial attacks. This extends test-time adversarial attacks from classification tasks to regression. The application we highlight is BMI inference in the insurance industry, where such adversarial attacks imply a danger of insurance fraud.



There are no comments yet.


page 3

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Body Mass Index (BMI) is a widely used health quantity calculated as . The world health organization categorizes BMI broadly into Underweight , Normal , Overweight , and Obese  (World Health Organization, 2018). Kocabey et al. recently developed a regression task Face-to-BMI (Kocabey et al., 2017), where they accurately predicted BMI from images of human faces. The motivation for their study was identifying how an individual’s BMI affects their treatment by others on social media platforms (Kocabey et al., 2018).

In this paper we instead focus on the application of Face-to-BMI in the insurance industry, where adversarial attacks could become a issue. Suppose an insurance company uses a neural network to predict the BMI of their clients from photos and then uses this information to influence coverage. There are two scenarios in which an adversarial attacker may want to manipulate the input photo inperceptibly to attack the BMI predictor: (1) the attacker may want to make someone appear healthier to lower their rates; (2) conversely, make someone appear unhealthy to sabotage that person’s insurance application. We demonstrate that a neural network performing Face-to-BMI is indeed vulnerable to test-time adversarial attacks. This extends test-time adversarial attacks from classification tasks (e.g. (Papernot et al., 2016; Moosavi-Dezfooli et al., 2016; Goodfellow et al., 2015; Carlini and Wagner, 2017)) to regression.

2. Adversarial Attacks on Face-to-BMI Prediction

The victim neural network takes as input a

face image and outputs a BMI estimate. We use Alexnet 

(Krizhevsky et al., 2012) layers conv1 to fc7 plus one linear layer after fc7 to perform regression.

The threat model assumes a whitebox attacker with full knowledge of the victim weights and architecture. The attacker can edit any pixels in the photo, including those not on the human. We consider targeted attacks to force prediction into a pre-specified target range .

The attack formulation find the minimum perturbation such that for input input , . Both and must be valid images with integer pixel values in 0–255. We measure perturbation by its norm for some  (Papernot et al., 2016; Moosavi-Dezfooli et al., 2016; Goodfellow et al., 2015; Carlini and Wagner, 2017). Thus, the ideal attack solves


However, this is a difficult integer program. We heuristically solve a related problem to simply find a

small enough . We reformulate the attack goal as follows: We relax the integral constraint on and change the objective:


We initialize and perform early-stopping as soon as to encourage small norm on .

3. Experiments

Datasets. We use two datasets of (photo, BMI) pairs: (1) Federal Corrections Body Mass Index (FCBMI) consists of 9045 public photos at multiple federal and state corrections facilities. (2) VisualBMI dataset with 4206 photos collected by (Kocabey et al., 2017) from Reddit.

Training the victim network

. We train the BMI prediction network with transfer-learning. We load weights pre-trained on the ILSVRC 2012 data set for the conv1 to fc7 layers of Alexnet. Then we randomly initialize the last linear layer using Xavier 

(Glorot and Bengio, 2010). Finally we fine tune the entire network’s weights using our own training images. We use a random subset of 7000 images in FCBMI for fine-tuning, and keep the remaining 2045 images in FCBMI and the whole VisualBMI for testing. We pre-process the images identically to in AlexNet (Krizhevsky et al., 2012): images are converted from RGB to BGR, re-sized to . Finally we subtract the grand mean pixel value from each pixel in the images in the training set. This means that we provide an input in to the neural network at test time. During training we use loss. We use the Adam (Kingma and Ba, 2014) optimizer with . The batch size is 64 and learning rate is 0.0001.

Attack implementation. To solve (2) the attacker simulates the victim by pre-pending an extra input layer with and 1s:

Preprocessing +

AlexNet+Linear regression

(frozen weights)

Predicted BMI

The attacker freezes the weights of the entire network except and trains the network using projected gradient descent on the objective in (2). Once training is complete, the attacker takes a final projection step and rounds so that .

0:      : BMI prediction network,            : victim image,            : Max iterations
0:  : perturbation such that and
  while  or  do
      {gradient descent with step size }
     Project such that
  end while
   {rounds such that is moved to the nearest point in }
  return  {flags a failure if final is unsuccessful after iterations}
Algorithm 1 Adversarially attacking the BMI prediction network

Qualitative results. Figure 1 shows the BMI attack on 8 photos from the VisualBMI data set. We obscured the eyes with black boxes to preserve partial anonymity of those pictured. The boxes are not present in the original data set, so neither the prediction network nor the attacker saw or were influenced by them. Here the attack goal is to force BMI predictions into the normal range . The attacker succeeds at this. We note that all changes have small infinite norm: . Also, s have more nonzero elements and vary more the further the original BMI is from the target range.

Quantitative results. We demonstrate two attacks separately: “make-healthy” where the attacker forces BMI predictions into corresponding to normal weight, and “make-obese” with attack target range of corresponding to obesity. We use the 2045 test images from the FCBMI data set and all 4206 images in the VisualBMI data set. Figure 2

(left) shows BMI before and after attack on VisualBMI. One may expect the attack to just project the predicted BMI onto the boundary of the target range. We see almost exactly that, but there is some minor variance within the target region due to rounding of

. Infrequently, there are large outliers where the rounding shifts the prediction to the other side of the target range. One example of this phenomenon is the right-most face in Figure 

1. Figure 2(right) shows under both attacks. As expected, the further a victim’s initially predicted BMI from the target region, the larger the norm of the perturbation . Figure 3 shows on the FCBMI test set. The same trend holds. Also note the maximum pixel value change is small, roughly 5 out of 255. These attacks will be difficult for humans to perceive.

4. Conclusions and future work

We have demonstrated that naïve whitebox adversarial attacks can be a threat to Face-to-BMI regression. For this reason, we urge caution when using BMI predicted from images in applications such as insurance, as they can be manipulated to make someone’s rates artificially lower or higher.

The attacks in this paper requires the ability to modify any pixels. A more realistic attack would be physical, e.g. have the person wear make-up or accessories like glasses. An intermediate simulated attack could restrict the attack within face or skin pixels. Combining these with e.g. Expectation-Over-Transformation as in (Athalye and Sutskever, 2017) might allow someone to design adversarial make-up they could wear to influence the predicted BMI.

Figure 1. Attacks forcing BMI predictions into the “normal weight” range [18.7, 24.9]. Row (a): Original BMI prediction . Row (b): Attack and its norms. ’s color scale maps [-2, 2] linearly to [0, 255] (gray = no attack). Row (c): Attacked BMI prediction .
Figure 2. Left: -axis: the initial BMI prediction , -axis: the corresponding attacked BMI prediction for each image in the VisualBMI data set. We have highlighted the relevant target ranges. Right: -axis: , -axis: the corresponding of the first successful rounded for each victim image in the VisualBMI data set.
Figure 3. Attack on the FCBMI test set for make-healthy (Left) and make-obese (Right) attacks. To help visualize the distribution of data we dithered the norms using iid Gaussian noise with mean 0 and variance .005

Acknowledgments: The authors wish to thank Glenn Fung for discussions and sharing some of the data set used in this work. This work is supported in part by NSF 1545481, 1704117, 1836978, and the MADLab AF Center of Excellence FA9550-18-1-0166.