Deep neural networks are well known for their impressive performance in machine learning and artificial intelligence applications, such as object detection, automatic speech recognition, and visual art processing. However, recent research has demonstrated that well-trained deep neural networks are vulnerable to indistinguishable perturbations called adversarial examples, which can be applied in both digital and physical attacks. Extensive efforts have been devoted to addressing digital adversarial attacks. Madry et al. proposed an iterative gradient-based attack that can effectively search for adversarial examples within the allowed norm ball. Carlini and Wagner formalized adversarial attacks as an optimization problem and found imperceptible perturbations. Moreover, an ample set of digital attacks ([4, 6, 3, 19, 17, 15]) can craft unnoticeable and strong perturbations over the entire image against face recognition (FR) systems.
In practice, however, digital attacks cannot be directly applied in the physical world. For instance, in the setting of digital attacks, the malicious attacker attacks the FR system without any restriction on the positions of adversarial perturbations, which does not match the actual situation. In a reasonable scenario, a malicious attacker attempting to mislead the FR system can only add perturbations to the face instead of the background. Thus, a physical attack, which has more limitations than a digital attack, is more complicated. In addition to the positions of perturbations, adversarial perturbations in physical attacks are affected by several environmental factors, such as brightness, viewing angle, and camera resolution. There have also been several efforts to address physical attacks. Certain physical attacks [12, 14, 8] have overcome specific limitations associated with printing adversarial noise on wearable objects, such as eyeglasses, T-shirts, and hats. Moreover, some studies have focused on attacking FR systems using adversarial patches and adversarial light. All these studies considered environmental factors and the reducibility of adversarial perturbations.
In this study, inspired by , we designed an attack that uses full-face makeup as adversarial noise. Instead of printing, we aimed to manually perturb the face and ensure that it would mislead the FR system successfully. Compared with prior work on physical attacks, the most notable difference, and also the most challenging aspect, of our attack is the method of reproducing the noise from digital results. As shown in Fig. 1, the physical adversarial examples crafted in prior studies are visually distinctive to the human eye, whereas our adversarial example has a more natural appearance. Our contributions are summarized as follows: (1) We propose a novel method for synthesizing adversarial makeup. (2) When implemented in the real world, our attack can compensate for manual errors in makeup application and is thus an example of an effective physical adversarial example.
2 Related Work
2.1 Adversarial Attacks
Adversarial attacks can be conducted using digital and physical methods. Digital attacks involve fewer restrictions than physical attacks. In the physical scenario, many factors affect the presentation of adversarial perturbations, such as the light and angle of the camera lens. Both digital and physical attacks can be either targeted or untargeted. The definition of a targeted attack is stricter, that is, the prediction result of the adversarial example must be a specific class. In an untargeted attack, by contrast, the output of the model only has to differ from the ground-truth label. We present the details of digital and physical attacks in the following sections.
2.1.1 Digital Attacks
Several studies on attack methods have recently demonstrated that deep neural networks (DNNs) can be easily fooled by adversarial examples. In general, the loss function of a digital adversarial attack comprises the restrictions on perturbations and attack loss. For instance, Szegedy et al. proposed that given an input , one can find a solution that allows the classified result of to be close to the target class and to be small. This can be formalized as an optimization problem:
is a function to compute the distance between two probability distributions, such as the cross-entropy, is the victimized model, is the target label, and denotes the data dimension. The hyper-parameter governs the importance of the norm of perturbations . In addition to optimization-based attacks, Goodfellow et al., Madry et al., and Dong et al. proposed gradient-based methods to attack DNNs.
Based on the purpose of our attack, we introduce several digital attacks on FR systems in this section. Zhu et al. first attempted to use eye makeup to perturb the target input and then attack the FR system. Yang et al. used a generative neural network to generate adversarial face images that attack an FR system. Adversarial examples generated using these approaches ([4, 6, 3, 17]) either appear factitious or cannot be directly applied in the physical world.
2.1.2 Physical Attacks
A physical attack requires more factors to be considered, although it uses an objective function similar to that of digital attacks. Considering Eq. 1, however, the constraint on is not sufficient, which results in the failure of the physical attack. Sharif et al. suggested that there are three aspects that should be considered for perturbations of : (1) how perturbations can be added in the real world; (2) environmental factors: light, positions of adversarial noise, and angle of the camera lens; (3) increasing the smoothness of the adversarial noise. Accordingly, they proposed a patch-based attack to add perturbations within a specific region, e.g., the area covered by eyeglasses, to attack FR systems. Similar attacks on wearable objects were also synthesized by [14, 8]. Yin et al. proposed Adv-Makeup, which transfers eye makeup to perform attacks in a black-box setting.
Cycle-GAN is a technique that involves unsupervised training of an image-to-image translation model with unpaired examples. Its applications include style transfer, object transfiguration, season translation, and generation of photographs from paintings. As shown in Fig. 2, Cycle-GAN comprises mapping functions and discriminators and aims to learn the mapping functions between two domains and , given training sets and . Its objective function contains forward–backward adversarial losses and a cycle-consistency loss, which allow images to be translated into other styles. Given these applications, Cycle-GAN can be used effectively for our attack, which involves translating between images of faces with and without makeup.
We used the Cycle-GAN framework to generate imperceptible adversarial examples. Instead of adding irrelevant noise to the images, full-face makeup is used as adversarial perturbation to mislead well-trained FR systems. As shown in Figure 3, the framework consists of two components. One is the architecture of Cycle-GAN, which is responsible for translating the image styles between those with and without makeup. The other is the victimized FR classifier, VGG 16. With images of an individual not wearing makeup as the input data and randomly selected faces with cosmetics applied, the makeup generator can synthesize a face with full-face makeup that successfully misleads VGG 16. Once the makeup generator has been trained, randomly selected non-makeup images of the same individual as in the input data can fool the face recognition system, VGG 16.
3.2 Makeup Generation
The purpose of our attack is to generate unobtrusive adversarial examples. Considering applications in the physical world, full-face makeup, which provides assorted appearances and is common in daily life, can be applied easily. To achieve this goal, we selected Cycle-GAN, which involves automatic training of image-to-image translation models without paired examples. As shown in Figure 3, we follow the setting of Cycle-GAN, which comprises two generators and two discriminators. Cycle-GAN contains two GAN architectures. The makeup generator translates non-makeup images to full-face makeup images, and generator can transform images that contain makeup to non-makeup images. The discriminator is used to stimulate the perceptual authenticity of the synthetic image featuring cosmetics, and is applied to improve the quality of the generative image reconstructed by .
With the input of the non-makeup source image and makeup image , we first employ face detection using YOLOv4 to perform face cropping for input . Considering that FR classifiers are used in real life, YOLOv4 should correctly classify faces with different angles to obviate the need for face alignment. The generator takes non-makeup images as input and outputs with generative full-face makeup; the generator takes as input and outputs without cosmetics. To improve the quality of the synthetic images, we also applied discriminators that cause the synthetic images to appear more natural. The discriminator takes the real source image with cosmetics and the output with generative full-face makeup from the generator as input, and the discriminator takes the real non-makeup source image and the output without makeup generated by the generator as input. Cycle-GAN contains two GAN networks; thus, we define the loss of GAN as follows:
To ensure consistency between and , , and vice versa, the loss is defined as
Furthermore, we introduce the loss to limit the differences between the input and output of the generators. is formalized as follows:
Therefore, the full objective of the Cycle-GAN is
where and govern the corresponding importance of other objectives.
3.3 Makeup Attack
The most difficult aspect of using makeup as an adversarial perturbation is that people cannot apply makeup precisely. Manual application of makeup on the face cannot exactly match the digital result. To overcome this challenge, we use Gaussian blur, denoted as , which can dim the boundaries of the makeup to simulate manual errors. Then, to produce the makeup-based adversarial perturbations, we introduce the following untargeted attack objective function:
Let denote the Gaussian blur output of the perturbed example of , subject to , where is the data dimension, and denotes the space of valid data examples. is the ground-truth label of . is a hyper-parameter that controls the model confidence of . If is set higher, the adversarial example will have a stronger classification confidence. The targeted attack loss can be defined similarly to Eq. (6).
In summary, we solve the optimization problem to minimize the loss function . We summarize our complete attack loss function , which combines Cycle-GAN and generates adversarial examples, as follows:
We obtained the results of our attack in a white-box setting and performed both untargeted and targeted attacks. We collected a non-makeup image dataset, which consists of images of eight colleagues from our laboratory. There were 2286 images in the training set and 254 samples in the test set. We used the makeup dataset employed by Chen et al., which contains 361 training samples. In our experimental results, the prediction probability for each class is calculated using the following equation:
where denotes that the percentage of frames is classified as Class .
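The per-class frame percentage described above can also serve a defender as a session-level consistency check on an FR system's output. The following Python sketch is an added example, not code from the paper; the thresholds `min_share` and `max_switch_rate`, the function names, and the sample label sequences are constructed assumptions.

```python
from collections import Counter

def class_percentages(frame_labels, num_classes):
    """Share of frames assigned to each class (the paper's per-class metric)."""
    if not frame_labels:
        raise ValueError("no frames to evaluate")
    if any(not 0 <= c < num_classes for c in frame_labels):
        raise ValueError("frame label outside the known classes")
    counts = Counter(frame_labels)
    return [counts.get(c, 0) / len(frame_labels) for c in range(num_classes)]

def switch_rate(frame_labels):
    """Fraction of consecutive frame pairs whose predicted label differs."""
    if len(frame_labels) < 2:
        return 0.0
    flips = sum(a != b for a, b in zip(frame_labels, frame_labels[1:]))
    return flips / (len(frame_labels) - 1)

def assess_session(frame_labels, num_classes, min_share=0.8, max_switch_rate=0.1):
    """Accept a session only if one identity dominates and predictions are stable.

    min_share and max_switch_rate are hypothetical thresholds chosen for
    illustration; they are not values from the paper.
    """
    shares = class_percentages(frame_labels, num_classes)
    top = max(range(num_classes), key=shares.__getitem__)
    rate = switch_rate(frame_labels)
    reasons = []
    if shares[top] < min_share:
        reasons.append("no dominant identity")
    if rate > max_switch_rate:
        reasons.append("unstable predictions")
    return {"top_class": top, "top_share": shares[top],
            "switch_rate": rate, "accept": not reasons, "reasons": reasons}

# Constructed per-frame predictions for an 8-class FR system (50 frames each).
STABLE = [2] * 48 + [5] * 2          # one identity in 96% of frames
UNSTABLE = [3, 1, 3, 6, 0] * 10      # top identity in only 40% of frames

if __name__ == "__main__":
    for name, labels in (("stable", STABLE), ("unstable", UNSTABLE)):
        print(name, assess_session(labels, num_classes=8))
```

A session whose frames scatter across several identities is held for review instead of being resolved to whichever class happens to lead.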
4.1 Experiment Setup
We conducted untargeted and targeted attacks in a white-box setting, meaning that attackers could access all parameters of the model. For the coefficients of our attack objective function, we set , , and . We trained the classifier both from pre-trained weights and from scratch. For the training with pre-trained weights (https://github.com/rcmalli/keras-vggface), we selected Adam as the optimizer, trained the model for 367 epochs, and set the learning rate to 0.00001. For the training from scratch, we used the Adam optimizer with a learning rate of 0.00001 and 408 epochs. For both training methods, we set the batch size to 25. In our attack, we used the Adam optimizer with a learning rate of 0.0002 and set the batch size to 1. We ran our attack for more than 100 epochs and then selected the images that appeared the most natural as the adversarial examples. All the experiments were conducted using a PC with an Intel Xeon E5-2620v4 CPU, 125 GB RAM, and an NVIDIA TITAN Xp GPU with 12 GB RAM. The camera used was an ASUS ZenFone 5Z ZS620KL (rear camera).
4.2 Untargeted Attack
Under an untargeted attack, the classifier trained with the pre-trained weights achieved an accuracy of 98.41% on the test set. In the physical world, the accuracy of the attack could reach 84%, as shown in Fig. 6 (a). As shown in Fig. 5 (c), the accuracy of the attacker reduces to 0%, and the attacker has a 34% probability of being classified as Class 3. The person in Class 3 (the victimized class) is shown in Fig. 5 (a). Fig. 5 (b) and (c) show that the physical adversarial example is not identical to the digital one. However, it can still attack successfully when the adversarial noise is reduced.
4.3 Targeted Attack
We trained the classifiers with pre-trained weights and from scratch for the targeted attack. The model trained using the pre-trained weights attained an accuracy of 98.41% on the test set. In addition, the accuracy of the model trained from scratch on the test set was 97.64%. In the physical setting, the attack achieves accuracies of 84% and 96% with the pre-trained model and the model trained from scratch, respectively, as shown in Fig. 6. The model trained from scratch is more robust; hence, the attacker can be classified correctly even when the viewing angle is varied. In Fig. 4, however, the attacker obtains a higher percentage for some targeted classes when attacking the model trained from scratch. Moreover, if the targeted images have prominent features such as eyeglasses, they might be presented in the adversarial examples as well.
In this paper, we proposed a novel and powerful attack mechanism for real-world applications, which can utilize full-face makeup images to perform attacks on FR systems. Instead of adding adversarial perturbations using machines, our attack method adds them manually and overcomes errors associated with color and positions. The experimental results showed that our method is effective under the settings of both targeted and untargeted attacks. In the future, we will attempt to reduce the amount of adversarial noise to make the perturbations less perceptible. We also intend to demonstrate that the method of training the models affects the physical attack.
- (2017) Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy, pp. 39–57.
- (2017) Spoofing faces using makeup: an investigative study. In 2017 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8.
- (2019) Advfaces: adversarial face synthesis. In 2020 IEEE International Joint Conference on Biometrics (IJCB), pp. 1–10.
- (2019) Arcface: additive angular margin loss for deep face recognition. In , pp. 4690–4699.
- (2018) Boosting adversarial attacks with momentum. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 9185–9193.
- (2019) Efficient decision-based black-box adversarial attacks on face recognition. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 7714–7722.
- (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572.
- (2021) Advhat: real-world adversarial attack on arcface face id system. In 2020 25th International Conference on Pattern Recognition (ICPR), pp. 819–826.
- Towards deep learning models resistant to adversarial attacks. International Conference on Learning Representations.
- (2020) Adversarial light projection attacks on face recognition systems: a feasibility study. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, pp. 814–815.
- (2019) On adversarial patches: real-world attack on arcface-100 face recognition system. In 2019 International Multi-Conference on Engineering, Computer and Information Sciences (SIBIRCON), pp. 0391–0396.
- (2016) Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. In Proceedings of the 2016 acm sigsac conference on computer and communications security, pp. 1528–1540.
- (2014) Intriguing properties of neural networks. International Conference on Learning Representations.
- (2020) Adversarial t-shirt! evading person detectors in a physical world. In European Conference on Computer Vision, pp. 665–681.
- (2021) Attacks on state-of-the-art face recognition using attentional adversarial attack generative network. Multimedia Tools and Applications 80 (1), pp. 855–875.
- (2021) Adv-makeup: a new imperceptible and transferable attack on face recognition. arXiv preprint arXiv:2105.03162.
- (2020) Towards transferable adversarial attack against deep face recognition. IEEE Transactions on Information Forensics and Security 16, pp. 1452–1466.
- (2017) Unpaired image-to-image translation using cycle-consistent adversarial networks. In Proceedings of the IEEE international conference on computer vision, pp. 2223–2232.
- (2019) Generating adversarial examples by makeup attacks on face recognition. In 2019 IEEE International Conference on Image Processing (ICIP), pp. 2516–2520.