Real-World Adversarial Examples involving Makeup Application

by   Chang-Sheng Lin, et al.

Deep neural networks have developed rapidly and have achieved outstanding performance in several tasks, such as image classification and natural language processing. However, recent studies have indicated that both digital and physical adversarial examples can fool neural networks. Face-recognition systems are used in various applications that involve security threats from physical adversarial examples. Herein, we propose a physical adversarial attack with the use of full-face makeup. The presence of makeup on the human face is a reasonable possibility, which possibly increases the imperceptibility of attacks. In our attack framework, we combine the cycle-adversarial generative network (cycle-GAN) and a victimized classifier. The Cycle-GAN is used to generate adversarial makeup, and the architecture of the victimized classifier is VGG 16. Our experimental results show that our attack can effectively overcome manual errors in makeup application, such as color and position-related errors. We also demonstrate that the approaches used to train the models can influence physical attacks; the adversarial perturbations crafted from the pre-trained model are affected by the corresponding training data.



There are no comments yet.


page 1

page 3

page 4

page 5


Robust Attacks on Deep Learning Face Recognition in the Physical World

Deep neural networks (DNNs) have been increasingly used in face recognit...

Robust Physical-World Attacks on Face Recognition

Face recognition has been greatly facilitated by the development of deep...

ReabsNet: Detecting and Revising Adversarial Examples

Though deep neural network has hit a huge success in recent studies and ...

A geometry-inspired decision-based attack

Deep neural networks have recently achieved tremendous success in image ...

On Brightness Agnostic Adversarial Examples Against Face Recognition Systems

This paper introduces a novel adversarial example generation method agai...

Application of Adversarial Examples to Physical ECG Signals

This work aims to assess the reality and feasibility of the adversarial ...

Using a GAN to Generate Adversarial Examples to Facial Image Recognition

Images posted online present a privacy concern in that they may be used ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Deep neural networks are well-known for their impressive performance in machine learning and artificial intelligence applications, such as object detection, automatic speech recognition, and visual art processing. However, recent research has demonstrated that well-trained deep neural networks are vulnerable to indistinguishable perturbations called adversarial examples, which can be applied in both digital and physical attacks. Extensive efforts have been devoted to addressing digital adversarial attacks. Madry et al.

[9] proposed an iterative gradient-based attack that can effectively search for adversarial examples within the allowed norm ball. Carlini and Wanger [1] formalized adversarial attacks as an optimization problem and found imperceptible perturbations. Moreover, an ample set of digital attacks ([4, 6, 3, 19, 17, 15]) can craft unnoticeable and strong perturbations over the entire image against face recognition (FR) systems. In practice, however, digital attacks cannot be directly applied in the physical world. For instance, in the setting of digital attacks, the malicious attacker attacking FR without any restriction for the positions of adversarial perturbations against the actual situation. In a reasonable scenario, a malicious attacker attempting to mislead the FR system can only add perturbations to the face instead of the background. Thus, a physical attack, which has more limitations than a digital attack, is more complicated. In addition to the positions of perturbations, adversarial perturbations are affected by several environmental factors, such as brightness, viewing angle, and the camera resolution in physical attacks. There have also been several efforts to address physical attacks. Certain physical attacks [12, 14, 8] have overcome specific limitations associated with printing adversarial noise on wearable objects, such as eyeglasses, T-shirts, and hats. Moreover, some studies have focused on attacking FR systems using adversarial patches [11] and adversarial light [10]. All these studies considered environmental factors and the reducibility of adversarial perturbations.

Figure 1: Illustration of physical adversarial examples generated by Adv eyeglasses, Adv T-shirts, Adv Hat, and our attack.

In this study, inspired by [19], we designed an attack that uses full-face makeup as adversarial noise. Instead of printing, we aimed to manually perturb the face and ensure that it would mislead the FR system successfully. Compared with prior work on physical attacks, the most notable difference, and also the most challenging aspect, of our attack is the method of reproducing the noise from digital results. As shown in Fig.1, the adversarial examples crafted under the physical adversarial examples crafted in prior studies are visually distinctive to the human eye, whereas our adversarial example has a more natural appearance. Our contributions are summarized as follows: (1) We propose a novel method for synthesizing adversarial makeup. (2) When implemented in the real world, our attack can compensate for manual errors in makeup application and is thus an example of an effective physical adversarial example.

2 Related Work

2.1 Adversarial Attacks

Adversarial attacks can be conducted using digital and physical methods. Digital attacks involve fewer restrictions than physical attacks. In the physical scenario, many factors affect the presentation of adversarial perturbations, such as the light and angle of the camera lens. Both digital and physical attacks can be defined as targeted and untargeted attacks. The definition of a targeted attack is stricter, that is, the prediction result of the adversarial example must be a specific class. However, the output of the model is only different from the ground truth label in an untargeted attack. We present the details of digital and physical attacks in the following sections.

2.1.1 Digital Attacks

Several studies on attack methods have recently demonstrated that deep neural networks (DNNs) can be easily fooled by adversarial examples. In general, the loss function of a digital adversarial attack comprises the restrictions on perturbations and attack loss. For instance, Szegedy et al.

[13] proposed that given an input , one can find a solution that allows the classified result of to be close to the target class and to be small. This can be formalized as an optimization problem:



is a function to compute the distance between two probability distributions, such as the cross-entropy,

is the victimized model, is the target label, and denotes the data dimension. The hyper-parameter governs the importance of the norm of perturbations . In addition to optimization-based attacks, Goodfellow et al. [7], Madry et al. [9], and Dong et al. [5] proposed gradient-based methods to attack DNNs.

Based on the purpose of out attack, we introduce several digital attacks on FR systems in this section. Zhu et al. [19] first attempted to use eye makeup to perturb the target input and then attack the FR system. Yang et al. [15] used a generative neural network to generate adversarial face images that attack an FR system. Adversarial examples generated using these approaches ([4, 6, 3, 17]) either appear factitious or cannot be directly applied in the physical world.

2.1.2 Physical Attacks

A physical attack requires more factors to be considered, and it uses an objective function similar to that in digital attacks. Considering Eq.1, however, the constraint on is not sufficient, which results in the failure of the physical attack . Sharif et al. [12] suggested that there are three aspects that should be considered for perturbations of : (1) how perturbations can be added in the real world; (2) environmental factors: light, positions of adversarial noise, and angle of the camera lens; (3) increasing the smoothness of the adversarial noise. Accordingly, they proposed a patch-based attack to add perturbations within a specific region, e.g., the area covered by eyeglasses, to attack FR systems. Similar attacks on wearable objects were also synthesized by [14, 8]. Yin et al. [16] proposed Adv-Makeup, which transfers eye makeup to perform attacks with a black-box setting .

2.2 Cycle-GAN

Figure 2: Framework of Cycle-GAN. It is composed of two mapping functions, G: and F: , and two associated discriminators, and . is used to increase the similarity between the synthetic image from G and domain and vice versa for F and . The cycle-consistency loss can force G and F to be consistent with each other.

Cycle-GAN [18]

is a technique that involves unsupervised training of an image-to-image translation model with unpaired examples. Its applications include style transfer, object transfiguration, season translation, and generation of photographs from paintings. As shown in Fig.

2, Cycle-GAN comprises mapping functions and discriminators and aims to learn the mapping functions between two domains and , given training sets and . Its objective function contains forward–backward adversarial losses and a cycle-consistency loss, which allow images to be translated into other styles. Considering the applications of Cycle-GAN, it can be used effectively for our attack, which involves transferring images of faces both with and without makeup.

3 Methodology

Figure 3: Overview of the framework of our attack, which consists of Cycle-GAN and the VGG 16 face-recognition classifier. Cycle-GAN contains two generators ( and ) and discriminators ( and ). Among them, generator can generate adversarial faces with full-face makeup, successfully misleading the face recognition (FR) system, VGG 16.

3.1 Overview

We used the Cycle-GAN framework to generate imperceptible adversarial examples. Instead of adding irrelevant noise to the images, full-face makeup is used as adversarial perturbation to mislead well-trained FR systems. As shown in Figure 3, the framework consists of two components. One is the architecture of Cycle-GAN, which is responsible for translating the image styles between those with and without makeup. The other is the victimized FR classifier, VGG 16. With images of an individual not wearing makeup as the input data and randomly selecting faces with cosmetics applied, the makeup generator can synthesize a face with full-face makeup, misleading the VGG 16 successfully. When the makeup generator has been trained, randomly selected non-makeup images of the same individual with the input data can fool the face recognition system, VGG 16.

3.2 Makeup Generation

The purpose of our attack is to generate unobtrusive adversarial examples. Considering applications in the physical world, full-face makeup, which provides assorted appearances and is common in daily life, can be enforced easily. To achieve this goal, we selected Cycle-GAN, which involves automatic training of image-to-image translation models without paired examples. As shown in Figure 3, we follow the setting of Cycle-GAN [18], which comprising two generators and two discriminators. Cycle-GAN contains two GAN architectures. The makeup generator translates non-makeup images to full-face makeup images, and generator can transform images that contain makeup to non-makeup images. The discriminator is used to stimulate the perceptual authenticity of the synthetic image featuring cosmetics, and is applied to improve the quality of the generative image reconstructed by .

With the input of the non-makeup source image and makeup image , we first employ face detection using YoLov4 to perform face cropping for input . Considering that FR classifiers are used in real life, YoLov4 should correctly classify faces with different angles to obviate the need for face alignment. The generator takes non-makeup images as input and outputs with generative full-face makeup; the generator takes as input and outputs without cosmetics. To improve the quality of the synthetic images, we also applied discriminators that cause the synthetic images to appear more natural. The discriminator takes the real source image with cosmetics and the output with generative full-face makeup from the generator as input, and the discriminator takes the real non-makeup source image and the output without makeup generated by the generator as input. Cycle-GAN contains two GAN networks; thus, we define the loss of GAN as follows:


To ensure consistency between and , , and vice versa, the loss is defined as


Furthermore, we introduce the loss to limit the differences between the input and output of the generators. is formalized as follows:


Therefore, the full objective of the Cycle-GAN is


where and govern the corresponding importance of other objectives.

3.3 Makeup Attack

The most difficult aspect of using makeup as an adversarial perturbation is that people cannot apply makeup precisely. Manual application of makeup on the face cannot exactly the match the digital result. To overcome this challenge, we use Gaussian blur, denoted as , which can dim the boundaries of the makeup to simulate manual errors. Then, to produce the makeup-based adversarial perturbations, we introduce the following untargeted attack objective function:


Let denote the Gaussian blur output of the perturbed example of , subject to , where is the data dimension, and denotes the space of valid data examples.

is the output of x in the pre-softmax layer (known as logits), and

is the ground-truth label of . is a hyper-parameter that controls the model confidence of . If is set higher, the adversarial example will have a stronger classification confidence. The targeted attack loss can be defined as a similar loss from Eq. (6).

In summary, we solve the optimization problem to minimize the loss function . We summarize our complete attack loss function , which combines Cycle-GAN and generates adversarial examples, as follows:


4 Experiment

We obtained the results of our attack in a white-box setting and performed both untargeted and targeted attacks. We collected a non-makeup image dataset, which consists of images of eight colleagues from our laboratory. There were 2286 images in the training set and 254 samples in the test set. We used the makeup dataset employed by Chen et al. [2]

, which contains 361 training samples. Our experimental results showed that the prediction probability for each class is calculated using the following equation:


where denotes that the percentage of frames is classified as Class .

Figure 4: Visual comparison of adversarial examples generated by attacking models trained with pre-trained weights and from scratch under the setting of the targeted attack. The red crosses indicate that physical attacks failed. The targeted class is numbered 0, 2, 3, 4, , 7 from left to right (the attacker is class 1).

4.1 Experiment Setup

We conducted untargeted and targeted attacks in a white-box setting, meaning that attackers could access all parameters of the model. For the coefficients of our attack objective function, we set , , and . We trained the classifier from the pre-trained weights and scratches. For the training with pre-trained weights111

, we selected Adam as the optimizer, trained the model with 367 epochs, and set the learning rate to 0.00001. For the training from scratch, we used the Adam optimizer with a learning rate of 0.00001 and 408 epochs. For both training methods, we set the batch size to 25. In our attack, we used the Adam optimizer with a learning rate of 0.0002 and set the batch size to 1. We ran our attack with more than 100 epochs and then selected the images that appeared the most natural as the adversarial examples. All the experiments were conducted using a PC with an Intel Xeon E5-2620v4 CPU, 125 GB RAM, and an NVIDIA TITAN Xp GPU with 12 GB RAM. The camera used was an ASUS ZenFone 5Z ZS620KL (rear camera).

4.2 Untargeted Attack

Under an untargeted attack, the classifier trained with the pre-trained weights achieved an accuracy of 98.41% on the test set. In the physical world, the accuracy of the attack could reach 84%, as shown in Fig. 6 (a). As shown in Fig. 5 (c), the accuracy of the attacker reduces to 0% and the attacker has 34 percentage to be classified to the Class 3. The person in Class 3 (victimized class) shown in Fig. 5 (a). Fig. 5 (b) and (c) show that the physical adversarial example is not identical to the digital one. However, it can still attack successfully when the adversarial noise is reduced.

Figure 5: Visual comparison of physical and digital adversarial examples generated under the setting of the untargeted attack. (a) showed the person who is classified when taking physical adversarial examples as the input. (b) Digital adversarial sample generated by the attack. (c) Result of an attacker wearing makeup.
(a) Pre-trained
(b) Scratch
Figure 6: (a) shows that the attacker can be classified to himself with the 84% when using the model trained from the pre-trained weights. (b) showed the attacker had 96% to be classified to himself by the model trained from the scratch.

4.3 Targeted Attack

We trained the classifiers with pre-trained weights and from scratch on the targeted attack. The model trained using the pre-trained weights attained an accuracy of 98.41% on the test set. In addition, the accuracy of the model trained from scratch on the test set was 97.64%. In the physical setting, the attack achieves accuracies of 84% and 96% with the pre-trained model and the model trained from scratch, respectively, as shown in Fig. 6. The model trained from scratch is more robust; hence, the attacker can be classified correctly even when the viewing angle is varied. In Fig.4, however, the attacker can get the higher percentage of some targeted classes as attacking the model trained from the scratch. Moreover, if the targeted images have prominent features such as eyeglasses, they might be presented in the adversarial examples as well.

5 Conclusion

In this paper, we proposed a novel and powerful attack mechanism for real-world applications, which can utilize full-face makeup images to perform attacks on FR systems. Instead of adding adversarial perturbations using machines, our attack method adds them manually and overcomes errors associated with color and positions. The experimental results showed that our method is effective under the settings of both targeted and untargeted attacks. In future, we will attempt to reduce the amount of adversarial noise to make the perturbations less perceptible. We also intend to demonstrate that the method of training the models affects the physical attack.


  • [1] N. Carlini and D. Wagner (2017) Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy, pp. 39–57. Cited by: §1.
  • [2] C. Chen, A. Dantcheva, T. Swearingen, and A. Ross (2017) Spoofing faces using makeup: an investigative study. In 2017 IEEE International Conference on Identity, Security and Behavior Analysis (ISBA), pp. 1–8. Cited by: §4.
  • [3] D. Deb, J. Zhang, and A. K. Jain (2019) Advfaces: adversarial face synthesis. In 2020 IEEE International Joint Conference on Biometrics (IJCB), pp. 1–10. Cited by: §1, §2.1.1.
  • [4] J. Deng, J. Guo, N. Xue, and S. Zafeiriou (2019) Arcface: additive angular margin loss for deep face recognition. In

    Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition

    pp. 4690–4699. Cited by: §1, §2.1.1.
  • [5] Y. Dong, F. Liao, T. Pang, H. Su, J. Zhu, X. Hu, and J. Li (2018) Boosting adversarial attacks with momentum. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 9185–9193. Cited by: §2.1.1.
  • [6] Y. Dong, H. Su, B. Wu, Z. Li, W. Liu, T. Zhang, and J. Zhu (2019) Efficient decision-based black-box adversarial attacks on face recognition. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 7714–7722. Cited by: §1, §2.1.1.
  • [7] I. J. Goodfellow, J. Shlens, and C. Szegedy (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572. Cited by: §2.1.1.
  • [8] S. Komkov and A. Petiushko (2021) Advhat: real-world adversarial attack on arcface face id system. In 2020 25th International Conference on Pattern Recognition (ICPR), pp. 819–826. Cited by: §1, §2.1.2.
  • [9] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu (2018)

    Towards deep learning models resistant to adversarial attacks

    International Conference on Learning Representations. Cited by: §1, §2.1.1.
  • [10] D. Nguyen, S. S. Arora, Y. Wu, and H. Yang (2020) Adversarial light projection attacks on face recognition systems: a feasibility study. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, pp. 814–815. Cited by: §1.
  • [11] M. Pautov, G. Melnikov, E. Kaziakhmedov, K. Kireev, and A. Petiushko (2019) On adversarial patches: real-world attack on arcface-100 face recognition system. In 2019 International Multi-Conference on Engineering, Computer and Information Sciences (SIBIRCON), pp. 0391–0396. Cited by: §1.
  • [12] M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter (2016) Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. In Proceedings of the 2016 acm sigsac conference on computer and communications security, pp. 1528–1540. Cited by: §1, §2.1.2.
  • [13] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus (2014) Intriguing properties of neural networks. International Conference on Learning Representations. Cited by: §2.1.1.
  • [14] K. Xu, G. Zhang, S. Liu, Q. Fan, M. Sun, H. Chen, P. Chen, Y. Wang, and X. Lin (2020) Adversarial t-shirt! evading person detectors in a physical world. In European Conference on Computer Vision, pp. 665–681. Cited by: §1, §2.1.2.
  • [15] L. Yang, Q. Song, and Y. Wu (2021) Attacks on state-of-the-art face recognition using attentional adversarial attack generative network. Multimedia Tools and Applications 80 (1), pp. 855–875. Cited by: §1, §2.1.1.
  • [16] B. Yin, W. Wang, T. Yao, J. Guo, Z. Kong, S. Ding, J. Li, and C. Liu (2021) Adv-makeup: a new imperceptible and transferable attack on face recognition. arXiv preprint arXiv:2105.03162. Cited by: §2.1.2.
  • [17] Y. Zhong and W. Deng (2020) Towards transferable adversarial attack against deep face recognition. IEEE Transactions on Information Forensics and Security 16, pp. 1452–1466. Cited by: §1, §2.1.1.
  • [18] J. Zhu, T. Park, P. Isola, and A. A. Efros (2017) Unpaired image-to-image translation using cycle-consistent adversarial networks. In Proceedings of the IEEE international conference on computer vision, pp. 2223–2232. Cited by: §2.2, §3.2.
  • [19] Z. Zhu, Y. Lu, and C. Chiang (2019) Generating adversarial examples by makeup attacks on face recognition. In 2019 IEEE International Conference on Image Processing (ICIP), pp. 2516–2520. Cited by: §1, §1, §2.1.1.