Security Evaluation of CNN-based Authentication System under Adversarial Attack
2.42 MB, open access
This publication is subject to copyright. It may be read and printed for personal use. Commercial use is prohibited.
Abstract
Face verification systems are widely used in authentication, access control, surveillance, and mobile identity workflows. These systems usually follow a detect–embed–compare pipeline, where a face is detected and aligned, converted into an embedding by a deep neural network, and compared using a similarity metric and decision threshold. Although modern deep learning-based systems achieve strong clean performance, they may remain vulnerable to adversarially crafted inputs.
This thesis evaluates the clean and adversarial robustness of a pretrained face verification pipeline rather than training a new model from scratch. The implemented system uses MTCNN for face detection and alignment, InceptionResnetV1 pretrained on VGGFace2 for embedding extraction, cosine similarity for pair comparison, and a validation-selected threshold for verification decisions. The experiments follow an identity-disjoint evaluation protocol, and a clean baseline is first established using original face images.
The adversarial evaluation follows a pair-verification threat model. Two white-box gradient-based attacks are studied: the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD). The attacks are generated on aligned face crops, and only the first image in each pair is perturbed. For genuine pairs, the attack aims to decrease similarity and cause false rejection, while for impostor pairs, it aims to increase similarity and cause false acceptance.
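The decision stage of the detect–embed–compare pipeline and the pair-verification threat model above reduce to a few lines once embeddings exist. The following Python is an added example, not code from the thesis: it replaces MTCNN and InceptionResnetV1 with small constructed 4-dimensional embeddings, selects the cosine-similarity threshold on labelled validation pairs exactly as the text describes (maximum validation accuracy), and then reports false accept rate (FAR) and false reject rate (FRR) on a test set. Under the thesis's threat model an attacker's success on genuine pairs is the FRR of the perturbed set and on impostor pairs its FAR, so the same `evaluate` function scores both. The "perturbed" embeddings are hand-constructed shifts of the first embedding in each pair, standing in for the output of an attack; they are not produced by FGSM or PGD and the resulting numbers are illustrative only.

```python
"""Cosine-similarity face verification: threshold selection and FAR/FRR.

Added example, not the thesis's own code. Real pipelines feed aligned face
crops through a deep network; here embeddings are constructed 4-d vectors so
the decision logic and the evaluation metrics can be run offline.
"""
import math


def l2_normalize(v):
    """Scale a vector to unit length so cosine similarity is a dot product."""
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]


def cosine_similarity(a, b):
    return sum(x * y for x, y in zip(l2_normalize(a), l2_normalize(b)))


def select_threshold(val_pairs):
    """Pick the threshold maximizing accuracy on labelled validation pairs.

    Candidates are midpoints between adjacent sorted scores, so the chosen
    threshold never coincides with an observed score.
    val_pairs: iterable of (embedding_a, embedding_b, is_genuine).
    """
    scored = sorted((cosine_similarity(a, b), g) for a, b, g in val_pairs)
    scores = [s for s, _ in scored]
    candidates = [(scores[i] + scores[i + 1]) / 2 for i in range(len(scores) - 1)]
    best_t, best_acc = candidates[0], -1.0
    for t in candidates:
        acc = sum((s >= t) == g for s, g in scored) / len(scored)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t, best_acc


def evaluate(pairs, threshold):
    """Accuracy, FAR (impostor pairs accepted) and FRR (genuine pairs rejected).

    On a perturbed set, FRR is the attacker's success rate on genuine pairs
    and FAR the success rate on impostor pairs, per the thesis's threat model.
    """
    false_accepts = false_rejects = genuine = impostor = 0
    for a, b, is_genuine in pairs:
        accept = cosine_similarity(a, b) >= threshold
        if is_genuine:
            genuine += 1
            false_rejects += not accept
        else:
            impostor += 1
            false_accepts += accept
    correct = len(pairs) - false_accepts - false_rejects
    return {
        "accuracy": correct / len(pairs),
        "far": false_accepts / impostor if impostor else 0.0,
        "frr": false_rejects / genuine if genuine else 0.0,
    }


# Constructed validation pairs (identity-disjoint from the test pairs below).
VAL_PAIRS = [
    ([1, 0, 0, 0], [0.9, 0.1, 0, 0], True),
    ([0, 1, 0, 0], [0.2, 0.8, 0, 0], True),
    ([0, 0, 1, 0], [0.1, 0, 0.7, 0.1], True),
    ([1, 0, 0, 0], [0, 0, 1, 0], False),
    ([0, 1, 0, 0], [0.5, 0.5, 0.5, 0.5], False),
    ([1, 0, 0, 0], [0.6, 0.8, 0, 0], False),
]

# Constructed clean test pairs.
CLEAN_TEST = [
    ([1, 0, 0, 0], [0.95, 0.05, 0.05, 0], True),
    ([0, 1, 0, 0], [0.3, 0.7, 0, 0], True),
    ([0, 0, 1, 0], [0, 1, 0, 0], False),
    ([1, 0, 0, 0], [0.7, 0.7, 0, 0], False),
]

# Same pairs with only the FIRST embedding shifted (constructed, not an attack
# output): genuine pairs pushed apart, impostor pairs pulled together.
PERTURBED_TEST = [
    ([0.6, 0.8, 0, 0], [0.95, 0.05, 0.05, 0], True),   # now rejected
    ([0, 1, 0, 0], [0.3, 0.7, 0, 0], True),             # shift failed, still accepted
    ([0, 0.8, 0.6, 0], [0, 1, 0, 0], False),            # now accepted
    ([0.9, 0.1, 0.4, 0], [0.7, 0.7, 0, 0], False),      # shift failed, still rejected
]


def run():
    threshold, val_acc = select_threshold(VAL_PAIRS)
    return threshold, val_acc, evaluate(CLEAN_TEST, threshold), evaluate(PERTURBED_TEST, threshold)


if __name__ == "__main__":
    t, acc, clean, adv = run()
    print(f"threshold={t:.4f} (val acc {acc:.2f})")
    print("clean    :", clean)
    print("perturbed:", adv, "-> genuine attack success =", adv["frr"], ", impostor attack success =", adv["far"])
```

Selecting the threshold on validation pairs and reporting on disjoint test pairs is what keeps the clean baseline honest; the point of the perturbed evaluation is that the same threshold is fixed by the defender before the attacker acts, so a change in FAR is a change in the system's security margin, not a tuning artefact.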
The results show that the clean system performs well under normal conditions but is substantially affected by adversarial perturbations. PGD has a stronger impact than FGSM, and impostor-pair attacks are more successful than genuine-pair attacks, which is important for security-sensitive deployments because false acceptance can have serious consequences. The thesis also evaluates lightweight test-time preprocessing defenses, including JPEG recompression, Gaussian blur, median filtering, and bit-depth reduction. These defenses provide partial robustness improvements without retraining the model. JPEG recompression at quality 50 gives the best overall trade-off, while median filtering preserves clean accuracy slightly better. Overall, the findings show that clean verification accuracy alone is not sufficient for evaluating face verification systems intended for security-critical applications.
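The preprocessing defenses named above trade clean-image distortion against perturbation removal, and that trade-off can be measured directly. The following Python is an added example, not code from the thesis: it implements Gaussian blur, 3x3 median filtering and bit-depth reduction on a constructed 4x4 grayscale image (JPEG recompression needs a codec and is left out), adds a constructed ±3 checkerboard as a stand-in for a small bounded perturbation, and reports for each defense how much it alters the clean image and how much of the perturbation survives. One pixel of the image is deliberately placed just above a 16-level quantization edge so that bit-depth reduction shows the partial, not total, protection the thesis reports.

```python
"""Test-time preprocessing defenses measured on a tiny constructed image.

Added example, not the thesis's own code.  Images are lists of lists of
8-bit integers; filters use 3x3 windows with edge replication.
"""


def _clamp(i, n):
    return max(0, min(n - 1, i))


def _neighbourhood(img, i, j):
    """3x3 neighbourhood of (i, j) with edge replication, as a flat list."""
    h, w = len(img), len(img[0])
    return [img[_clamp(i + di, h)][_clamp(j + dj, w)]
            for di in (-1, 0, 1) for dj in (-1, 0, 1)]


def bit_depth_reduce(img, bits=4):
    """Keep only the `bits` most significant bits of every 8-bit pixel."""
    shift = 8 - bits
    return [[(p >> shift) << shift for p in row] for row in img]


def median_filter(img):
    """3x3 median: the 5th of the 9 sorted neighbourhood values."""
    return [[sorted(_neighbourhood(img, i, j))[4] for j in range(len(img[0]))]
            for i in range(len(img))]


GAUSS_3X3 = (1, 2, 1, 2, 4, 2, 1, 2, 1)   # separable [1,2,1] kernel, weights sum to 16


def gaussian_blur(img):
    """3x3 Gaussian blur with integer rounding to the nearest pixel value."""
    return [[(sum(w * p for w, p in zip(GAUSS_3X3, _neighbourhood(img, i, j))) + 8) // 16
             for j in range(len(img[0]))] for i in range(len(img))]


def mean_abs_diff(a, b):
    flat = [abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)]
    return sum(flat) / len(flat)


def add_noise(img, amplitude=3):
    """Constructed +/-amplitude checkerboard standing in for a small bounded
    perturbation; values are clipped to the 8-bit range."""
    return [[max(0, min(255, p + (amplitude if (i + j) % 2 == 0 else -amplitude)))
             for j, p in enumerate(row)] for i, row in enumerate(img)]


DEFENSES = {
    "none": lambda img: img,
    "bit_depth_4": bit_depth_reduce,
    "median_3x3": median_filter,
    "gaussian_3x3": gaussian_blur,
}


def defense_report(clean, noisy):
    """Per defense: distortion of the clean image (cost to clean accuracy)
    and residual difference between defended noisy and defended clean
    (how much perturbation gets through)."""
    report = {}
    for name, fn in DEFENSES.items():
        defended_clean, defended_noisy = fn(clean), fn(noisy)
        report[name] = {
            "clean_distortion": mean_abs_diff(defended_clean, clean),
            "residual": mean_abs_diff(defended_noisy, defended_clean),
        }
    return report


# Constructed 4x4 ramp; the 49 sits just above the 48 bin edge of 4-bit quantization,
# so a -3 perturbation pushes it into a different bin and survives the defense.
CLEAN = [
    [40, 44, 48, 52],
    [49, 48, 52, 56],
    [48, 52, 56, 60],
    [52, 56, 60, 64],
]

if __name__ == "__main__":
    for name, r in defense_report(CLEAN, add_noise(CLEAN)).items():
        print(f"{name:13s} clean_distortion={r['clean_distortion']:.3f} residual={r['residual']:.3f}")
```

Read the two columns together: a defense is only useful if its residual falls well below the raw perturbation while its clean distortion stays small enough that genuine pairs still clear the threshold. Bit-depth reduction removes most of the checkerboard but costs several gray levels per pixel on the clean image and still leaks the perturbation at the bin-edge pixel, which is the kind of partial protection the thesis describes; on a real pipeline the same comparison should be run on embeddings and verification decisions, not only on pixel differences.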