{"id":15975,"date":"2019-04-23T11:59:36","date_gmt":"2019-04-23T09:59:36","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=15975"},"modified":"2022-11-21T15:25:46","modified_gmt":"2022-11-21T14:25:46","slug":"machine-perception-face-recognition","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/","title":{"rendered":"Robustifying Machine Perception for Image Recognition Systems: Defense Against the Dark Arts"},"content":{"rendered":"<p>Despite the fact that machine perception systems achieve superhuman performance on different perceptual tasks, researchers have recently demonstrated that they are not infallible. Images with methodically crafted perturbations, also called <b>adversarial examples<\/b>, can deceive these systems and cause misclassification. <!--more--><\/p>\n<p>This is particularly problematic for <strong>face recognition systems (FRSs)<\/strong> because they are more and more dependent on deep learning and increasingly deployed in security-critical domains like access control, public camera surveillance (CCTV), unlock functions for mobile devices or automated security controls at airports.<\/p>\n<p>FRSs are particularly vulnerable to an <a href=\"https:\/\/www.cs.cmu.edu\/~sbhagava\/papers\/face-rec-ccs16.pdf\">adversarial attack proposed by Sharif et al.<\/a> [1] (here referred to as <strong>adversarial glasses attack<\/strong>) that is based on perturbed eyeglass frames which can be worn to mislead the system. 
Examples of these adversarial attacks are depicted below, where the top row shows the attackers wearing the eyeglass frames and the bottom row depicts the individuals the attackers are classified as:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15988 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/adv_glasses_attack.png\" alt=\"\" width=\"1213\" height=\"480\" \/><\/p>\n<p style=\"text-align: center;\">Taken from: [1]<\/p>\n<p>In this article we highlight, by means of adversarial examples in general and the mentioned glasses attack in particular, the importance of making FRSs robust against these undesirable threats.
Additionally, we apply, optimize and evaluate a <a href=\"http:\/\/openaccess.thecvf.com\/content_cvpr_2018_workshops\/papers\/w32\/Hayes_On_Visible_Adversarial_CVPR_2018_paper.pdf\">defense method based on the adversarial example&#8217;s saliency map<\/a> [2] to make a trained FRS robust to the adversarial glasses attack.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Introduction-to-the-Dark-Arts\"><\/span>Introduction to the Dark Arts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"https:\/\/arxiv.org\/pdf\/1312.6199.pdf\">Work by Szegedy et al.<\/a> [3] has shown that neural networks for image classification tasks can be deceived with artificially crafted prediction inputs, known as <b>adversarial examples<\/b>. Since this discovery, numerous approaches for generating adversarial examples have been proposed, aiming to lead machine perception into some sort of misclassification.
Most commonly, this goal is achieved by crafting subtle perturbations that are added to the image in order to shift the classification output towards the intentions of the attacker.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15989 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/adv_example.png\" alt=\"\" width=\"1194\" height=\"411\" \/><\/p>\n<p style=\"text-align: center;\">Taken from: [4]<\/p>\n<p>As visualized above, the adversarial perturbations are oftentimes imperceptibly small so that adversarial examples remain indistinguishable from the original images for humans. Consequently, without perceptible differences between these two, a human would label the adversarial example with the original class whereas the classifying neural network is likely to predict the class that was set by the attacker generating the example.<\/p>\n<p>The <strong>adversarial glasses attack<\/strong> [1] follows a different approach. Its adversarial perturbations are visible and bound to eyeglass frames, allowing for the generation of adversarially perturbed glasses that can be worn by the attacker in the physical world. This causes an FRS to classify them as a different person while staying relatively inconspicuous. The adversarial glasses attack is conducted in 3 steps:<\/p>\n<ol>\n<li>First, the glasses are rendered in any color on the attacker&#8217;s face. Similar to the creators of the attack, we initialize the frame of the glasses in yellow.<\/li>\n<li>Once this is done, the adversarial perturbations are generated within the area of the eyeglass frames. This is done by iteratively solving an optimization problem with <strong>gradient descent<\/strong>, so that the classification result is shifted gradually towards the target class.
In each iteration, the resulting gradients are added with small increments as color values to the pixels of the glasses, which gradually creates the multicolored patterns. The generation process is terminated as soon as a threshold value for the target class confidence is met.<\/li>\n<li>Finally, the attacker can print out the generated adversarial glasses in order to put them on and be recognized as a different person.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15987 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/impersonation_attack.png\" alt=\"\" width=\"1206\" height=\"385\" \/><\/p>\n<p>The 4th step is consequently the physical realization of the adversarial glasses attack. Evaluating physically realized attacks requires great care and accuracy throughout the process of printing out and recapturing the adversarial glasses. Otherwise the adversarial glasses lose expressiveness and would not survive this process. For instance, we were not able to provide light conditions for which the captured images of the printed eyeglasses do not have distorted color values compared to the digitally generated adversarial examples, leading to a high rate of failure for these attacks. For this reason, we evaluate defenses against the adversarial glasses attack solely in the digital domain.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Defense-Against-the-Dark-Arts\"><\/span>Defense Against the Dark Arts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Making machine perception systems robust against adversarial examples is a widely discussed task among researchers and has received just as much attention in the recent past as the adversarial attacks themselves.
It is therefore no coincidence that numerous methods have already been proposed to achieve this goal\u2014with more or less success. In general, the choice of the right defense strategy depends on the environment in which the attacker is expected to place his adversarial examples. Because FRSs typically operate in the physical world, the attacker does not have direct control over the adversarial example as it is fed to the classifier model. Rather, these systems fetch their input data from cameras or other sensors. In such a scenario the attacker is able to influence the classification result solely by changing the physical appearance of the predicted adversarial example. This can be done especially well by visible adversarial perturbations just like the adversarial glasses attack. This is why we wish to have a defense that makes FRSs robust not only to adversarial eyeglasses but also to other visible adversarial perturbations in the form of accessories that can be potentially worn as well.<\/p>\n<p>With that in mind, we choose a method that utilizes the <b>saliency map<\/b> of the adversarial example (subsequently referred to as <b>Saliency Mask Method<\/b>) [2]. A saliency map depicts the influence of the image\u2019s spatial areas on the classification result. An example is shown below, with darker regions of the saliency map representing areas with a higher impact on the classification result:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15983\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/saliency_map-300x146.png\" alt=\"\" width=\"500\" height=\"243\" \/><\/p>\n<p>As visible adversarial perturbations usually induce a dense cluster of high neuron activity, the saliency map can be transformed into a mask that covers the unnaturally dense regions and can be used as a stencil to remove them.
Since detecting these regions is theoretically possible for arbitrary shapes and at any position, the saliency mask method potentially generalizes to other imaginable adversarial accessories as well. The crucial challenge is how to detect the regions with visible adversarial perturbations. To tackle this problem, the saliency mask method generates a saliency mask for each adversarial example. This procedure is depicted and described below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15982 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/saliency_mask_method.png\" alt=\"\" width=\"1218\" height=\"261\" \/><\/p>\n<ol>\n<li>Generate the saliency map with the <a href=\"https:\/\/arxiv.org\/pdf\/1412.6806.pdf\">Guided Backpropagation<\/a> algorithm [5]. For a given classifier model, the algorithm considers the forward pass, which is the model&#8217;s information flow from an input image to an output vector, and the backward pass, denoting the backpropagation of the output layer\u2019s gradients with respect to the input image. For each ReLU activation unit of the classifier model it is checked if the forward pass or the backward pass through that unit is negative. If that is the case, the influence signal is set to zero. In this way only the positive activations\u2014which are the ones that influence the given classification output\u2014are taken into account while backpropagating the influence signal for generating the saliency map.<\/li>\n<li>A first version of the saliency mask is created by masking values of the generated saliency map that exceed a fixed <b>pixel threshold \u03bc<\/b>. This intends to mask only parts of the image which have a particularly high impact on the prediction outcome (i.e. high entries in the saliency map).<\/li>\n<li><strong>Dilation followed by erosion is applied for n iterations<\/strong> to fill small holes in the masked region.
Dilation enlarges the masked contours by a small structuring element whereas erosion enlarges the non-masked contour (i.e. it erodes the masked contours). When used together, erosion and dilation close small \u201choles\u201d in the masked regions so that contiguous contours are formed. The number of iterations n determines the intensity of this procedure.<\/li>\n<li>All contiguous contour areas are identified and zeroed out if their size doesn&#8217;t reach a certain <b>contour size threshold \u03c6<\/b>. It can be seen in step 2 that many pixels are masked which are part of the actual image as well and don\u2019t belong to the adversarial glasses. The contour size threshold helps to sort these contours out because the detected adversarial regions are usually bigger than contours that cover clean regions, thanks to step 3.<\/li>\n<li>Finally, the mask is applied to the adversarial examples to remove the adversarial perturbations.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"Lets-move-on-to-the-action\"><\/span>Let&#8217;s move on to the action<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Preparations\"><\/span>Preparations<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To evaluate the adversarial glasses attack, a dataset of labeled faces is needed. To that end, we use the <a href=\"http:\/\/www.cs.columbia.edu\/CAVE\/databases\/pubfig\/download\/\">PubFig development set<\/a>, which contains various images of 60 different celebrities that are cropped to the area of the faces. Out of these, we selected 30 individuals to form a small dataset for training and evaluation.<\/p>\n<p>For the choice of the FRS architecture, we mostly kept to the paper that introduced the adversarial glasses.
It is basically a <b>VGG16<\/b> convolutional neural network, as shown below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15981 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16.png\" alt=\"\" width=\"1166\" height=\"658\" srcset=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16.png 1166w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16-300x169.png 300w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16-1024x578.png 1024w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16-768x433.png 768w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16-400x226.png 400w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16-720x406.png 720w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/vgg16-360x203.png 360w\" sizes=\"auto, (max-width: 1166px) 100vw, 1166px\" \/><\/p>\n<p style=\"text-align: center;\">Taken from:\u00a0<a href=\"https:\/\/neurohive.io\/en\/popular-networks\/vgg16\/\">https:\/\/neurohive.io\/en\/popular-networks\/vgg16\/<\/a><\/p>\n<p>As our dataset is relatively small (~2300 images) we use <a href=\"https:\/\/towardsdatascience.com\/a-comprehensive-hands-on-guide-to-transfer-learning-with-real-world-applications-in-deep-learning-212bf3b2f27a\">transfer learning<\/a> to adequately train the neural network. For this purpose, the 13 convolutional layers are copied from a VGG16 net that had been pre-trained on a similar task. In particular, the layers were trained on the <a href=\"http:\/\/www.robots.ox.ac.uk\/~vgg\/data\/vgg_face\/\">vggface dataset<\/a> and frozen during our training so that the weights stayed unchanged. We only trained the subsequent fully connected layers on our new task. Consequently, the dependency on large amounts of data for training the neural network was significantly reduced. 
Finally, we trained the model for 45 epochs with an 80\/20 train-validation split, which resulted in a training accuracy of 98.9% and a validation accuracy of 98.1%.<\/p>\n<p>Besides training the FRS, an important preparation for the final evaluation is to analyze how the saliency mask method can be optimized. It reveals three interesting parameters that can be adjusted to tune the defensive performance:<\/p>\n<ul>\n<li>Pixel threshold<b> \u03bc<\/b><\/li>\n<li>Number of iterations <b>n<\/b> for dilation + erosion<\/li>\n<li>Contour size threshold<b> \u03c6<\/b><\/li>\n<\/ul>\n<p>To find optimal values, we perform a grid search on appropriate value ranges for all three parameters. This way we found that the hyper-parameter values proposed by the original paper of the saliency mask method were not optimal for the purpose of this work. The actual intention of the grid search is to find the best setup for maximizing a metric that grades the defensive performance. For this purpose, we define a <b>goodness score<\/b>, which is a metric that measures the level of achieving the desired defensive behaviour. We define it to incentivize the following objectives:<\/p>\n<ol>\n<li>Retain high accuracy on clean examples<\/li>\n<li>Achieve high accuracy on adversarial images<\/li>\n<li>Achieve a low adversarial success rate<\/li>\n<\/ol>\n<p>To get a balanced ratio between these objectives, we define the goodness score as:<\/p>\n<p style=\"text-align: center;\">\\(\\text{goodness score} = \\frac{1}{3} \\left( AC(\\text{clean}, r) + AC(\\text{adv}, r) + \\bigl(1 - AC(\\text{adv}, t)\\bigr) \\right)\\)<\/p>\n<p>\\(AC(X, Y)\\) represents the average confidence at which the FRS predicts a set of images \\(X\\) (clean \/ adversarial) as a set of classes \\(Y\\) (\\(r\\) = real \/ \\(t\\) = target).
Due to the definition, the goodness score ranges between 0 and 1, where low values indicate a poor and high values indicate a good defensive performance.<\/p>\n<p>Finally, the goodness score is monitored for all possible hyper-parameter combinations and the combination that triggers the highest goodness score is applied to perform an evaluation of the saliency mask method on the adversarial glasses attack.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Results\"><\/span>Results<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The table below shows the hyper-parameter combinations that produced the highest values for each defense objective and the goodness score after the saliency mask method is applied. The parameter combination \u03bc=0.98, n=8 and \u03c6=80 resulted in the highest measured score of 0.7768.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15985 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/result_table1.png\" alt=\"\" width=\"1212\" height=\"282\" \/><\/p>\n<p>Let us now take a closer look at the results that can be achieved by this parameter combination. Firstly, it is interesting to see what adversarial examples that were processed by the saliency mask method look like. For the found parameters, the plot below shows samples for which the defense method worked out as intended:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15986 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/result_examples.png\" alt=\"\" width=\"1203\" height=\"553\" \/><\/p>\n<p>It is apparent that only a small part of the adversarial glasses has been actually masked. We will discuss this in the following section in more detail.
Beforehand, let&#8217;s examine important performance measures for the Saliency Mask Method with the given parameter values:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15984 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/03\/result_table2.png\" alt=\"\" width=\"1205\" height=\"271\" \/><\/p>\n<p>It shows that its usage effects a significant drop of the adversarial success rate from 85.0% to <strong>21.7%<\/strong> while increasing the percentage of correctly classified adversarial images from 13.3% to <strong>60.0%<\/strong> and maintaining a relatively high accuracy on clean images of <strong>93.3%<\/strong> (before 98.2%). When accepting a classification only if the confidence is above a threshold <em>arbitrarily<\/em> set to 0.8, the adversarial success rate can be further reduced to <b>16.6%<\/b> with unchanged accuracy on clean images, though this comes with a decrease of 6.7% in the accuracy on adversarial examples as well. Adjusting the threshold to potentially achieve even better results is surely worth consideration but this step is out of the scope of this article. Finally, the defense success rate, which is the percentage of adversarial examples predicted as target class before and as real class after the defense is applied, is <strong>56.7%<\/strong> without and 54.9% with a threshold applied.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In the context of adversarial examples, the reliability of machine perception is nothing that should be taken for granted.
Carefully crafted attacks like the adversarial glasses attack are a real threat to the safety of FRSs as they allow for deceiving artificial neural networks in a practical and realizable manner.<\/p>\n<p>Defending against adversarial examples is a broadly discussed task which has no trivial and universal solution, especially if the attacker knows which strategy is used to defend against his adversarial examples. Whereas many defense approaches have been proposed to defend against adversarial examples in general, so far there has been little work on the defense against adversarial examples designed to fool FRSs, just like the adversarial glasses attack. To shed light on the dark, we applied the saliency mask method and demonstrated that it is suitable for making an FRS robust against the adversarial glasses attack. Its presence caused a significantly increased accuracy on adversarial examples while maintaining a relatively high accuracy on natural images.<\/p>\n<p>The fact that the saliency mask method works on the basis of saliency maps makes it seem to be effective against all imaginable kinds of adversarial accessories. However, the adversarial glasses attack proves that optimizing the method\u2019s parameters is crucial for achieving reasonable results. The optimal parameters tend to be dependent on the adversarial attack that is to be defended against, which is ultimately a slight drawback for the generalizability of the saliency mask method.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"References\"><\/span>References<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul style=\"list-style-type: square;\">\n<li>[1] M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, \u201cAccessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition\u201c, 2016<\/li>\n<li>[2] J. Hayes, \u201cOn Visible Adversarial Perturbations &amp; Digital Watermarking\u201c, 2018<\/li>\n<li>[3] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R.
Fergus, \u201cIntriguing properties of neural networks\u201c, 2013<\/li>\n<li>[4] I. J. Goodfellow, J. Shlens, and C. Szegedy, \u201cExplaining and Harnessing Adversarial Examples\u201c, 2014<\/li>\n<li>[5] J. T. Springenberg, A. Dosovitskiy, T. Brox, and M. Riedmiller, \u201cStriving for Simplicity: The All Convolutional Net\u201c, 2014<\/li>\n<li>[6] D. Karmon, D. Zoran, and Y. Goldberg, \u201cLaVAN: Localized and Visible Adversarial Noise\u201c, 2018<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Despite the fact that machine perception systems achieve superhuman performance on different perceptual tasks, researchers have recently demonstrated that they are not infallible. Images with methodically crafted perturbations, also called adversarial examples, can deceive these systems and cause misclassification.<\/p>\n","protected":false},"author":111,"featured_media":16764,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[509],"service":[76],"coauthors":[{"id":111,"display_name":"Hendrik Pauthner","user_nicename":"hpauthner"}],"class_list":["post-15975","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-ai-2","service-artificial-intelligence"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Robustifying Machine Perception for Face Recognition Systems<\/title>\n<meta name=\"description\" content=\"Despite their outstanding performance on various tasks, machine perception systems are not infallible. 
We highlight this problem by means of particular adversarial glasses that manage to force face recognition systems to make mistakes und we show how to achieve robustness against such attacks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Robustifying Machine Perception for Face Recognition Systems\" \/>\n<meta property=\"og:description\" content=\"Despite their outstanding performance on various tasks, machine perception systems are not infallible. We highlight this problem by means of particular adversarial glasses that manage to force face recognition systems to make mistakes und we show how to achieve robustness against such attacks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/\" \/>\n<meta property=\"og:site_name\" content=\"inovex GmbH\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inovexde\" \/>\n<meta property=\"article:published_time\" content=\"2019-04-23T09:59:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-21T14:25:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Hendrik Pauthner\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" 
content=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs-1024x576.png\" \/>\n<meta name=\"twitter:creator\" content=\"@inovexgmbh\" \/>\n<meta name=\"twitter:site\" content=\"@inovexgmbh\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Hendrik Pauthner\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"12\u00a0Minuten\" \/>\n\t<meta name=\"twitter:label3\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data3\" content=\"Hendrik Pauthner\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/\"},\"author\":{\"name\":\"Hendrik Pauthner\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/person\\\/bda691532639bbb06f096196759a77f6\"},\"headline\":\"Robustifying Machine Perception for Image Recognition Systems: Defense Against the Dark Arts\",\"datePublished\":\"2019-04-23T09:59:36+00:00\",\"dateModified\":\"2022-11-21T14:25:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/\"},\"wordCount\":2459,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2019\\\/04\\\/machine-perception-traffic-signs.png\",\"keywords\":[\"Ai\"],\"articleSection\":[\"English 
Content\",\"General\"],\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/\",\"name\":\"Robustifying Machine Perception for Face Recognition Systems\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2019\\\/04\\\/machine-perception-traffic-signs.png\",\"datePublished\":\"2019-04-23T09:59:36+00:00\",\"dateModified\":\"2022-11-21T14:25:46+00:00\",\"description\":\"Despite their outstanding performance on various tasks, machine perception systems are not infallible. 
We highlight this problem by means of particular adversarial glasses that manage to force face recognition systems to make mistakes und we show how to achieve robustness against such attacks.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2019\\\/04\\\/machine-perception-traffic-signs.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2019\\\/04\\\/machine-perception-traffic-signs.png\",\"width\":1920,\"height\":1080,\"caption\":\"Verkehrsschild, welches eine zul\u00e4ssige H\u00f6chstgeschwindigkeit von 120 Km\\\/h angibt.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/machine-perception-face-recognition\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Robustifying Machine Perception for Image Recognition Systems: Defense Against the Dark Arts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\",\"name\":\"inovex 
GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\",\"name\":\"inovex GmbH\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/inovex-logo-16-9-1.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/inovex-logo-16-9-1.png\",\"width\":1921,\"height\":1081,\"caption\":\"inovex GmbH\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/inovexde\",\"https:\\\/\\\/x.com\\\/inovexgmbh\",\"https:\\\/\\\/www.instagram.com\\\/inovexlife\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/inovex\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC7r66GT14hROB_RQsQBAQUQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/person\\\/bda691532639bbb06f096196759a77f6\",\"name\":\"Hendrik 
Pauthner\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b829beaa1d97b2cf83d46b831e10b724d2928377ff7022b5556e384019613ce4?s=96&d=retro&r=ga1b5a7b2721294efb908e49fe6c1b123\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b829beaa1d97b2cf83d46b831e10b724d2928377ff7022b5556e384019613ce4?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b829beaa1d97b2cf83d46b831e10b724d2928377ff7022b5556e384019613ce4?s=96&d=retro&r=g\",\"caption\":\"Hendrik Pauthner\"},\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/author\\\/hpauthner\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Robustifying Machine Perception for Face Recognition Systems","description":"Despite their outstanding performance on various tasks, machine perception systems are not infallible. We highlight this problem by means of particular adversarial glasses that manage to force face recognition systems to make mistakes und we show how to achieve robustness against such attacks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/","og_locale":"de_DE","og_type":"article","og_title":"Robustifying Machine Perception for Face Recognition Systems","og_description":"Despite their outstanding performance on various tasks, machine perception systems are not infallible. 
We highlight this problem by means of particular adversarial glasses that manage to force face recognition systems to make mistakes and we show how to achieve robustness against such attacks.","og_url":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/","og_site_name":"inovex GmbH","article_publisher":"https:\/\/www.facebook.com\/inovexde","article_published_time":"2019-04-23T09:59:36+00:00","article_modified_time":"2022-11-21T14:25:46+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs.png","type":"image\/png"}],"author":"Hendrik Pauthner","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs-1024x576.png","twitter_creator":"@inovexgmbh","twitter_site":"@inovexgmbh","twitter_misc":{"Verfasst von":"Hendrik Pauthner","Gesch\u00e4tzte Lesezeit":"12\u00a0Minuten","Written by":"Hendrik Pauthner"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#article","isPartOf":{"@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/"},"author":{"name":"Hendrik Pauthner","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/person\/bda691532639bbb06f096196759a77f6"},"headline":"Robustifying Machine Perception for Image Recognition Systems: Defense Against the Dark 
Arts","datePublished":"2019-04-23T09:59:36+00:00","dateModified":"2022-11-21T14:25:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/"},"wordCount":2459,"commentCount":0,"publisher":{"@id":"https:\/\/www.inovex.de\/de\/#organization"},"image":{"@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs.png","keywords":["Ai"],"articleSection":["English Content","General"],"inLanguage":"de","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/","url":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/","name":"Robustifying Machine Perception for Face Recognition Systems","isPartOf":{"@id":"https:\/\/www.inovex.de\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#primaryimage"},"image":{"@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs.png","datePublished":"2019-04-23T09:59:36+00:00","dateModified":"2022-11-21T14:25:46+00:00","description":"Despite their outstanding performance on various tasks, machine perception systems are not infallible. 
We highlight this problem by means of particular adversarial glasses that manage to force face recognition systems to make mistakes and we show how to achieve robustness against such attacks.","breadcrumb":{"@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/"]}]},{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#primaryimage","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/04\/machine-perception-traffic-signs.png","width":1920,"height":1080,"caption":"Verkehrsschild, welches eine zul\u00e4ssige H\u00f6chstgeschwindigkeit von 120 Km\/h angibt."},{"@type":"BreadcrumbList","@id":"https:\/\/www.inovex.de\/de\/blog\/machine-perception-face-recognition\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inovex.de\/de\/"},{"@type":"ListItem","position":2,"name":"Robustifying Machine Perception for Image Recognition Systems: Defense Against the Dark Arts"}]},{"@type":"WebSite","@id":"https:\/\/www.inovex.de\/de\/#website","url":"https:\/\/www.inovex.de\/de\/","name":"inovex GmbH","description":"","publisher":{"@id":"https:\/\/www.inovex.de\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inovex.de\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.inovex.de\/de\/#organization","name":"inovex 
GmbH","url":"https:\/\/www.inovex.de\/de\/","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/logo\/image\/","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/03\/inovex-logo-16-9-1.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/03\/inovex-logo-16-9-1.png","width":1921,"height":1081,"caption":"inovex GmbH"},"image":{"@id":"https:\/\/www.inovex.de\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inovexde","https:\/\/x.com\/inovexgmbh","https:\/\/www.instagram.com\/inovexlife\/","https:\/\/www.linkedin.com\/company\/inovex","https:\/\/www.youtube.com\/channel\/UC7r66GT14hROB_RQsQBAQUQ"]},{"@type":"Person","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/person\/bda691532639bbb06f096196759a77f6","name":"Hendrik Pauthner","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/secure.gravatar.com\/avatar\/b829beaa1d97b2cf83d46b831e10b724d2928377ff7022b5556e384019613ce4?s=96&d=retro&r=ga1b5a7b2721294efb908e49fe6c1b123","url":"https:\/\/secure.gravatar.com\/avatar\/b829beaa1d97b2cf83d46b831e10b724d2928377ff7022b5556e384019613ce4?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b829beaa1d97b2cf83d46b831e10b724d2928377ff7022b5556e384019613ce4?s=96&d=retro&r=g","caption":"Hendrik 
Pauthner"},"url":"https:\/\/www.inovex.de\/de\/blog\/author\/hpauthner\/"}]}},"_links":{"self":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/15975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/users\/111"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/comments?post=15975"}],"version-history":[{"count":1,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/15975\/revisions"}],"predecessor-version":[{"id":39464,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/15975\/revisions\/39464"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media\/16764"}],"wp:attachment":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media?parent=15975"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/tags?post=15975"},{"taxonomy":"service","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/service?post=15975"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/coauthors?post=15975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}