Metamorphic filtering of black-box adversarial attacks on multi-network face recognition models

ABSTRACTAdversarial examples pose a serious threat to the robustness of machine learning models in general and of deep learning models in particular. These carefully designed perturbations of input images can cause targeted misclassifications to a label of the attacker's choice, without being detectable to the naked eye. A particular class of adversarial attacks called black box attacks can be used to fool a target model despite not having access to the model parameters or to the input data used to train the model. In this paper, we first build a black box attack against robust multi-model face recognition pipelines and then test it against Google's FaceNet. We then present a novel metamorphic defense pipeline relying on nonlinear image transformations to detect adversarial attacks with a high degree of accuracy. We further use the results to create probabilistic metamorphic relations that define efficient decision boundaries between the safe and adversarial examples; achieving adversarial classification accuracy of up to 96%.