Nowadays, digital facial content manipulation has become ubiquitous and realistic with the unprecedented success of generative adversarial networks (GANs) in image synthesis. Unfortunately, face recognition (FR) systems suffer from severe security concerns due to facial image manipulations. In this paper, we investigate and introduce a new type of adversarial attack to evade FR systems by manipulating facial content, called adversarial morphing attack (a.k.a. Amora). In contrast to adversarial noise attack that perturbs pixel intensity values by adding human-imperceptible noise, our proposed adversarial morphing attack is a semantic attack that perturbs pixels spatially in a coherent manner. To tackle the black-box attack problem, we have devised a simple yet effective joint dictionary learning pipeline to obtain a proprietary optical flow field for each attack. We have quantitatively and qualitatively demonstrated the effectiveness of our adversarial morphing attack at various levels of morphing intensity on two popular FR systems with smiling facial expression manipulations. Both open-set and closed-set experimental results indicate that a novel black-box adversarial attack based on local deformation is possible, which is vastly different from additive noise based attacks. The findings of this work may pave a new research direction towards a more thorough understanding and investigation of image-based adversarial attacks and defenses.
View on arXiv