Design and Interpretation of Universal Adversarial Patches in Face Detection

Unlike previous work that mostly focused on the algorithmic design of adversarial examples in terms of improving the success rate as an attacker, in this work we show an interpretation of such patches that can prevent the state-of-the-art face detectors from detecting the real faces. W e investigate a phenomenon: patches designed to suppress real face detection appear face-like. This phenomenon holds generally across different initialization, locations, scales of patches, backbones, and state-of-the-art face detection frameworks. W e propose new optimization-based approaches to automatic design of universal adversarial patches for varying goals of the attack, including scenarios in which true positives are suppressed without introducing false positives. Our proposed algorithms perform well on real-world datasets, deceiving state-of-the-art face detectors in terms of multiple precision/recall metrics and transferring between different detection frameworks. 1. Introduction Adversarial examples are a central object of study in computer vision [33], machine learning [39, 23], security [26], and other domains [13]. In computer vision and machine learning, study of adversarial examples serves as evidences of substantial discrepancy between human vision system and machine perception mechanism [30, 25, 2, 9]. In security, adversarial examples have raised major concerns on the vulnerability of machine learning systems to malicious attacks. The problem can be stated as modifying an image, subject to some constraints, so that learning system's response is drastically altered, e.g., changing the classifier or detector output from correct to incorrect. The constraints either come in the human-imperceptible form Equal contribution.