Abstract: Adversarial perturbations are among the most notable threats to the safe and trustworthy deployment of deep learning. For security-critical applications such as face recognition (FR), a provably robust defense against adversarial perturbations is especially important. Certifiable robustness aims to defend against adversarial perturbations in a provable manner, and several studies have pursued it in various domains. However, most existing work on certifiable robustness concerns classifiers, and adapting those techniques to FR is non-trivial. In this study, we show that, as in image classification, the 1-Lipschitz condition is sufficient for certifiable robustness of a face recognition system against any ℓp norm adversary for p ∈ N∪{∞}. In addition, we investigate the trade-off between accuracy drop and certifiable robustness in 1-Lipschitz FR models, and propose several techniques to reconcile this trade-off. We conduct extensive theoretical and experimental analyses of our findings. Notably, on the LFW benchmark against ℓ2 norm adversaries, our techniques improve standard accuracy by 6.98% and certifiably robust accuracy by up to 13.35% over the accuracies obtained without them. To facilitate further study, we publicly release our source code at https://github.com/Cryptology-Algorithm-Lab/CertRobFR.
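The abstract's central claim, that a 1-Lipschitz feature extractor is enough to certify a face-recognition decision, can be seen in a few dozen lines. The example below is added here as an illustration and is not the paper's code: it builds a toy embedder from pieces that never expand ℓ2 distances (pairwise Givens rotations and GroupSort with group size 2), assumes a verification rule "match iff ||f(probe) − f(gallery)||₂ ≤ τ" with a hypothetical threshold τ, considers only ℓ2 adversaries that perturb the probe image, and uses constructed vectors in place of real face images. Under those assumptions the certified radius is simply |τ − d|, because the embedding cannot move farther than the input did.

```python
import math
import random

# Added illustration (not the paper's code): a toy 1-Lipschitz embedder f and the
# certificate it yields for an l2-threshold verification decision.


def l2(v):
    return math.sqrt(sum(c * c for c in v))


def givens_layer(v, angles, offset):
    """Rotate coordinate pairs (i, i+1) starting at `offset`. Each rotation is an
    isometry, so the whole layer preserves l2 distances (hence is 1-Lipschitz)."""
    out = list(v)
    for k, theta in enumerate(angles):
        i = offset + 2 * k
        if i + 1 >= len(v):
            break
        c, s = math.cos(theta), math.sin(theta)
        a, b = out[i], out[i + 1]
        out[i], out[i + 1] = c * a - s * b, s * a + c * b
    return out


def groupsort2(v):
    """GroupSort with group size 2: sorting each pair is 1-Lipschitz in every lp
    norm, so it can replace ReLU without breaking the Lipschitz bound."""
    out = list(v)
    for i in range(0, len(v) - 1, 2):
        a, b = out[i], out[i + 1]
        out[i], out[i + 1] = min(a, b), max(a, b)
    return out


def make_embedder(dim, depth, seed=0):
    """Compose `depth` (rotation, GroupSort) blocks; a composition of 1-Lipschitz
    maps is 1-Lipschitz, so ||f(x) - f(y)||_2 <= ||x - y||_2 for all x, y."""
    rng = random.Random(seed)
    layers = [[rng.uniform(-math.pi, math.pi) for _ in range(dim // 2)]
              for _ in range(depth)]

    def f(x):
        h = list(x)
        for d, angles in enumerate(layers):
            h = givens_layer(h, angles, offset=d % 2)  # alternate pairings to mix coordinates
            h = groupsort2(h)
        return h

    return f


def certified_radius(f, probe, gallery, tau):
    """Verification rule (assumed): match iff d = ||f(probe) - f(gallery)||_2 <= tau.
    Since f is 1-Lipschitz, perturbing the probe by delta moves d by at most
    ||delta||_2, so no l2 perturbation smaller than |tau - d| flips the decision."""
    d = l2([a - b for a, b in zip(f(probe), f(gallery))])
    return d <= tau, abs(tau - d)


def random_perturbation(dim, norm, rng):
    v = [rng.gauss(0, 1) for _ in range(dim)]
    s = norm / l2(v)
    return [c * s for c in v]


def check_certificate(f, probe, gallery, tau, trials=200, seed=1):
    """Empirical sanity check of the certificate: every random perturbation strictly
    inside the certified radius keeps the decision, and the embedding never moves
    farther than the input did (the Lipschitz bound itself)."""
    rng = random.Random(seed)
    decision, r = certified_radius(f, probe, gallery, tau)
    emb = f(probe)
    for _ in range(trials):
        delta = random_perturbation(len(probe), 0.999 * r, rng)
        xp = [a + b for a, b in zip(probe, delta)]
        if l2([a - b for a, b in zip(f(xp), emb)]) > l2(delta) + 1e-9:
            return False
        if certified_radius(f, xp, gallery, tau)[0] != decision:
            return False
    return True


if __name__ == "__main__":
    dim = 8
    f = make_embedder(dim, depth=4)
    # Constructed stand-ins for face inputs: a gallery vector, a same-identity
    # probe with a small offset, and an unrelated impostor vector.
    gallery = [0.5, -1.2, 0.3, 0.8, -0.4, 1.1, -0.9, 0.2]
    probe = [g + 0.1 for g in gallery]
    impostor = [-g for g in gallery]
    tau = 0.7  # hypothetical decision threshold
    print("genuine pair  (match?, certified l2 radius):", certified_radius(f, probe, gallery, tau))
    print("impostor pair (match?, certified l2 radius):", certified_radius(f, impostor, gallery, tau))
    print("certificate holds under random probing:", check_certificate(f, probe, gallery, tau))
```

The radius is a guarantee only against perturbations of the probe; if both images of a pair can be attacked, the same argument gives half the radius to each side. Real embedders typically end with ℓ2 normalization and a cosine threshold, and that normalization step is not 1-Lipschitz near the origin, which is one reason adapting classifier-style certificates to FR is non-trivial; the abstract's claim for general ℓp adversaries likewise presumes the Lipschitz bound is taken with respect to the attacker's norm.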
External IDs: doi:10.1109/tbiom.2025.3644396