Am I a Real or Fake Celebrity? Measuring Commercial Face Recognition Web APIs under Deepfake Impersonation Attack

Authors: Shahroz Tariq, Sowon Jeon, Simon S. Woo

Published: 2021-03-01 08:40:10+00:00

AI Summary

This research evaluates the robustness of commercial face recognition APIs against deepfake impersonation attacks. The authors demonstrate significant vulnerabilities, achieving high attack success rates, and propose defense strategies to mitigate these risks.

Abstract

Recently, significant advancements have been made in face recognition technologies using Deep Neural Networks. As a result, companies such as Microsoft, Amazon, and Naver offer highly accurate commercial face recognition web services for diverse applications to meet end-user needs. Naturally, however, such technologies are threatened persistently, as virtually any individual can quickly implement impersonation attacks. In particular, these attacks can be a significant threat to authentication and identification services, which heavily rely on the accuracy and robustness of their underlying face recognition technologies. Despite its gravity, the issue of deepfake abuse against commercial web APIs and their robustness has not yet been thoroughly investigated. This work provides a measurement study on the robustness of black-box commercial face recognition APIs against Deepfake Impersonation (DI) attacks, using celebrity recognition APIs as an example case study. We use five deepfake datasets, two of which are created by us and planned to be released. More specifically, we measure attack performance based on two scenarios (targeted and non-targeted) and further analyze the differing system behaviors using fidelity, confidence, and similarity metrics. Accordingly, we demonstrate how vulnerable face recognition technologies from popular companies are to DI attacks, achieving maximum success rates of 78.0% and 99.9% for targeted (i.e., precise match) and non-targeted (i.e., match with any celebrity) attacks, respectively. Moreover, we propose practical defense strategies to mitigate DI attacks, reducing the attack success rates to as low as 0% and 0.02% for targeted and non-targeted attacks, respectively.
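The abstract distinguishes two measurement scenarios: a targeted attack succeeds only when the API returns exactly the impersonated celebrity, while a non-targeted attack succeeds when any celebrity is returned. The following evaluation harness, added here as an example and not code from the paper or from any of the measured APIs, makes that distinction concrete. The API responses are constructed, and the `min_confidence` gate is an assumed, illustrative defense (dropping low-confidence matches), not the defense strategies the paper proposes.

```python
"""Constructed evaluation harness for targeted vs. non-targeted DI attack success rates.
Added example; the API responses below are constructed and the confidence gate is an
assumed defense, not the paper's own method."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Query:
    """One deepfake image submitted to a celebrity-recognition API."""
    target: str                 # celebrity the deepfake impersonates (ground truth)
    recognized: Optional[str]   # name returned by the API, or None if no celebrity matched
    confidence: float           # API confidence in [0, 1] for the returned name


@dataclass(frozen=True)
class Rates:
    targeted: float       # fraction of queries where recognized == target
    non_targeted: float   # fraction of queries where any celebrity was returned


def success_rates(queries: Sequence[Query], min_confidence: float = 0.0) -> Rates:
    """Compute DI attack success rates over a batch of API responses.

    Targeted success:     the API returns exactly the impersonated celebrity.
    Non-targeted success: the API returns any celebrity at all.
    Responses below `min_confidence` are treated as "no match" (assumed gate).
    """
    if not queries:
        raise ValueError("no queries to evaluate")
    targeted = non_targeted = 0
    for q in queries:
        accepted = q.recognized is not None and q.confidence >= min_confidence
        name = q.recognized if accepted else None
        if name is not None:
            non_targeted += 1          # matched *some* celebrity
            if name == q.target:
                targeted += 1          # matched the intended celebrity
    n = len(queries)
    return Rates(targeted / n, non_targeted / n)


# Constructed responses: 10 deepfake queries against a fictional API.
SAMPLE = [
    Query("Celeb A", "Celeb A", 0.91),
    Query("Celeb A", "Celeb A", 0.62),
    Query("Celeb A", "Celeb C", 0.55),   # wrong celebrity: non-targeted hit only
    Query("Celeb B", "Celeb B", 0.88),
    Query("Celeb B", None, 0.0),         # no celebrity returned: neither scenario succeeds
    Query("Celeb B", "Celeb D", 0.71),
    Query("Celeb C", "Celeb C", 0.80),
    Query("Celeb C", "Celeb C", 0.40),
    Query("Celeb D", "Celeb A", 0.66),
    Query("Celeb D", "Celeb D", 0.95),
]

if __name__ == "__main__":
    raw = success_rates(SAMPLE)
    gated = success_rates(SAMPLE, min_confidence=0.75)
    print(f"no gate:      targeted={raw.targeted:.2f}  non-targeted={raw.non_targeted:.2f}")
    print(f"gate >= 0.75: targeted={gated.targeted:.2f}  non-targeted={gated.non_targeted:.2f}")
```

On the constructed batch the non-targeted rate (0.90) is far above the targeted rate (0.60), mirroring the asymmetry the abstract reports, and the assumed confidence gate lowers both (to 0.40 each) at the cost of also discarding genuine low-confidence matches, which is the trade-off any threshold-based defense has to be evaluated against.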


Key findings

Commercial face recognition APIs are highly vulnerable to deepfake impersonation attacks, with success rates reaching 78% for targeted and 99.9% for non-targeted attacks. Proposed defense mechanisms significantly reduce attack success rates, but further research is needed for a robust and generic defense.

Approach

The study uses five deepfake datasets (two novel ones created by the authors) to conduct targeted and non-targeted impersonation attacks on commercial APIs from Microsoft, Amazon, and Naver. Attack success is measured using fidelity, confidence, and similarity metrics, and defense strategies are proposed and evaluated.

Datasets

Celebrity Deepfake (CelebDF), Female Celebrity Deepfake (FCelebDF), VoxCeleb Talking Head (VoxCelebTH), Celebrity First Order Motion (CelebFOM), Celebrity Blend (CelebBlend)

Model(s)

UNKNOWN (the paper focuses on the APIs, not the models within the APIs)

Author countries

South Korea