attack 2025

Investigating Adversarial Robustness against Preprocessing used in Blackbox Face Recognition

Roland Croft , Brian Du , Darcy Joseph , Sharath Kumar

0 citations · 45 references · International Conference on Di...

Published on arXiv: 2510.17169

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Face detection model choice alone degrades adversarial attack success rates by up to 78%, and the proposed preprocessing-invariant augmentation recovers up to 27% transferability across blackbox FR systems.

Preprocessing-Invariant Input Transformation

Novel technique introduced


Face Recognition (FR) models have been shown to be vulnerable to adversarial examples that subtly alter benign facial images, exposing blind spots in these systems, as well as protecting user privacy. End-to-end FR systems first obtain preprocessed faces from diverse facial imagery prior to computing the similarity of the deep feature embeddings. Whilst face preprocessing is a critical component of FR systems, and hence of adversarial attacks against them, we observe that this preprocessing is often overlooked in blackbox settings. Our study seeks to investigate the transferability of several out-of-the-box state-of-the-art adversarial attacks against FR when applied against different preprocessing techniques used in a blackbox setting. We observe that the choice of face detection model can degrade the attack success rate by up to 78%, whereas the choice of interpolation method during downsampling has relatively minimal impact. Furthermore, we find that the requirement for facial preprocessing even degrades attack strength in a whitebox setting, due to the unintended interaction of the produced noise vectors with face detection models. Based on these findings, we propose a preprocessing-invariant method using input transformations that improves the transferability of the studied attacks by up to 27%. Our findings highlight the importance of preprocessing in FR systems, and the need for its consideration towards improving the adversarial generalisation of facial adversarial examples.


Key Contributions

  • Empirical analysis showing face detection model choice can degrade adversarial attack success rate by up to 78% in blackbox FR settings, while interpolation method has minimal impact
  • Finding that face preprocessing degrades adversarial strength even in whitebox settings due to unintended noise-detector interactions
  • Preprocessing-invariant attack augmentation using input transformations that improves adversarial transferability by up to 27% across different preprocessing pipelines

🛡️ Threat Analysis

Input Manipulation Attack

The paper studies evasion/adversarial example attacks against face recognition systems at inference time, analyzes how preprocessing pipelines (face detection models, interpolation) degrade adversarial perturbation transferability in blackbox settings, and proposes a preprocessing-invariant input transformation method that improves adversarial transferability by up to 27%.


Details

Domains: vision
Model Types: cnn
Threat Tags: black_box, white_box, inference_time, targeted, digital
Applications: face recognition, facial privacy protection