Nowadays, facial recognition systems are still vulnerable to adversarial attacks. These attacks vary from simple perturbations of the input image to modifying the parameters of the recognition model to impersonate an authorised subject. So-called privacy-enhancing facial recognition systems have been mostly developed to provide protection of stored biometric reference data, i.e. templates. In the literature, privacy-enhancing facial recognition approaches have focused solely on conventional security threats at the template level, ignoring the growing concern related to adversarial attacks. Up to now, few works have provided mechanisms to protect face recognition against adversarial attacks while maintaining high security at the template level. In this paper, we propose different key selection strategies to improve the security of a competitive cancelable scheme operating at the signal level. Experimental results show that certain strategies based on signal-level key selection can lead to complete blocking of the adversarial attack based on an iterative optimization for the most secure threshold, while for the most practical threshold, the attack success chance can be decreased to approximately 5.0%.

翻译：如今，人脸识别系统仍然容易受到对抗性攻击。这些攻击方式从对输入图像的简单扰动，到修改识别模型参数以冒充授权主体，种类繁多。所谓的隐私增强型人脸识别系统主要开发用于保护存储的生物特征参考数据（即模板）的安全。在文献中，隐私增强型人脸识别方法仅关注模板层面的传统安全威胁，而忽视了与对抗性攻击日益相关的担忧。迄今为止，很少有研究工作提供既能保护人脸识别免受对抗性攻击，同时又能维持模板层面高安全性的机制。本文提出了不同的密钥选择策略，以改进一种在信号层面运行的有竞争力的可撤销方案的性能。实验结果表明，基于信号层面密钥选择的某些策略，对于最安全阈值可以完全阻断基于迭代优化的对抗性攻击，而对于最实用阈值，攻击成功概率可降低至约5.0%。