stylecaptcha: captcha based on stylized images to ...hchen/paper/chen2020style.pdf0 20 40 60 80 100...
TRANSCRIPT
-
StyleCAPTCHA: CAPTCHA Based on Stylized Images to Defendagainst Deep Networks
Haitian ChenUniversity of California, Davis
Bai JiangBytedance AI Lab
Hao ChenUniversity of California, Davis
ABSTRACTCAPTCHAs arewidely deployed for bot detection.ManyCAPTCHAsare based on visual perception tasks such as text and objection clas-sification. However, they are under serious threat from advanced vi-sual perception technologies based on deep convolutional networks(DCNs). We propose a novel CAPTCHA, called StyleCAPTCHA,that asks a user to classify stylized human versus animal face im-ages. StyleCAPTCHA creates each stylized image by combiningthe content representations of a human or animal face image andthe style representations of a reference image. Both the originalface image and the style reference image are hidden from the user.To defend against attacks using DCNs, the StyleCAPTCHA servicechanges the style regularly. To adapt to the new styles, the attackerhas to repeatedly train or retrain her DCNs, but since the attackerhas insufficient training examples, she cannot train her DCNs well.We also propose Classifier Cross-task Transferability to measure thetransferability of a classifier from its original task to another task.This metric allows us to arrange the schedule of styles and to limitthe transferability of attackers’ DCNs across classification tasksusing different styles. Our evaluation shows that StyleCAPTCHAdefends against state-of-the-art face detectors and against generalDCN classifiers effectively.
CCS CONCEPTS• Security and privacy → Graphical / visual passwords; Ac-cess control.
KEYWORDSCAPTCHA, neural style transfer, deep convolutional network, facerecognition
ACM Reference Format:Haitian Chen, Bai Jiang, and Hao Chen. 2020. StyleCAPTCHA: CAPTCHABased on Stylized Images to Defend against Deep Networks. In Proceedingsof the 2020 ACM-IMS Foundations of Data Science Conference (FODS ’20),October 19–20, 2020, Virtual Event, USA. ACM, New York, NY, USA, 10 pages.https://doi.org/10.1145/3412815.3416895
1 INTRODUCTIONCAPTCHAs (Completely Automated Public Turing test to tell Com-puters and Humans Apart) are computer programs to test whether
Permission to make digital or hard copies of part or all of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for third-party components of this work must be honored.For all other uses, contact the owner/author(s).FODS ’20, October 19–20, 2020, Virtual Event, USA© 2020 Copyright held by the owner/author(s).ACM ISBN 978-1-4503-8103-1/20/10.https://doi.org/10.1145/3412815.3416895
an online user is a bot. They are widespread security measuresthat protect online services against the abuse from automated pro-grams. Typical CAPTCHAs are based on visual perception tasks,such as text recognition [39, 40], object recognition [8], and imageclassification [10].
However, the rapid evolution of artificial intelligence (AI) tech-nologies made the traditional CAPTCHAs vulnerable, since well-trained AI models are capable of accurately completing many visualperception tasks. For instance, [4, 3] carried out a systemic studyof the existing text-based CAPTCHAs and presented an genericalgorithm for solving CAPTCHA by reinforcement learning. In twoKaggle competitions [23, 22], various deep convolutional networks(DCNs) [27, 12, 33, 16, 38] solved the dog versus cat image classifi-cation task in the Asirra CAPTCHA [10] at a accuracy comparableto humans. [35] developed a deep convolutional network to solvethe Google reCAPTCHA at an accuracy of 70.78% and the Facebookimage CAPTCHA at an accuracy of 83.5%.
It might be tempting to use an even harder visual perceptiontask as CAPTCHA, but this will last only until an AI solution tothis CAPTCHA is invented [39, 31]. Moreover, increasing the diffi-culty of CAPTCHAs will probably worsen its the usability. Evencurrent CAPTCHAs involving moderately hard text or object recog-nition tasks were criticized by users because they were hard torecognize [41].
Instead, we wish to exploit intrinsic differences between humansand DCNs on visual perception tasks. DCNs are not robust againstcertain image perturbations that are invariant to human perception.For instance, DCN classifiers may wrongly classify adversariallyperturbed images, although these perturbations are invariant tohuman visual judgment [37, 14, 1]. Recently, DCNs were shwonto misunderstood stylized images by a neural style transfer proce-dure [7], while humans did not [11].
In addition, to achieve high accuracy on a visual perceptiontask, a DCN requires a vast set of annotated or labelled imagesduring training. In contrast, humans needs no training to com-plete CAPTCHAs. Figure 1 illustrates a typical learning curve ofan AI model on a visual perception task. Although humans canhardly compete with AIs in AIs’ well-trained (later) phase, humansoutperform AIs in AIs’ under-trained (early) phase.
We propose a novel CAPTCHA scheme called StyleCAPTCHAto exploit the above-mentioned intrinsic weaknesses of currentDCNs. Specifically, our system uses neural style transfer (NST) [11]to blend face images with style reference images. For each faceimage and style reference, NST generates an image of the face“painted” in the style. In each CAPTCHA challenge, the user isasked to classify 10 stylized images into either human face or animalface category. Figure 2 illustrates this StyleCAPTCHA scheme. Thesystem changes the style every few CAPTCHA challenges to keep
https://doi.org/10.1145/3412815.3416895https://doi.org/10.1145/3412815.3416895
-
0 20 40 60 80 100training efforts
0.0
0.2
0.4
0.6
0.8
1.0
Perfo
rman
ce
under-trained well-trained
AIHuman
Figure 1: Learning curve of AI
the attacker’s DCN classifier in the under-trained state (becausethe classifier has not received adequate training examples).
The advantages of StyleCAPTCHA to defend against DCN-basedautomated attacks are twofold. First, the NST transformation per-turbs pixel values of human face images and decreases the accuracyof the publicly available, well-trained DCN face detectors [43, 5, 17,44, 9]. This idea shares the same spirit with adversarially perturbingthe pixel values of images to mislead DCN classifiers [37, 14, 6].To the best of our knowledge, how to robustify DCNs against theperturbation induced by NST is little known in the literature. Bycontrast, after the texture and color of images are destructivelytransferred, human users can easily distinguish stylized humanimages from stylized animal images, because a stylized image stillcontains the content information of the facial appearance of itsoriginal image, and humans are sensitive to facial appearance.
More importantly, to adapt to frequently changing styles, theattacker has to keep collecting a vast set of stylized images from thethe StyleCAPTCHA service, manually labeling them, and then train-ing or re-training her DCN classifier. If StyleCAPTCHA switchesto a new style before the attacker’s DCN enters the well-trainedphase, then the attacker’s DCN is kept in the under-trained phaseand hence cannot pass the CAPTCHA challenge consistently. Bycontrast, human users can correctly classify stylized images with notraining or re-training, because perceiving human facial appearanceis a lifetime practice for identity recognition and verification.
We also propose a metric called Classifier Cross-task Transfer-ability (CCT) to measure the ability of a classifier transferring fromone image classification task, featured by one style (or a set ofstyles), to another image classification task, featured by anotherstyle. CCT allows us to arrange the style schedule (the sequence ofstyles) adversarially against DCN-based potential attackers. Afterthe system generates a few StyleCAPTCHA challenges, it switchesto another style with low CCT from the previous style(s). By doingso, we limit the impact of the attacker’s DCN classifier transferingfrom one image classification task to the next one, and protectStyleCAPTCHA from DCNs retrained by transfer learning.
Apart from DCNs for general purpose, DCNs trained for thespecific task of human face detection can also be deployed to at-tack StyleCAPTCHA. A few accurate and efficient DCN-based facedetectors have been developed recently [43, 5, 17, 44, 9]. For exam-ple, the-state-of-art face detector RetinaFace[9] (with Resnet50 [16]as the backbone network) reaches an average precision 90% onthe hard-level validation set of the WIDER Face dataset [42], andeven higher accuracy on the LFW dataset [18]. We will evaluateStyleCAPTCHA against RetinaFace detector in our experiments.
2 METHODSThis section presents the methodology of StyleCAPTCHA , whichinvolves two key techniques. Section 2.1 briefly describes the neuralstyle transfer (NST) technique, which transforms original humanand animal faces to stylized images. Section 2.1 defines ClassifierCross-task Transferability (CCT) and proposes a practical estima-tion method for it. CCT will be used to arrange the style schedule.Section 2.3 presents algorithms of StyleCAPTCHA in action.
2.1 Neural Style TransferNeural style transfer (NST) blends a content image, and a styleimage together so that the output image looks like the contentimage, but is “painted” in the style of the style image [11, 21, 19,29]. By using deep convolutional networks, NST extracts the con-tent representations and the style representations from images andoptimizes the output image to match the content representationsof the content image and the style representations of the style ref-erence image. More precisely, the content and style representationsare defined as intermediate feature maps of a pretrained imageclassification network and the correlations among these featuremaps, respectively. At a high level, a network has built internalrepresentations that convert the raw image pixels into a complexunderstanding of the image, when being trained to perform a imageclassification task, and thus can serve as a complex feature extractor.An NST network is trained to minimize the content loss, whichmeasures the difference between content representations of theoriginal content image and the output image, plus the style loss,which measures the difference between style representations of thestyle reference image and the output image.
Let ®� ;8 9(G) be the ; -dimensional feature vector at location 1 ≤
8 ≤ #; , 1 ≤ 9 ≤ "; of an intermediate layer ; of the pretrain imageclassification network for image G . The content loss between theoutput image G and the content image 2 is then given by
Lcontent (G, 2) =∑8, 9,;
‖ ®� ;8 9 (G) − ®�;8 9 (2)‖
2 .
The style representations are calculated by taking the outer productof the feature vector with itself at each location, and averaging thatouter product over all locations
G; (G) =1
#;";
#;∑8=1
";∑9=1
®� ;8 9 (G)[®� ;8 9 (G),
]Twhich is a ; × ; covariance matrix. The style loss between theoutput image G and the style image B is given by
Lstyle (G, B) =∑;
F; ‖G; (G) −G; (B)‖2,
-
Normal Users Attackers
Change
Styles
Stylized Images
Pass Test 1
Collect and label stylized images;Train or retrain DCN classifier.
Fail Tests 1 & 2.
Pass Test 2
Pass Test 3 Pass Test 3
Pass Test 4
Collect and label stylized images;Train or retrain DCN classifier.
Fail Tests 4 & 5.
Pass Test 5
Pass Test 6 Pass Test 6
Change
Figure 2: StyleCAPTCHA scheme. Each test consists of 10 stylized images. The blue boxes show human faces for the conve-nience of readers but are absent in real CAPTCHA challenges.
-
whereF; ’s are weights to combine style losses from different layers,‖A‖ is the Frobenius norm of matrix A, i.e., the ℓ2-norm of thevectorization of A (the concatenation of column vectors of A). Thetotal loss function of the NST network is then given by
L(G, 2, B) = _2Lcontent (G, 2) + _BLstyle (G, B), (1)
where _2 and _B are the weights to combine the content and stylelosses.
We remark that the content and style loss weights _2 and _Bcontrol the portion of the content information of the output imageG from the original image 2 and the portion of the style informationfrom the style image B . The quality of the output image variesaccording to the choice of these weights.
In this paper, we adopt the “fast” NST method by [21], whichcosts a short training time per style reference image and thus meetsour need to frequently change styles of images. Other NST methodssuch as MUNIT [20] and StyleGAN [24, 25] might also be utilizedto create stylized images for StyleCAPTCHA.
2.2 Classifier Cross-task TransferabilityClassifier Cross-task Transferability (CCT) is intended to measurethe transferability of a classifier from its own classification taskto another task. This measure plays a key role in arranging thestyle schedule (the sequence of styles) for StyleCAPTCHA. Thissection gives its formal definition and provides a practical methodto estimate it. Technical proofs of theoretical results concerningthe properties of CCT are collected in Section 3.
2.2.1 Definition. Let X0 = {-08 }=8=1 and X1 = {-18 }=8=1 denote
animal and human face images, respectively, which are stylizedby one or a set of multiple style(s). Let Y0 = {.08 }=8=1 and Y1 ={.18 }=8=1 denote animal and human images which are stylized byanother style.
Let 50 (G) and 51 (G) denote probability density functions of sam-ples of X0 and X1. Theoretical results from recent advances ofgenerative modeling [13] suggest that the optimal (soft) binaryclassifier to distinguish animal images from human images in thesense of the minimum binary cross entropy loss is given by
� (G) = 51 (G)50 (G) + 51 (G)
. (2)
Let . be an unlabelled image in either Y0 or Y1, and let � = 0or 1 be its label. Define CCT from the classification task X0 versusX1 to the other classification task Y0 versus Y1 as 1 minus theconditional entropy of � given � (. ). Formally,
CCT(X0,X1;Y0,Y1) = 1 − � (� |� (. )),
where � is the entropy1 notation. If � (. ) deterministically tells �then � (� |� (. )) = 0 and CCT = 1. If� is independent from � (. )then � (� |� (. )) = � (�) = 1 and thus CCT = 0.
Next theorem shows that CCT can be alternatively defined asthe Jensen-Shannon (JS-) divergence between the distributions of{� (.08 )}=8=1 and {� (.18 )}
=8=1.
1Information-theoretic quantities in this paper including (conditional) entropy, Jensen-Shannon divergence, Kullback-Leibler divergence are measured in bits
Theorem 1. Let ℎ0 (I) and ℎ1 (I) be the distributions of /08 =� (.08 ) and /18 = � (.18 ) for 8 = 1, . . . , = and JS stand for the JS-Divergence. Then
CCT(X0,X1;Y0,Y1) = JS(ℎ0‖ℎ1) . (3)
2.2.2 Estimation. WithTheorem 1 in hand, we proceed to considerestimating JS(ℎ0‖ℎ1). Given random samplesZ0 = {/08 }=8=1 andZ1 = {/18 }=8=1 following distribution ℎ0 (I) and ℎ1 (I), respectively,the JS-divergence between two distributions can be estimated asfollows.
Sort random samples inZ0,Z1 andZ0∪Z1 in the non-decreasingorder as {/0(8) }=8=1, {/1(8) }
=8=1 and {/ (8) }
2=8=1. Let ℎ̃0 (I) be the piece-
wise linear interpolation passing through points
(0, 0),(/0(1) ,
1
2=
),
(/0(2) ,
3
2=
), . . . ,
(/0(=) ,
2= − 12=
), (1, 1);
let ℎ̃1 (I) be the piece-wise linear interpolation passing throughpoints
(0, 0),(/1(1) ,
1
2=
),
(/1(2) ,
3
2=
), . . . ,
(/1(=) ,
2= − 12=
), (1, 1);
and let ℎ̃(I) be the piece-wise linear interpolation passing throughpoints
(0, 0),(/ (1) ,
1
4=
),
(/ (2) ,
3
4=
), . . . ,
(/ (2=) ,
4= − 14=
), (1, 1).
ℎ̃0 (I), ℎ̃1 (I) and ℎ̃(I) are actually the continuous piece-wise linearapproximations of the empirical cumulative distribution functionsofZ0,Z1 and Z0 ∪Z1, respectively.
Let / (0) = 0, / (2=+1) = 1, and n = min2=8=0[/ (8+1) − / (8)
]/2.
An estimator for JS(ℎ0‖ℎ1) is given by
ĴS (Z0‖Z1) =1
2=
=∑8=1
ℎ̃0 (/0(8) ) − ℎ̃0 (/0(8) − n)ℎ̃(/0(8) ) − ℎ̃(/0(8) − n)
+
1
2=
=∑8=1
ℎ̃1 (/1(8) ) − ℎ̃1 (/1(8) − n)ℎ̃(/1(8) ) − ℎ̃(/1(8) − n)
− 1 (4)
Theorem 2. The above-defined JS-divergence estimator is stronglyconsistent, i.e.,
ĴS (Z0‖Z1) → JS(ℎ0‖ℎ1)almost surely as = → ∞.
Theorem 1 and Theorem 2 together inspire the following algo-rithm to estimate CCT.
Algorithm 1 CCT estimation in action
Input: X0, X1, Y0, Y1 defined as aboveOutput: CCT(X0,X1;Y0,Y1), a CCT estimate.For the classification task X0 versus X1, train a DCN classifier�̂ : G ↦→ [0, 1] to minimize the binary cross-entropy loss.LetZ0 = {�̂ (~) : ~ ∈ Y0} and Z1 = {�̂ (~) : ~ ∈ Y1}.Compute ĴS(Z0‖Z1) using (4).
CCTmeasures the transferability of the optimal binary classifier� : G ↦→ [0, 1] from its original classification task X0 versus X1 toanother classification task Y0 versus Y1. In practice, the optimal
-
binary classifier � : G ↦→ [0, 1] is unknown. But we could approxi-mate it well by training a sufficiently complex DCN (e.g., ResNet50[16]) classifier. Similar approaches have accurately estimate otherinformation-theoretically quantities on high-dimensional imagedata [2].
2.3 StyleCAPCTHAThe StyleCAPTCHA scheme is outlined as Algorithm 2. In thisalgorithm, B ⊗ I denotes the set of stylized images, resulting fromblending content images in I and a style reference image B by theNST method described in Section 2.1. CCT denotes the estimate ofCCT given by Algorithm 1 in Section 2.2.
Algorithm 2 StyleCAPTCHA
Input: animal face image set I0, human face image set I1, stylereference image set S, a threshold constant X ∈ (0, 1).Initialize B0 ∈ S.for C = 0, 1, 2, . . . doProvide a few times of CAPTCHA service to users, who areasked to classify B) ⊗ I0 versus B) ⊗ I0.Find style B ∈ S such thatCCT(∪8≤CB8 ⊗ I0,∪8≤CB8 ⊗ I1; B ⊗ I0, B ⊗ I1) < X.Set BC+1 = B .
end for
3 PROOFSThis section collects the technical proofs for Theorem 1 and Theo-rem 2 in Section 2.
Proof of Theorem 1. For an unlabelled image . ∈ Y0 ∪Y1, let/ = � (. ) be the prediction given by the optimal classifier � for . .Apparently, the random variable / follows the mixture distribution
ℎ(I) = ℎ0 (I) + ℎ1 (I)2
.
Let ? (2, I) be the joint distribution of � and / = � (. ), and writemarginal distributions of 2 as ? (2 = 0) =
∫? (0, I)3I and ? (2 =
1) =∫? (1, I)3I. Write
� (�, � (. ))
= −∑
2∈{0,1}
∫? (2, I) log ? (2, I) dI
= −∫
? (I |2 = 0)? (2 = 0) log[? (I |2 = 0)? (2 = 0)] dI
−∫
? (I |2 = 1)? (2 = 1) log[(? (I |2 = 1)? (2 = 1)] dI
= −∫
ℎ0 (I)2
log
[ℎ0 (I)2
]dI −
∫ℎ1 (I)2
log
[ℎ1 (I)2
]dI
and
� (� (. )) = −∫
ℎ(I) logℎ(I) dI
= −∫
ℎ0 (I)2
logℎ(I) dI −∫
ℎ1 (I)2
logℎ(I) dI.
Then, CCT amounts to
1 − � (� |� (. )) = 1 − � (�, � (. )) + � (� (. ))
= 1 −∫
ℎ0 (I)2
log
[ℎ0 (I)/2ℎ(I)
]dI −
∫ℎ1 (I)2
log
[ℎ1 (I)/2ℎ(I)
]dI
= −12
∫ℎ0 (I) log
[ℎ0 (I)ℎ(I)
]dI − 1
2
∫ℎ1 (I) log
[ℎ1 (I)ℎ(I)
]dI
=1
2KL(ℎ0‖ℎ) +
1
2KL(ℎ1‖ℎ) = JS(ℎ0‖ℎ1)
�
Proof of Theorem 2. Break the JS-divergence JS(ℎ0‖ℎ1) intotwo KL-divergence terms
JS(ℎ0‖ℎ1) =1
2KL
(ℎ0
ℎ0 + ℎ12 ) + 12 KL (ℎ1
ℎ0 + ℎ12 ) .By [32, Thoerem 1],
1
=
=∑8=1
ℎ̃0 (/0(8) ) − ℎ̃0 (/0(8) − n)ℎ̃(/0(8) ) − ℎ̃(/0(8) − n)
− 1 → KL(ℎ0
ℎ0 + ℎ12 )1
=
=∑8=1
ℎ̃1 (/1(8) ) − ℎ̃1 (/1(8) − n)ℎ̃(/1(8) ) − ℎ̃(/1(8) − n)
− 1 → KL(ℎ1
ℎ0 + ℎ12 )almost surely as = → ∞. Collecting these pieces together completesthe proof. �
4 EXPERIMENTAL DESIGN4.1 Face ImagesWe detect and extract faces from the Facial Deformable Modelsof Animals (FDMA) dataset [26] and the Flickr-Faces-HQ (FFHQ)dataset [24] by the state-of-the-art RetinaFace human face detector[9]. The FDMA dataset contains around 21.9K animal face imagesbelonging to 334 diverse species. Among them, 10000 animal facesthat look like human faces (according to the judgement of theRetinaFace detector) are selected.The FFHQdataset contains around22.0K human face images. Among them, 10000 human faces arerandomly selected. These two sets of 10000 animal faces and 10000human faces are used in our experiments.
4.2 StylesFigure 3 visualizes the set of 48 styles used in the experiments onStyleCAPTCHA. These styles are generated by an open-sourcedstyle (texture and color) generator named texgen.js (https://github.com/mrdoob/texgen.js).
4.3 Choice of Loss Weights _2 and _B in NSTFor each style, we randomly pick up 2500 human faces and 2500animal faces from the image sets to train a fast NST network, andthen apply the fast NST network to stylize the rest of the imagesets. The choices of content and style loss weights _2 and _B arecrucial for the performance of the NST network. Smaller _2 andlarger _B would let the NST network focus more on the objective ofmatching the style representations and make less account for thecontent information, and vice versa. If the stylized face image lossestoo much content information of the original face, both the humanvisual perception and DCN-based human face detector would not
https://github.com/mrdoob/texgen.jshttps://github.com/mrdoob/texgen.js
-
Figure 3: Styles created by by texgen.js.
distinguish human faces apart from animal faces. On the other hand,if the stylized face image contains too much content information,both the human visual perception and DCN-based human facedetector would correctly recognize the human faces.
We choose the values of _2 and _B in the following way. Fix_B = 105 and gradually decrease _2 from 3.0 to 0.0 until the averageprobability score given by the state-of-the-art RetinaFace detectorfor stylized human faces drops below the default threshold 0.7 ofthe RetinaFace probability score.
4.4 Style SchedulesTo evaluate the reliability of StyleCAPCTHA and the effectivenessof the CCT-based arrangement of the style schedule B0, B1, B2, · · · ,we compare the following three arrangements of the style schedule.
Unchanging Schedule (US): Use an unchanging style to trans-fer human and animal face images, i.e., BC = B0 for C ≥ 1.
Random Schedule (RS): Randomly pick up a style BC from theset of styles at every time C .
CCT-based Schedule (CS): As described by Algorithm 2, pickup style BC from the set of styles such that CCT from the classifica-tion task featured by B0, B1, · · · , BC−1 to that featured by BC is belowsome threshold X .
The threshold X for CCT values in the StyleCAPTCHA scheme(Algorithm 2) shall be determined by the trade-off between thereliability of the StyleCAPTCHA service and the flexibility of thestyle schedule arrangement. A low CCT value indicates that thetarget classification task featured by the new style obtains littleinformation from the source classification task. Consequently, theDCN classifier, that is well trained for the source task, would per-form poorly on the target task. However, an extremely low CCTthreshold X would filter out many candidate styles and limit theflexibility of the style schedule arrangement. We choose X = 0.75by a pilot experiment (see Figure 5).
4.5 Threat ModelsWe assume three state-of-the-art DCN architectures for generalvisual classification tasks, namely, VCG19 [34], ResNet50 [16] and
InceptionV3 [36], and a state-of-the-art DCN-based face detectorRetinaFace [9], are available to the attackers. Below are four threatmodels that the attackers may maliciously use to crack down Style-CAPCTHA.Baseline (BL) model: The attacker collects 1000 images of styleB0 via repeatedly requesting the StyleCAPTCHA service, manuallylabel images, and then train one of VCG19, ResNet50 or InceptionV3networks. The network is initialized with the well-optimized pa-rameters on general large-scale image recognition task.Transfer learning (TL) model: The attacker trains an initial DCNclassifier in the same way as in the baseline model. After a stylechange from BC−1 to BC happens at time C ≥ 1, the attacker collectsanother 1000 images of style BC , and then uses them to re-train thecurrent DCN classifier by transfer learning techniques.Cumulative learning (CL) model: The attacker trains an initialDCN classifier in the same way as in the baseline model. After astyle change from BC−1 to BC happens at time C ≥ 1, the attackercollects another 1000 images of style BC , and then uses all imagesthat has been obtained from the StyleCAPTCHA service at thatmoment to train a DCN classifier.Face detectionmodel: The attacker uses the state-of-the-art DCN-based face detector RetinaFace to detect human faces in stylizedimages. RetinaFace detector gives a probability score between 0.0and 1.0 for each detected object measuring the likelihood of theobject being a human face. The attacker chooses the optimal proba-bility score threshold to maximize the accuracy of his classifier.
5 EXPERIMENTAL RESULTSThis section presents results of two pilot experiments for hyperpa-rameter selections, and performances of three arrangement strate-gies of the style schedule defending against threat models. Theperformance of the DCN-based classifiers on the stylized imageclassification tasks are evaluated in terms of average classificationaccuracy. Note that each StyleCAPTCHA test asks a user to classify10 images (Figure 2). A DCN-based classifier with accuracy 80% re-sults in a passing rate 0.8010 = 10.74%. That means, this classifierwill pass through StyleCAPTCHA once per 9.31 times of attemptson average. We expect that a normal user achieves an accuracy95% with a passing rate 0.9510 = 59.87% correspondingly andpasses through StyleCAPTCHA once per 1.67 attempts on average.
5.1 Pilot Experiment to Choose _2 for NSTA pilot experiment is conducted to guide the choice of content lossweight _2 in the NST network such that the RetinaFace detectorwould miss a considerately large portion of stylized human facesas false negatives, meanwhile a normal user would not.
For a single style, various values of content loss weight _2 areused in the NST network to create multiple sets of stylized humanface images. The average probability scores of the RetinaFace oneach image set are computed. Figure 4a shows that the Retinaprobability scores for stylized images and content loss weight _2are strongly correlated. In this situation, we choose _2 = 1.3 suchthat the average probability score of detected faces is below 0.7,which is the default threshold of the probability score set by theofficial implementation of RetinaFace. Weights for other styles arechosen in the same way.
-
0.5 1.0 1.5 2.0 2.5 3.0Content loss weight c
0.0
0.2
0.4
0.6
0.8
1.0
Retin
aFac
e pr
obab
ility
scor
e
(a) (b)Figure 4: Choice of content loss weight _2 .
Figure 4b showcases 20 stylized face images with content lossweight _2 = 2.1, 1.8, 1.3, 0.8, 0.5. Evidently, as the stylized humanface images keep less content information with smaller _2 , theRetinaFace detector gives less certain judgements, while humanvisual perception could still recognize the stylized images. Thechoice of _2 = 0.8 lowers the RetinaFace probability score, but theresulting stylized images may confuse some normal users.
5.2 Pilot Experiment to Choose X for CCTIn order to choose a suitable threshold X for CCT, we estimate CCTof each classifier transferring from the source task featured by styleB to the target task featured by another style B ′ ≠ B . Results showthat 2184 out of 48 × 47 = 2256 pairs of styles satisfyCCT(B ⊗ I0, B ⊗ I1; B ′ ⊗ I0, B ′ ⊗ I1) < 0.75.All of these 2184 obtain < 0.82 classification accuracy on the targettask (Figure 5), thus X = 0.75 is set in further experiments.
5.3 Defense against General DCNsWe evaluate the performance of three style schedules defendingStyleCAPTCHA against the three threat models with one of VGG19,InceptionV3, Resnet50 backbone networks. Each threatmodel cracksdown the unchanging style schedule with a classification accuracy> 90%.
Figure 6 plots the classification accuracy of the baseline (BL),transfer learning (TL) and cumulative learning (CL) threat modelswith a DCN backbone network to attack the StyleCAPTCHA servicewhen the sequence of styles B0, B1, . . . , B9 are scheduled by randomor according the guidance of CCT. Figure 6a shows that the randomschedule (RS) strategy can defend both the baseline (BL) and transferlearning (TL) attacks, but fail to defend the cumulative learning(CL) attacks during a few time periods.
In contrast, Figure 6b shows that the CCT-guided schedule (CS)can defend three types of attacks. Each of VGG19, InceptionV3 and
0.0 0.2 0.4 0.6 0.8 1.0CCT value
0.5
0.6
0.7
0.8
0.9
1.0Cl
assif
icatio
n Ac
cura
cy
Figure 5: CCT value and classification accuracy of Resnet50classifiers transferring from the source task featured by onestyle to the target task featured by another style.
Resnet50 classifiers obtains less than 80% accuracy during eachof 10 time periods on the stylized images in the StyleCAPTCHAservice. Since each StyleCAPTCHA test asks a user to classify 10images, these classifiers pass through the StyleCAPTCHA test withchance at most 0.8010 = 10.74%. They would take more than 9.31attempts to pass through StyleCAPTCHA once on average.
5.4 Defense against RetinaFace DetectorThe RetinaFace detector gives each stylized image a probabilityscore indicating the chance that it is a human face. To convert the
-
1 2 3 4 5 6 7 8 9time period
0.5
0.6
0.7
0.8
0.9
1.0
Clas
sifica
tion
Accu
racy
RS against BL (with VGG19)RS against TL (with VGG19)RS against CL (with VGG19)
1 2 3 4 5 6 7 8 9time period
0.5
0.6
0.7
0.8
0.9
1.0
Clas
sifica
tion
Accu
racy
RS against BL (with InceptionV3)RS against TL (with InceptionV3)RS against CL (with InceptionV3)
1 2 3 4 5 6 7 8 9time period
0.5
0.6
0.7
0.8
0.9
1.0
Clas
sifica
tion
Accu
racy
RS against BL (with ResNet50)RS against TL (with ResNet50)RS against CL (with ResNet50)
(a) RS defending against threat models with VGG19 (left), InceptionV3 (middle) and Resnet50 (right) backbones.
1 2 3 4 5 6 7 8 9time period
0.5
0.6
0.7
0.8
0.9
1.0
Clas
sifica
tion
Accu
racy
CS against BL (with VGG19)CS against TL (with VGG19)CS against CL (with VGG19)
1 2 3 4 5 6 7 8 9time period
0.5
0.6
0.7
0.8
0.9
1.0
Clas
sifica
tion
Accu
racy
CS against BL (with InceptionV3)CS against TL (with InceptionV3)CS against CL (with InceptionV3)
1 2 3 4 5 6 7 8 9time period
0.5
0.6
0.7
0.8
0.9
1.0
Clas
sifica
tion
Accu
racy
CS against BL (with ResNet50)CS against TL (with ResNet50)CS against CL (with ResNet50)
(b) CS defending against threat models with VGG19 (left), InceptionV3 (middle) and Resnet50 (right) backbones.
Figure 6: Random style schedule (RS) and CCT-based style schedule (CS) defending against the baseline (BL), transfer learning(TL) and cumulative learning (CL) threat models with DCN backbone.
probability score output to a classification rule, the attacker needsto set a probability score threshold. In practice, the threshold isselected by the ROC curve. We assume both the ROC curve and theoptimal threshold are available to the attackers. Figure 7 illustratesthe ROC curves of the classifier converted from the RetinaFacedetector on stylized images the attackers collect during ten timeperiods in Figure 6. The maximum classification accuracy of theclassifier with the optimal score threshold is 84.6% against the CCT-guided style schedule and 89.6% against the random style schedule.Correspondingly, the classifier would pass through StyleCAPTCHAguarded by two style schedules with rates 18.8% and 33.3%.
6 RELATEDWORKImage-based CAPTCHA with style transfer. Cheng et al.[7]proposed a CAPTCHA that asked users to select one among ninestylized images to match a short scene description. A key differenceis that their CAPTCHA used the same style to transfer all theirimages, whereas our StyleCAPTCHA schedules different adversarial
styles to transfer images. Another CAPTCHA asked users to detecthuman faces with rotations and occlusions [15].Improving the robustness of classifiers. Szegedy et al. proposeda defense against adversarial examples by augmenting the trainingset with adversarial images [37]. Liu et al. improved the robustnessof classifiers by removing outliers from the training set [28]. How-ever, [30, 1] showed that retrained models could still be attackedby other adversarial examples.Style transfer with neural networks Our StyleCAPTCHA usesneural style transfer [11]. Other style transfer techniques includeStyleGAN[24, 25] and MUNIT[20], which use cycle consistent lossand AdaIN block[19]. We plan to evaluate the efficiency of thosestyle transfer models in StyleCAPTCHA model in the future.
7 CONCLUSIONDeep convolutional networks (DCNs) are serious threats to tradi-tional CAPTCHAs based on visual perception tasks nowadays. We
-
0.0 0.2 0.4 0.6 0.8 1.0False Positive Rate
0.0
0.2
0.4
0.6
0.8
1.0
True
Pos
itive
Rat
e
CCT-based style schedule (AUC = 0.89)random style strategy (AUC = 0.94)
Figure 7: StyleCAPTCHA against the classifier convertedfrom the RetinaFace detector.
design StyleCAPTCHA by exploiting two intrinsic differences be-tween current deep visual networks and human visual perception.First, we use the neural style transfer technique to generate stylizedimages, which are shown to be robust beyond the attacks fromstate-of-the-art DCNs. Second, we propose to adversarilly changethe style of images in StyleCAPTCHA according to an information-theoretical measure for the classifier cross-task transferrability(CCT). Our experimental evaluation shows that StyleCAPTCHA isgeneral for a range of common image classifiers.
ACKNOWLEDGMENTSThis material is based upon work supported by the National ScienceFoundation under Grant No. 1801751. This research was partiallysponsored by the Combat Capabilities Development CommandArmy Research Laboratory and was accomplished under Coopera-tive Agreement Number W911NF-13-2-0045 (ARL Cyber SecurityCRA). The views and conclusions contained in this document arethose of the authors and should not be interpreted as representingthe official policies, either expressed or implied, of the Combat Capa-bilities Development Command Army Research Laboratory or theU.S. Government. The U.S. Government is authorized to reproduceand distribute reprints for Government purposes notwithstandingany copyright notation here on.
REFERENCES[1] Naveed Akhtar and Ajmal Mian. 2018. Threat of adversarial
attacks on deep learning in computer vision: a survey. IEEEAccess, 6, 14410–14430.
[2] Mohamed Ishmael Belghazi, Aristide Baratin, Sai Rajeshwar,Sherjil Ozair, Yoshua Bengio, Aaron Courville, and DevonHjelm. 2018. Mutual information neural estimation. In Inter-national Conference on Machine Learning, 531–540.
[3] Elie Bursztein, Jonathan Aigrain, Angelika Moscicki, andJohn CMitchell. 2014.The end is nigh: generic solving of text-based CAPTCHAs. In the 8th USENIX Workshop on OffensiveTechnologies.
[4] Elie Bursztein, Matthieu Martin, and John C Mitchell. 2011.Text-based captcha strengths and weaknesses. In ACM Con-ference on Computer and Communications Security, 125–138.
[5] Zhaowei Cai,Quanfu Fan, Rogerio S Feris, and Nuno Vascon-celos. 2016. A unified multi-scale deep convolutional neuralnetwork for fast object detection. In European Conference onComputer Vision, 354–370.
[6] Jiyu Chen, David Wang, and Hao Chen. 2020. Explore thetransformation space for adversarial images. In ACM Confer-ence on Data and Application Security and Privacy (CODASPY).New Orleans, LA, USA, (March 16–18, 2020).
[7] Zhouhang Cheng, Haichang Gao, Zhongyu Liu, Huaxi Wu,Yang Zi, and Ge Pei. 2019. Image-based CAPTCHAs based onneural style transfer. IET Information Security, 13, 6, 519–529.
[8] Ritendra Datta, Jia Li, and James Z. Wang. 2005. Imagination:a robust image-based CAPTCHA generation system. In ACMConference on Multimedia, 331–334.
[9] Jiankang Deng, Jia Guo, Zhou Yuxiang, Jinke Yu, Irene Kot-sia, and Stefanos Zafeiriou. 2020. RetinaFace: single-stagedense face localisation in the wild. In IEEE/CVF Conferenceon Computer Vision and Pattern Recognition, 5203–5212.
[10] Jeremy Elson, John R Douceur, Jon Howell, and Jared Saul.2007. Asirra: a CAPTCHA that exploits interest-aligned man-ual image categorization. In ACM Conference on Computerand Communications Security. Volume 7, 366–374.
[11] Leon A Gatys, Alexander S Ecker, and Matthias Bethge. 2016.Image style transfer using convolutional neural networks. InIEEE Conference on Computer Vision and Pattern Recognition,2414–2423.
[12] Ian J Goodfellow, Yaroslav Bulatov, Julian Ibarz, SachaArnoud,and Vinay Shet. 2014. Multi-digit number recognition fromstreet view imagery using deep convolutional neural net-works. In International Conference on Learning Representa-tions.
[13] Ian J Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, BingXu, David Warde-Farley, Sherjil Ozair, Aaron Courville, andYoshua Bengio. 2014. Generative adversarial nets. In NeuralInformation Processing Systems, 2672–2680.
[14] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy.2015. Explaining and harnessing adversarial examples. InInternational Conference on Learning Representations.
[15] Gaurav Goswami, Brian M Powell, Mayank Vatsa, RichaSingh, and Afzel Noore. 2014. Facedcaptcha: face detectionbased color image captcha. Future Generation Computer Sys-tems, 31, 59–68.
[16] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun.2016. Deep residual learning for image recognition. In IEEEConference on Computer Vision and Pattern Recognition, 770–778.
[17] Peiyun Hu and Deva Ramanan. 2017. Finding tiny faces. InIEEE Conference on Computer Vision and Pattern Recognition,951–959.
-
[18] Gary BHuang,MarwanMattar, Tamara Berg, and Eric Learned-Miller. 2007. Labeled faces in thewild: a database for studyingface recognition in unconstrained environments. Technicalreport. University of Massachusetts, Amherst.
[19] XunHuang and Serge Belongie. 2017. Arbitrary style transferin real-time with adaptive instance normalization. In IEEEInternational Conference on Computer Vision, 1501–1510.
[20] Xun Huang, Ming-Yu Liu, Serge Belongie, and Jan Kautz.2018. Multimodal unsupervised image-to-image translation.In European Conference on Computer Vision, 179–196.
[21] Justin Johnson, Alexandre Alahi, and Fei-Fei Li. 2016. Percep-tual losses for real-time style transfer and super-resolution.In European Conference on Computer Vision, 694–711.
[22] Kaggle. 2016. Dogs vs. Cats Redux, Kernels Edition: distin-guish images of dogs from cats. https://www.kaggle.com/c/dogs-vs-cats-redux-kernels-edition.
[23] Kaggle. 2013. Dogs vs. Cats: create an algorithm to distin-guish dogs from cats. https://www.kaggle.com/c/dogs-vs-cats.
[24] Tero Karras, Samuli Laine, and TimoAila. 2019. A style-basedgenerator architecture for generative adversarial networks.In IEEE Conference on Computer Vision and Pattern Recogni-tion, 4401–4410.
[25] Tero Karras, Samuli Laine, Miika Aittala, Janne Hellsten,Jaakko Lehtinen, and TimoAila. 2020. Analyzing and improv-ing the image quality of StyleGAN. In IEEE/CVF Conferenceon Computer Vision and Pattern Recognition, 8110–8119.
[26] Muhammad Haris Khan, John McDonagh, Salman Khan,Muhammad Shahabuddin, Aditya Arora, Fahad ShahbazKhan, Ling Shao, and Georgios Tzimiropoulos. 2020. Animal-Web: a large-scale hierarchical dataset of annotated animalfaces. In IEEE/CVF Conference on Computer Vision and PatternRecognition, 6939–6948.
[27] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. 2012.ImageNet classification with deep convolutional neural net-works. In Neural Information Processing Systems, 1097–1105.
[28] Yongshuai Liu, Jiyu Chen, and Hao Chen. 2018. Less is more:culling the training set to improve robustness of deep neuralnetworks. In Conference on Decision and Game Theory forSecurity (GameSec). Seattle, WA, USA, (October 29–31, 2018).
[29] Fujun Luan, Sylvain Paris, Eli Shechtman, and Kavita Bala.2017. Deep photo style transfer. In IEEE Conference on Com-puter Vision and Pattern Recognition, 4990–4998.
[30] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, OmarFawzi, and Pascal Frossard. 2017. Universal adversarial per-turbations. In IEEE Conference on Computer Vision and Pat-tern Recognition, 1765–1773.
[31] Gabriel Moy, Nathan Jones, Curt Harkless, and Randall Pot-ter. 2004. Distortion estimation techniques in solving visual
CAPTCHAs. In IEEE Conference on Computer Vision and Pat-tern Recognition.
[32] Fernando Pérez-Cruz. 2008. Kullback-leibler divergence es-timation of continuous distributions. In IEEE InternationalSymposium on Information Theory, 1666–1670.
[33] Shaoqing Ren, Kaiming He, Ross Girshick, and Jian Sun.2015. Faster R-CNN: towards real-time object detection withregion proposal networks. In Neural Information ProcessingSystems, 91–99.
[34] Karen Simonyan and Andrew Zisserman. 2015. Very deepconvolutional networks for large-scale image recognition.In International Conference on Learning Representations.
[35] Suphannee Sivakorn, Iasonas Polakis, andAngelos DKeromytis.2016. I am robot:(deep) learning to break semantic imagecaptchas. In IEEE European Symposium on Security and Pri-vacy, 388–403.
[36] Christian Szegedy, Vincent Vanhoucke, Sergey Ioffe, JonShlens, and Zbigniew Wojna. 2016. Rethinking the incep-tion architecture for computer vision. In IEEE Conference onComputer Vision and Pattern Recognition, 2818–2826.
[37] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, JoanBruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014.Intriguing properties of neural networks. In InternationalConference on Learning Representations.
[38] Mingxing Tan and Quoc V Le. 2019. EfficientNet: rethinkingmodel scaling for convolutional neural networks. In Interna-tional Conference on Machine Learning, 6105–6114.
[39] Luis Von Ahn, Manuel Blum, Nicholas J Hopper, and JohnLangford. 2003. CAPTCHA: using hard AI problems for se-curity. In International Conference on the Theory and Applica-tions of Cryptographic Techniques, 294–311.
[40] Luis Von Ahn, Benjamin Maurer, Colin McMillen, DavidAbraham, and Manuel Blum. 2008. reCAPTCHA: human-based character recognition via web security measures. Sci-ence, 321, 5895, 1465–1468.
[41] Jeff Yan and Ahmad Salah El Ahmad. 2008. Usability ofCAPTCHAs or usability issues in CAPTCHA design. In Sym-posium on Usable Privacy and Security, 44–52.
[42] Shuo Yang, Ping Luo, Chen-Change Loy, and Xiaoou Tang.2016. Wider face: a face detection benchmark. In IEEE Con-ference on Computer Vision and Pattern Recognition, 5525–5533.
[43] Kaipeng Zhang, Zhanpeng Zhang, Zhifeng Li, and Yu Qiao.2016. Joint face detection and alignment using multitask cas-caded convolutional networks. IEEE Signal Processing Letters,23, 10, 1499–1503.
[44] Shifeng Zhang, Xiangyu Zhu, Zhen Lei, Hailin Shi, XiaoboWang, and Stan Z Li. 2017. C. In IEEE International Conferenceon Computer Vision, 192–201.
https://www.kaggle.com/c/dogs-vs-cats-redux-kernels-editionhttps://www.kaggle.com/c/dogs-vs-cats-redux-kernels-editionhttps://www.kaggle.com/c/dogs-vs-catshttps://www.kaggle.com/c/dogs-vs-cats
Abstract1 Introduction2 Methods2.1 Neural Style Transfer2.2 Classifier Cross-task Transferability2.3 StyleCAPCTHA
3 Proofs4 Experimental Design4.1 Face Images4.2 Styles4.3 Choice of Loss Weights c and s in NST4.4 Style Schedules4.5 Threat Models
5 Experimental Results5.1 Pilot Experiment to Choose c for NST5.2 Pilot Experiment to Choose for CCT5.3 Defense against General DCNs5.4 Defense against RetinaFace Detector
6 Related work7 ConclusionAcknowledgments