Face recognition typically belongs to either face identification or face verification. The former is also called closed-set face classification and assumes the probed image belongs to one of the objects enrolled in the gallery. The latter is also called open-set face classification and can reject a probed image with no corresponding object in the gallery. We focus on open-set face recognition.

Modern open-set face recognition systems commonly consist of a DNN-based feature extractor that maps an input image into a low dimensional feature space (Sun et al. 2014) . Then we can measure the similarity of the two images by the distance between their two corresponding feature vectors. The commonly used distances are the Euclidean distance and the cosine distance. A feature extractor excels in face recognition service as it requires no retraining, unlike classifiers when it registers a new face. 1

There are two major ways of training the DNN-based feature extractors. One way is to train a normal multiclass DNN classifier initially and then regard the output of the penultimate layer of the DNN as the feature vector (i.e., the DNN without the last fully connected layer is a feature extractor) (Parkhi, Vedaldi, and Zisserman 2015; Sun et al. 2014) . Another approach is to train the feature extractor directly using the triplet loss (this is also called metric learning) (Schroff, Kalenichenko, and Philbin 2015) . A triplet consists of two matching face thumbnails and a nonmatching face thumbnail, and the loss aims to separate the positive pair from the negative by a distance margin. As the number of triplet combinations increases exponentially, triplet loss tends to be harder to scale. We focus on the former approach in this work.

Feature extractors trained through simple softmax outputs are effective for closed-set classification tasks but are not discriminative enough for open-set verification. An angular margin penalty such as ArcFace (Deng et al. 2019) , CosFace (Wang et al. 2018) , and Sphereface (Liu et al. 2017) , and other approaches such as (Wan et al. 2018) is a form of the loss function that has successfully improved the discriminative power of face verification by feature vectors. The angular margin penalty modifies the final prediction layer to enforce the true label’s predictions to be more restrictive and discriminative than the vanilla softmax by penalty. In such a way, the loss transfers the penalty against the prediction into the distance between features, features with high inter-class variance and low intra-class variance.

We briefly review the angular margin penalty. We start from the cross-entropy loss LCE (x; y) for a trainable parameter , an input x, and its true label y. We assume g(x; ) is the classification over n classes and is the fully connected final layer’s softmax output whose input is the output f (x; ) 2 Rd of the d-dimensional penultimate layer. Then, letting Wj 2 Rd and bj 2 R for j = 1; : : : ; n, respectively, an final weight vector and a final bias for the j-th prediction, eWy f(x)+by LCE (x; y) := T 1y log g(x) = log Pn `=1 eW` f(x)+b` :

The loss function of ArcFace LARC; ; (x; y) L2normalizes f and Wj , lets b` = 0, and introduces penalty and smoothness hyperparameter . With cos (x; `) = W` f(x) kW`k kf(x)k , it is;

LARC; ; (x; y) = log

e cos( (x;y)+ ) e cos( (x;y)+ ) + P`2f1;:::;ngny e cos (x;`) : 1Because of this property, we need to evaluate the accuracy of feature extractor based face recognition by datasets that do not share the labels (identities of the owners of faces) with the training dataset.

The loss function of CosFace is with a slightly different form of the penalty. We call each model of both ArcFace and CosFace as a single model and compare it with other models in our experiments. The feature extractor trained by this network is f~( ; ) 2 Rd, which is the normalization of f ( ; ).

While deep neural networks are successful to show high accuracy in their tasks, they are vulnerable to AXs (Goodfellow, Shlens, and Szegedy 2015; Carlini and Wagner 2017b) . An AX is a crafted input xadv, which is different from a source image xs by , i.e., xadv = xs + , so that the target classifier misclassifies it but not by the humans. Many works search for a small that humans cannot perceive, while some works such as (Kakizaki and Yoshida 2020) search for a large that humans consider natural. I-FGSM, an iterative variant of the Fast Gradient Signed Method (FGSM) (Goodfellow, Shlens, and Szegedy 2015; Madry et al. 2018) , searches by moving in the negative gradient direction to the target label. Basic Iterative Method (BIM) (Kurakin, Goodfellow, and Bengio 2017a) is an extension of I-FGSM where the search is within a given boundary. Carlini & Wagner (CW) attack (Carlini and Wagner 2017b) searches the best by formalizing the problem as optimization. The above I-FGSM, BIM, and CW methods are the major strong attacks available today to generate AXs.

(Rozsa, Gu¨nther, and Boult 2017) proposed a general method, called LOTS, to generate AXs such that an internal layer representation is close to that of a target by iteratively adding perturbations to the source input. It uses a Euclidean loss defined on the internal layer representations of the origin and the target. It applies its gradient to the source input to manipulate the source input’s internal layer representation. We can generate an AX for feature extractors by applying LOTS to the features layer, which is also an internal representation of the classifier that is to be a feature extractor. LOTS is sufficiently general to employ I-FGSM, BIM, and CW for the underlying perturbation method.

Various studies have proposed methods to make DNNs robust against AXs. They include adversarial training (Goodfellow, Shlens, and Szegedy 2015; Madry et al. 2018) , feature transformation (Xu, Evans, and Qi 2018) , statistical analysis (Zheng and Hong 2018) , manifold learning (Samangouei, Kabkab, and Chellappa 2018) , knowledge distillation (Papernot et al. 2016) , selective dropout (Goswami et al. 2018, 2019) , an ensemble of models, and more. Despite their partial success, none of them completely prevents AXs from deceiving DNNs with cleverer attack techniques such as (Carlini and Wagner 2017a; Athalye, Carlini, and Wagner 2018) . An adversarial training, a relatively successful defense, trains DNNs by generating AXs and including them in the training data (Goodfellow, Shlens, and Szegedy 2015; Kurakin, Goodfellow, and Bengio 2017b) . However, it can not sufficiently defend the model against some of the AXs that have not appeared during the training (Gilmer et al. 2019) . There have also been studies on certified defenses, of which the aim is to train DNNs in a provably robust fashion (Cohen, Rosenfeld, and Kolter 2019; Hein and Andriushchenko 2017; Wong et al. 2018; Raghunathan, Steinhardt, and Liang 2018; Wong and Kolter 2018) . However, this approach’s successes are largely limited to simple DNN architectures and datasets with low resolution.

Some works such as (Russakovsky et al. 2015) showed that an ensemble of different models improves the generalizability in image classification tasks. It then turns out that the ensemble model is also successful defenses against AXs. (Pang et al. 2019) proposed adaptive diversity promotion (ADP), which trains an ensemble of models so that their non-maximal predictions vary largely. Since non-maximal predictions differ greatly, it is hard to align them to maximal prediction in an AX.

Despite the relative success of the ensemble model, all of the works are validated only for classifications. We can directly integrate the adaptive diversity promoting (ADP) method into the angular margin penalty for feature extraction. We assume that our ensemble is composed of K models, and thus all parameters have K duplicates. Each model predicts over n labels in training. Let the output of the k-th model that represents the j-th label in the ensemble be gk;j . The ensemble prediction Gj for the j-th label is the average of all the output of predictions. That is, Gj (x) = K1 PkK=1 gk;j (x). Then, Shannon Entropy of the distribution fGj gj=1;:::;n is H(G(x)) =

N X Gj (x) log(Gj (x)): j=1

Let gk;ny 2 Rn 1 be such an (n 1)- dimensional vector that is gk 2 Rn except for the y-th element, i.e., true prediction. Let g~k;ny 2 Rn 1 be L2-normalized gk;ny 2 Rn 1, and let an (n 1) K matrix M (x; y) = (g~1;ny(x); : : : ; g~K;ny(x)) 2 R(n 1) K . Then, the ensemble diversity of non-maximal (y) prediction of x is

ED(x; y) = det(T M (x; y) M (x; y)): Here, the operation of ” ” is the multiplication of K (n 1) matrix and (n 1) K matrix, whose result is K K matrix. Geometrically, it is the volume of spaces that fg~1;ny(x); : : : ; g~K;ny(x)g spans. With hyperparameters and , the regularizer for promoting adaptive diversity is ADP ; (x; y) =

H(G(x)) +

log(ED(x; y)): k

With fLM; ; (x; y)gk=1;:::;K where M represents either ArcFace or CosFace by ARC or COS, the ADP method trains the model by optimizing parameters for minimum K X k=1 LE;M;ADP; ; ; ; :=

k LM; ; (x; y)

ADP ; (x; y):

The feature extractor is the normalized penultimate layer output (f~k 2 Rd)k=1;:::;K . We let the ensemble features F be the average of all the output of features extractors as which we can compare to the original k(x; `) such that F (x) = 1 N

X f~k(x): K k=1 Here, we omitted . We use the Euclidean distance between the above ensemble feature F (x) of the input x and the registered feature F (x0) of another input x0 as a measure of similarity for our verification task.

We will later see in our experiments that ADP scarcely enhances the robustness of the network against AXs. We see its cause as below. Let normalized weight vectors of the final layer by all the models be fW~ `kg(k;`)2f1;:::;Kg f1;:::;ng. Here, k runs for models in the ensemble, and ` runs for labels. Let ff~kgk be the feature extractors. Again, k runs for models in the ensemble. The diversity promotion in the ensemble aims to enforce any perturbation to input x brings it to such x0 that features ff~k(x0)gk of different models are close to W~ `k of different `’s. The ADP is likely to achieve such a property. However, the difference in directions of features does not imply the difference of directions from learned features, i.e., the weight vectors. For example, suppose that f~1(x) near W~ 11 moves to a very different direction from the direction of which f~2(x) near W~ 12 moves when we perturb x by . However, if these directions are such that f~1(x) moves to W~ 21 and that f~2(x) moves to W~ 22, the difference in directions does not prevent AXs. Since weight vectors are independent among different models, the previous approaches do not prevent such situations from occurring. Therefore, we need to promote the diversity of features among all the ensemble models to be diverse relative to respective weight vectors’ positions.

We propose to share weight vectors fW~ `kg(k;`)2f1;:::;Kg f1;:::;ng of the final layer by all the models. We propose W~ `k for all k are the same and let W~ ` denote it. The change promotes all the label y features to be close to the same W~ y independent of models. Hence, the adversary needs to find the perturbation of x, which moves all features ff~k(x)gk=1;:::;K from W~ y to W~ y0 . Suppose the directions of the susceptibility of features to perturbation are different among different models. Then, it is hard for an adversary to find perturbation that moves features in the same direction. If we promote diversity of features, we can expect the chart of features around weight vector are different among models and can expect that the ensemble increases its robustness to AXs.

~

We call the weight vector W` that all models share as shared representative weight vectors (SRV). Let k(x; `) be the angle, i.e., the arc, between W~ ` and f~k(x) in Rd. That is, k(x; `) is such that, cos k(x; `) = W~ ` f~k(x); cos k(x; `) =

W`k fk(x) kW`kk kfk(x)k = W~ `k f~k(x): We have the loss function with the shared representative weight vector as =

LE;ARC;SRV; ; (x; y) K X log k=1

e cos( k(x;y)+ ) e cos( k(x;y)+ ) + P`2f1;:::;ngny e cos k(x;`) : We expect that feature extractors trained by the following loss function are robust to AXs.

LE;ARC;SRV;F DP; ; ; (x; y) =

LE;ARC;SRV; ; (x; y)

FDP (x): We define LE;COS;SRV;F DP; ; ; (x; y) similarly. Feature Diversity Promotion: In ADP, we promote nonmaximal predictions of models in the ensemble to be diverse. However, it is a feature that we want it hard for adversaries to manipulate rather than predictions. Hence, we choose to promote the diversity of ensemble features directly. We can measure the diversity EDfeat of ensemble features at x in the same manner as before. Let F~(x) = (f~1(x); : : : ; f~K (x)) 2 Rd K be d K matrix. Then,

EDfeat(x) = det(T F~(x) F~(x)) Here, the determinant is on the K K matrix. We promote the ensemble feature extractors to be such that their features are diverse by the following regularizer.

FDP (x) =

log(EDfeat(x)) The weighting coefficient is a hyperparameter. The regularizer has no term of Shannon entropy, unlike ADP ; , since we do not need to balance features with values such as maximal prediction in ADP.

We followed the same training process that is in (Deng et al. 2019) . We adopt an MS1MV2 dataset (Deng et al. 2019) , the refined version of the MS-Celeb-1M dataset, for the training, and VGG2 for the verification. The training dataset in the MS1MV2 dataset includes 5.8M face images and 85K identities. For data preprocessing, we crop face images to the size of 112 112 and align face images by utilizing MTCNN (Zhang et al. 2016) .

For the embedding network, we employ the widely used CNN architecture, MobileFacenet (Chen et al. 2018) . After the last convolutional layer, we explore the BN (Ioffe and Szegedy 2015) -Dropout (Srivastava et al. 2014) -FC-BN structure to get the final 512-dimensional embedding feature.

We follow (Wang et al. 2018) to set the feature to scale = 64 and choose the angular margin of ArcFace at = 0:5. We choose the angular margin of CosFace at = 0:35.

We set the batch size to 256 and train the ensemble consisting of three feature extractors on one NVIDIA Tesla V100 (32GB) GPU. We set the initial learning rate is 10 3, and we divide it by 10 at 12, 15, and 18 epoch. The training process finishes at 20 epoch.

We have experimented with the effectiveness of regularizers ADP ; (x; y) and FDP (x) to the robustness of feature extractors trained by the ensemble model of ArcFace and CosFace. The hyperparameter of regularizers we tested are ( ; ) = (2:0; 0:5); (2:0; 10:0), and (2:0; 50:0) for ADP, and = 1:0; 10:0, and 50:0 for FDP. We also compared our method with one of the best adversarial training, which exploits margin-based triplet embedding regularization (Zhong and Deng 2019) . They have not experimented with MobileFacenet that we adopted. They also observed that the robustness varies depending on the margin in the triplet embedding regularization term. Hence, we tried several hyperparameter values of m = 0:2; 0:6; 1:4, and 3:0 to find the best one for MobileFacenet.

We applied attacks such as I-FGSM, BIM, and CW to the following models in the LOTS framework. (1) ”single model,” which is the original model, (2) ”baseline,” which is a simple ensemble of original models, (3) ”ADP,” which is a simple ensemble model with ADP regularizer, and (4) ”FDP” which is a simple ensemble model with FDP regularizer. (5) ”SRV,” which is an ensemble with a shared representative vector, (6) ”SRV+ADP,” which is SRV with ADP regularizer, (7) ”AdvT for m = 0:2; 0:6; 1:4; 3:0,” which is adversarial training, and (8) ”Our method,” which is our full model that has SRV with FDP regularizer. The number of models in each ensemble is three (K = 3).

All the attacks are adaptive, which means we applied methods to robustified networks. We could compare our method to only those previous methods we experimented with ourselves since their reported results are in different conditions.

We verified the accuracy of verifications on the VGG2 dataset. Table 1 shows ROC-AUCs of the single model, ADP, AdvT, and our method (SRV+FDP) for ArcFace and CosFace. The hyperparameters resulting from best ROCAUC are ( ; ) = (2:0; 0:5), m = 0:6, and = 10:0. Our proposed SRV+FDP is not only no worse than the original single model but performs best.

We also show the accuracy of verification on several legitimate datasets of different conditions in Table 2.

single model SRV+ADP

89:60 89:71 86:20 89:94 90:94 86:62 90:80 89:97 88:29 88:33 91:14 94:22 94:15 90:52 94:13 94:93 93:98 94:38 95:15 93:07 92:43 94:97

These datasets are FW (Huang et al. 2007), AgeDB30 (Moschoglou et al. 2017) , and CFP-FP (Sengupta et al. 2016) , which provide face data in an unconstrained setting. We can see that our SRV+FDP is remarkably often better slightly than the single model. On the other hand, ADP and SRV+ADP are often worse than the single model. We can use our method in tandem with other methods. The experiments are with ArcFace and CosFace.

We generate AXs by LOTS with I-FGSM, BIM, and CW in a white-box setting. We did not limit the number of iterations in all attacks, which swells more than 1,000 in some cases. We chose a rather large boundary ( = 0:1) in BIM. We randomly sample 1000 pairs of different identity images from the VGG2 test dataset and generated 500 AXs. As we imposed less on AXs, all the attacks have been successful with their different perturbation sizes. We let the learning rate of underlying SGD to be 0:1. We note that we can still recognize images with the largest perturbation by our human eyes.

We compared the robustness of various methods through the size of perturbation. We define the -attack success rate as

Acc = jfxadvjxadv 2 AX ; kxadv xsk2 <

gj : (1) jAX j Here, xs is a legitimate sample, and xadv is the AX created from xs. AX is a set of all the successful AXs generated in the white-box setting. This measurement represents the proportion of adversarial samples whose perturbation size is less than to all legitimate images. We can say that the larger perturbation we need to fool feature extractors, the more robust they are.

Graphs in the upper row of Figure 2 show the Acc of LOTS via I-FGSM, BIM, and CW, respectively, for ArcFace. We observed that (1) the baseline, ADP, and the FDP do not enhance the robustness against AXs in a noticeable manner, (2) SRV alone enhances robustness, (3) the addition of ADP to SRV does not enhance robustness, (4) Our

We first generate AXs by LOTS with I-FGSM, BIM, and CW to the single model in a white-box setting. We generated several sets of AXs with different distances between their features and the target features. All of their distances are sufficiently small that all AXs are successful attacks. Although a class with a smaller distance is hard to generate, we successfully generated AX for all input images by searching for a longer time. On average, it took 10.97 seconds to generate an AX whose distance from the target is 0.2. As in the white-box setting experiments, we did not restrict the number of iterations; we chose a rather large perturbation boundary. We applied these AX to each model for the evaluation, whose results are in graphs in Figure 4.

The results show that our method has significantly suppressed the transferability of AXs. We could also see a clear relation between the transferability of the AXs and the distance between features. We consider it because our ensemble uses the same single model. The transferability surprisingly reaches 1 when the distance between AX and the target in feature space becomes sufficiently small. However, this comes with a much larger perturbation in input images, as shown in Figure 5. The transferability of all models approaches zero as the distance between features becomes large. It is so because AX becomes no longer a successful one with such a large distance. That we eventually have complete transferability with a small distance in feature space indicates that an essential improvement within a single model is necessary, unless we can strictly forbid the small size of perturbation by some means. We consider this is a clear limitation of the ensemble model method.