On adversarial patches: real-world attack on ArcFace-100 face recognition system

TL;DR

This paper demonstrates a practical method for creating printable adversarial patches that can be physically attached to a person or accessory to fool face recognition systems in real-world scenarios.

Contribution

It introduces a simple, effective technique for generating physical adversarial patches targeting face recognition systems like ArcFace, enabling real-world attacks.

Findings

Adversarial patches can be printed and physically attached to faces or accessories.

The method successfully fools the ArcFace-based face recognition system in real-world tests.

Physical patches can be placed on various facial areas or accessories to alter recognition outcomes.

Abstract

Recent works showed the vulnerability of image classifiers to adversarial attacks in the digital domain. However, the majority of attacks involve adding small perturbation to an image to fool the classifier. Unfortunately, such procedures can not be used to conduct a real-world attack, where adding an adversarial attribute to the photo is a more practical approach. In this paper, we study the problem of real-world attacks on face recognition systems. We examine security of one of the best public face recognition systems, LResNet100E-IR with ArcFace loss, and propose a simple method to attack it in the physical world. The method suggests creating an adversarial patch that can be printed, added as a face attribute and photographed; the photo of a person with such attribute is then passed to the classifier such that the classifier's recognized class changes from correct to the desired one. Proposed generating procedure allows projecting adversarial patches not only on different areas of the face, such as nose or forehead but also on some wearable accessory, such as eyeglasses.