Robust Attacks on Deep Learning Face Recognition in the Physical World

TL;DR

This paper introduces FaceAdv, a physical-world attack method using adversarial stickers to deceive face recognition systems, demonstrating high success rates and robustness across multiple systems and environments.

Contribution

It presents a novel physical attack method with a sticker generator and transformer, improving attack success and robustness over previous digital-only approaches.

Findings

FaceAdv significantly outperforms prior attacks in success rate.

It is effective against multiple face recognition systems.

The attack remains robust in various physical environments.

Abstract

Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which can potentially mislead the FR systems using DNNs in the physical world. Existing attacks on these systems either generate perturbations working merely in the digital world, or rely on customized equipments to generate perturbations and are not robust in varying physical environments. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a transformer, where the former can craft several stickers with different shapes and the latter transformer aims to digitally attach stickers to human faces and provide feedbacks to the generator to improve the effectiveness of stickers. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking 3 typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve success rate of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.