Robust Physical-World Attacks on Face Recognition

TL;DR

This paper introduces PadvFace, a robust physical attack framework on face recognition that models environmental variations and employs curriculum learning, revealing significant vulnerabilities of DNN-based face recognition systems in real-world conditions.

Contribution

The paper presents a novel physical attack framework, PadvFace, and an efficient curriculum adversarial attack algorithm, advancing understanding of face recognition vulnerabilities under physical-world conditions.

Findings

PadvFace outperforms existing physical attack methods.

The attack remains effective under diverse environmental conditions.

A standardized testing protocol enables fair evaluation of physical attacks.

Abstract

Face recognition has been greatly facilitated by the development of deep neural networks (DNNs) and has been widely applied to many safety-critical applications. However, recent studies have shown that DNNs are very vulnerable to adversarial examples, raising serious concerns on the security of real-world face recognition. In this work, we study sticker-based physical attacks on face recognition for better understanding its adversarial robustness. To this end, we first analyze in-depth the complicated physical-world conditions confronted by attacking face recognition, including the different variations of stickers, faces, and environmental conditions. Then, we propose a novel robust physical attack framework, dubbed PadvFace, to model these challenging variations specifically. Furthermore, considering the difference in attack complexity, we propose an efficient Curriculum Adversarial Attack (CAA) algorithm that gradually adapts adversarial stickers to environmental variations from easy to complex. Finally, we construct a standardized testing protocol to facilitate the fair evaluation of physical attacks on face recognition, and extensive experiments on both dodging and impersonation attacks demonstrate the superior performance of the proposed method.