Stealthy Physical Masked Face Recognition Attack via Adversarial Style Optimization

TL;DR

This paper introduces a novel physical attack method on face recognition systems using adversarial style masks that are stealthy and effective in both digital and real-world scenarios, exploiting style optimization techniques.

Contribution

It proposes an adversarial style mask generator with style optimization to create stealthy, targeted physical attacks on face recognition models, improving attack effectiveness and transferability.

Findings

Effective in digital and physical attack scenarios

High transferability across different models

Stealthy masks evade human detection

Abstract

Deep neural networks (DNNs) have achieved state-of-the-art performance on face recognition (FR) tasks in the last decade. In real scenarios, the deployment of DNNs requires taking various face accessories into consideration, like glasses, hats, and masks. In the COVID-19 pandemic era, wearing face masks is one of the most effective ways to defend against the novel coronavirus. However, DNNs are known to be vulnerable to adversarial examples with a small but elaborated perturbation. Thus, a facial mask with adversarial perturbations may pose a great threat to the widely used deep learning-based FR models. In this paper, we consider a challenging adversarial setting: targeted attack against FR models. We propose a new stealthy physical masked FR attack via adversarial style optimization. Specifically, we train an adversarial style mask generator that hides adversarial perturbations inside style masks. Moreover, to ameliorate the phenomenon of sub-optimization with one fixed style, we propose to discover the optimal style given a target through style optimization in a continuous relaxation manner. We simultaneously optimize the generator and the style selection for generating strong and stealthy adversarial style masks. We evaluated the effectiveness and transferability of our proposed method via extensive white-box and black-box digital experiments. Furthermore, we also conducted physical attack experiments against local FR models and online platforms.