Rethinking the Threat and Accessibility of Adversarial Attacks against Face Recognition Systems

TL;DR

This paper introduces AdvColor, a simple physical adversarial attack on face recognition systems, revealing that perceptible attacks can pose greater real-world threats than imperceptible ones, challenging traditional security assumptions.

Contribution

The paper proposes AdvColor, an effective physical attack method against black-box face recognition, and provides insights into threat perception differences between industry and research.

Findings

AdvColor achieves over 96% fooling rate against anti-spoofing models.

Overall attack success rate of 88% on face recognition pipelines.

Perceptible attacks are more threatening in real-world scenarios.

Abstract

Face recognition pipelines have been widely deployed in various mission-critical systems in trust, equitable and responsible AI applications. However, the emergence of adversarial attacks has threatened the security of the entire recognition pipeline. Despite the sheer number of attack methods proposed for crafting adversarial examples in both digital and physical forms, it is never an easy task to assess the real threat level of different attacks and obtain useful insight into the key risks confronted by face recognition systems. Traditional attacks view imperceptibility as the most important measurement to keep perturbations stealthy, while we suspect that industry professionals may possess a different opinion. In this paper, we delve into measuring the threat brought about by adversarial attacks from the perspectives of the industry and the applications of face recognition. In contrast to widely studied sophisticated attacks in the field, we propose an effective yet easy-to-launch physical adversarial attack, named AdvColor, against black-box face recognition pipelines in the physical world. AdvColor fools models in the recognition pipeline via directly supplying printed photos of human faces to the system under adversarial illuminations. Experimental results show that physical AdvColor examples can achieve a fooling rate of more than 96% against the anti-spoofing model and an overall attack success rate of 88% against the face recognition pipeline. We also conduct a survey on the threats of prevailing adversarial attacks, including AdvColor, to understand the gap between the machine-measured and human-assessed threat levels of different forms of adversarial attacks. The survey results surprisingly indicate that, compared to deliberately launched imperceptible attacks, perceptible but accessible attacks pose more lethal threats to real-world commercial systems of face recognition.