CAAP: Capture-Aware Adversarial Patch Attacks on Palmprint Recognition Models

TL;DR

This paper introduces CAAP, a capture-aware adversarial patch framework designed to attack palmprint recognition systems effectively under realistic physical conditions, revealing their residual vulnerabilities.

Contribution

The work presents a novel cross-shaped patch topology and modules for realistic simulation, improving attack transferability and exposing vulnerabilities in palmprint recognition models.

Findings

CAAP achieves high attack success rates across models and datasets.

Adversarial training only partially mitigates the attack effectiveness.

Deep palmprint systems remain vulnerable to capture-aware adversarial patches.

Abstract

Palmprint recognition is deployed in security-critical applications, including access control and palm-based payment, due to its contactless acquisition and highly discriminative ridge-and-crease textures. However, the robustness of deep palmprint recognition systems against physically realizable attacks remains insufficiently understood. Existing studies are largely confined to the digital setting and do not adequately account for the texture-dominant nature of palmprint recognition or the distortions introduced during physical acquisition. To address this gap, we propose CAAP, a capture-aware adversarial patch framework for palmprint recognition. CAAP learns a universal patch that can be reused across inputs while remaining effective under realistic acquisition variation. To match the structural characteristics of palmprints, the framework adopts a cross-shaped patch topology, which enlarges spatial coverage under a fixed pixel budget and more effectively disrupts long-range texture continuity. CAAP further integrates three modules: ASIT for input-conditioned patch rendering, RaS for stochastic capture-aware simulation, and MS-DIFE for feature-level identity-disruptive guidance. We evaluate CAAP on the Tongji, IITD, and AISEC datasets against generic CNN backbones and palmprint-specific recognition models. Experiments show that CAAP achieves strong untargeted and targeted attack performance with favorable cross-model and cross-dataset transferability. The results further show that, although adversarial training can partially reduce the attack success rate, substantial residual vulnerability remains. These findings indicate that deep palmprint recognition systems remain vulnerable to physically realizable, capture-aware adversarial patch attacks, underscoring the need for more effective defenses in practice. Code available at https://github.com/ryliu68/CAAP.