CV · LG · Nov 27, 2020

Robust Attacks on Deep Learning Face Recognition in the Physical World

arXiv:2011.13526v1
AI Analysis

This work addresses the vulnerability of deep learning face recognition systems to physical-world adversarial attacks, which is a security concern for users of these systems.

This paper proposes FaceAdv, a physical-world attack using adversarial stickers to deceive deep learning face recognition systems. FaceAdv significantly improves the success rate of both dodging and impersonating attacks against ArcFace, CosFace, and FaceNet compared to a state-of-the-art attack.

Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which can potentially mislead the FR systems using DNNs in the physical world. Existing attacks on these systems either generate perturbations working merely in the digital world, or rely on customized equipment to generate perturbations and are not robust in varying physical environments. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a transformer, where the former can craft several stickers with different shapes and the latter transformer aims to digitally attach stickers to human faces and provide feedback to the generator to improve the effectiveness of stickers. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking 3 typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve the success rate of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.
