AdvGen: Physical Adversarial Attack on Face Presentation Attack Detection Systems
This work addresses security risks for face authentication systems deployed in real-world scenarios, representing a novel physical attack method rather than an incremental improvement.
The paper tackles the vulnerability of face authentication systems to physical adversarial attacks by proposing AdvGen, a GAN-based method that simulates print and replay attacks to fool state-of-the-art Presentation Attack Detection systems, achieving an attack success rate of up to 82.01%.
Evaluating the risk level of adversarial images is essential for safely deploying face authentication models in the real world. Popular approaches for physical-world attacks, such as print or replay attacks, suffer from some limitations, like including physical and geometrical artifacts. Recently, adversarial attacks have gained attraction, which try to digitally deceive the learning strategy of a recognition system using slight modifications to the captured image. While most previous research assumes that the adversarial image could be digitally fed into the authentication systems, this is not always the case for systems deployed in the real world. This paper demonstrates the vulnerability of face authentication systems to adversarial images in physical world scenarios. We propose AdvGen, an automated Generative Adversarial Network, to simulate print and replay attacks and generate adversarial images that can fool state-of-the-art PADs in a physical domain attack setting. Using this attack strategy, the attack success rate goes up to 82.01%. We test AdvGen extensively on four datasets and ten state-of-the-art PADs. We also demonstrate the effectiveness of our attack by conducting experiments in a realistic, physical environment.