Real-World Transferable Adversarial Attack on Face-Recognition Systems
This work addresses a security threat for face recognition systems by demonstrating a practical and severe vulnerability, though it is incremental as it builds on existing adversarial attack methods.
The paper tackled the problem of adversarial attacks on face recognition systems by introducing GaP, a method that generates a universal, physically transferable adversarial patch under a black-box setting, achieving a high attack success rate in digital and real-world tests with approximately 10,000 queries and strong transferability to unseen models.
Adversarial attacks on face recognition (FR) systems pose a significant security threat, yet most are confined to the digital domain or require white-box access. We introduce GaP (Gaussian Patch), a novel method to generate a universal, physically transferable adversarial patch under a strict black-box setting. Our approach uses a query-efficient, zero-order greedy algorithm to iteratively construct a symmetric, grayscale pattern for the forehead. The patch is optimized by successively adding Gaussian blobs, guided only by the cosine similarity scores from a surrogate FR model to maximally degrade identity recognition. We demonstrate that with approximately 10,000 queries to a black-box ArcFace model, the resulting GaP achieves a high attack success rate in both digital and real-world physical tests. Critically, the attack shows strong transferability, successfully deceiving an entirely unseen FaceNet model. Our work highlights a practical and severe vulnerability, proving that robust, transferable attacks can be crafted with limited knowledge of the target system.