Abstract:Although face recognition starts to play an important role in our daily life, we need to pay attention that data-driven face recognition vision systems are vulnerable to adversarial attacks. However, the current two categories of adversarial attacks, namely digital attacks and physical attacks both have drawbacks, with the former ones impractical and the latter one conspicuous, high-computational and inexecutable. To address the issues, we propose a practical, executable, inconspicuous and low computational adversarial attack based on LED illumination modulation. To fool the systems, the proposed attack generates imperceptible luminance changes to human eyes through fast intensity modulation of scene LED illumination and uses the rolling shutter effect of CMOS image sensors in face recognition systems to implant luminance information perturbation to the captured face images. In summary,we present a denial-of-service (DoS) attack for face detection and a dodging attack for face verification. We also evaluate their effectiveness against well-known face detection models, Dlib, MTCNN and RetinaFace , and face verification models, Dlib, FaceNet,and ArcFace.The extensive experiments show that the success rates of DoS attacks against face detection models reach 97.67%, 100%, and 100%, respectively, and the success rates of dodging attacks against all face verification models reach 100%.

What problem does this paper attempt to address?

The paper primarily aims to address the security vulnerabilities of facial recognition systems when faced with adversarial attacks. Specifically, the researchers focus on the limitations of the two main types of current adversarial attacks (digital attacks and physical attacks): 1. Digital attacks, although effective, are impractical because they require direct manipulation of the image data input into the facial recognition system, which is difficult to achieve in the real world; 2. Physical attacks, while feasible, are too conspicuous, computationally expensive, and difficult to execute because these attacks usually require wearing additional devices or stickers, which are easily noticeable. To address the above issues, the paper proposes a novel physical adversarial attack method based on LED illumination modulation (LIM), which generates brightness changes imperceptible to the human eye by rapidly adjusting the intensity of LED light sources in the environment. Utilizing the rolling shutter effect of CMOS image sensors, this method can implant subtle interference patterns in the captured facial images, thereby deceiving the facial recognition system. The LIM method described in the paper has the following characteristics: - **Stealthiness**: Since the modulation frequency is far beyond the range perceivable by the human eye, it does not attract attention. - **Feasibility**: It can be implemented without direct contact with the target object. - **Low computational cost**: Compared to other physical attack schemes, LIM is simpler and more efficient to implement. The LIM method can achieve two types of attacks: - **Denial of Service (DoS) attack**: By implanting wider dark stripes during the face detection phase, the facial recognition system is unable to detect facial features. - **Evasion attack**: By implanting narrower dark stripes during the feature matching phase, it alters the facial feature vectors, causing different faces to be mistaken for the same person. The researchers conducted experimental evaluations on popular face detection models (such as Dlib, MTCNN, and RetinaFace) and face verification models (such as Dlib, FaceNet, and ArcFace). The results showed that the success rates of DoS attacks reached 97.67%, 100%, and 100%, respectively, while the success rate of evasion attacks was 100% for all tested face verification models. In summary, the main contribution of this paper is the proposal of a new physical adversarial attack method that not only enhances the stealthiness and feasibility of attacks but also reduces computational costs, thereby posing new challenges to the security of facial recognition systems.

Imperceptible Physical Attack against Face Recognition Systems via LED Illumination Modulation

An Illumination Modulation-Based Adversarial Attack Against Automated Face Recognition System.

Demons Hidden in the Light: Unrestricted Adversarial Illumination Attacks

A Small Sticker is Enough: Spoofing Face Recognition Systems Via Small Stickers

Rethinking the Threat and Accessibility of Adversarial Attacks against Face Recognition Systems

Adversarial Attacks on Face Recognition System in Physical Domain

Invisible Mask: Practical Attacks on Face Recognition with Infrared.

Multi-modal Spoofing Attacks on 3D Face Liveness Detection Via a Single 2D Photo

Invisible Adversarial Attacks on Deep Learning-Based Face Recognition Models.

Adversarial Attack on Facial Recognition using Visible Light

Effective and Robust Physical-World Attacks on Deep Learning Face Recognition Systems

Light Can Hack Your Face! Black-box Backdoor Attack on Face Recognition Systems

Robust Attacks on Deep Learning Face Recognition in the Physical World

VLA: A Practical Visible Light-based Attack on Face Recognition Systems in Physical World

Physical-World Optical Adversarial Attacks on 3D Face Recognition

Robust Physical-World Attacks on Face Recognition

State-of-the-art optical-based physical adversarial attacks for deep learning computer vision systems

Clean-Label Attack on Face Authentication Systems Through Rolling Shutter Mechanism

Imperceptible CMOS camera dazzle for adversarial attacks on deep neural networks

Research of Adversarial Attack Method in Face Recognition System