Rethinking the Threat and Accessibility of Adversarial Attacks against Face Recognition Systems

Yuxin Cao, Yumeng Zhu, Derui Wang, Sheng Wen, Minhui Xue, Jin Lu, Hao Ge
2024-07-11
Abstract: Face recognition pipelines have been widely deployed in various mission-critical systems in trust, equitable and responsible AI applications. However, the emergence of adversarial attacks has threatened the security of the entire recognition pipeline. Despite the sheer number of attack methods proposed for crafting adversarial examples in both digital and physical forms, it is never an easy task to assess the real threat level of different attacks and obtain useful insight into the key risks confronted by face recognition systems. Traditional attacks view imperceptibility as the most important measurement to keep perturbations stealthy, while we suspect that industry professionals may possess a different opinion. In this paper, we delve into measuring the threat brought about by adversarial attacks from the perspectives of the industry and the applications of face recognition. In contrast to widely studied sophisticated attacks in the field, we propose an effective yet easy-to-launch physical adversarial attack, named AdvColor, against black-box face recognition pipelines in the physical world. AdvColor fools models in the recognition pipeline via directly supplying printed photos of human faces to the system under adversarial illuminations. Experimental results show that physical AdvColor examples can achieve a fooling rate of more than 96% against the anti-spoofing model and an overall attack success rate of 88% against the face recognition pipeline. We also conduct a survey on the threats of prevailing adversarial attacks, including AdvColor, to understand the gap between the machine-measured and human-assessed threat levels of different forms of adversarial attacks. The survey results surprisingly indicate that, compared to deliberately launched imperceptible attacks, perceptible but accessible attacks pose more lethal threats to real-world commercial systems of face recognition.
Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
### Problems the Paper Tries to Solve

The paper "Rethinking the Threat and Accessibility of Adversarial Attacks against Face Recognition Systems" examines the threat that adversarial attacks pose to the security of face recognition systems. Specifically, it addresses the following problems:

1. **Evaluate the True Threat Levels of Different Adversarial Attacks**: Although many methods for generating adversarial examples already exist, it remains difficult to assess the real threat level of these attacks in practical deployments. The paper measures the threat of adversarial attacks from the perspectives of industry and application in order to obtain more practical risk insights.
2. **Propose an Effective Physical Adversarial Attack Method**: Existing adversarial attack methods usually require substantial computing resources and a large number of queries, and are harder to realize in the physical world. The paper proposes a simple and effective physical attack, AdvColor, which fools face recognition systems by changing the ambient lighting under which a printed portrait photo is presented.
3. **Investigate the Views of Industry Professionals on Different Forms of Adversarial Attacks**: Academic work usually treats imperceptible adversarial attacks as the more serious threat, but industry professionals may see it differently. Through a survey, the paper captures how industry professionals perceive the threat of different forms of adversarial attacks and finds that perceptible but easy-to-implement attacks pose a greater threat to real commercial systems.

### Main Contributions of the Paper

1. **An Efficient Black-Box Physical Adversarial Attack, AdvColor**: The method has the following advantages:
   - **Easy to Implement**: It needs only simple devices (such as smart bulbs).
   - **High Efficiency**: Compared with attacks in the image domain, AdvColor substantially reduces the number of queries while achieving a high fooling rate.
   - **Reusable**: Ubiquitous devices can create a persistent adversarial environment in the real world.
2. **A Survey Exploring the Gap between Laboratory Measurements and Real-World Threats**: The survey results show that industry insiders are more concerned about perceptible but low-cost attacks than about theoretically complex but imperceptible ones.
3. **New Threat Quantification Metrics**: The paper suggests replacing imperceptibility with new metrics for quantifying the threat level of adversarial attacks, because industry professionals believe that simple but effective attacks like AdvColor already threaten commercial products and may have far-reaching negative impacts.

### Method Overview

The core of AdvColor is to generate adversarial examples by optimizing a color filter and then to realize the attack in the physical world by changing the lighting conditions. The specific steps are:

1. **Problem Definition**: The goal is to get a printed portrait photo accepted by a face recognition system, so that it passes three stages: anti-spoofing detection, quality assessment, and identity matching.
2. **Threat Model**: The paper focuses on the physical black-box setting, in which the attacker searches for the best adversarial RGB filter on a computer and then uses commonly available devices to reproduce the adversarial lighting in the physical world.
3. **Method Implementation**:
   - **Color Filter Optimization**: The Particle Swarm Optimization (PSO) algorithm is used to search efficiently for the best color filter, since the optimization problem is low-dimensional.
   - **Adaptation to Physical Attacks**: The robustness of the generated adversarial examples is improved by introducing multiple transformations (such as lighting, brightness, and gamma correction) during optimization.
4. **Experimental Verification**: The paper benchmarks AdvColor in digital and physical environments, verifies its effectiveness in fooling the models, and investigates its ability to bypass adversarial defenses.

### Conclusion

By proposing AdvColor, the paper shows the serious threat that perceptible but easy-to-implement adversarial attacks pose to real commercial systems. By surveying industry professionals, it also reveals the gap in perception between academia and industry, and calls on academia to pay more attention to such attacks and their potential mitigations.
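The method overview above names three pixel-space transformations (a color filter standing in for colored ambient light, a brightness change, and gamma correction) and notes that the filter search space is only three-dimensional. The following is an added example, not code from the paper or its authors, showing how a defender can use the same transformation set as a robustness audit of their own liveness or quality model: it sweeps a coarse grid of RGB filters, applies the brightness and gamma variations after each one, and reports the worst-case score and the fraction of combinations that push the score below the acceptance threshold. The toy image, the `toy_liveness_score` stand-in model, the grid of eight filters, and the specific brightness and gamma values are all constructed for illustration and are not taken from the paper.

```python
"""Illumination-robustness audit for an image scorer (constructed example).

Images are lists of (r, g, b) pixels with channels in [0, 1] so the script
runs with the standard library only. The three transformations mirror those
named in the paper's summary; their parameter values are assumptions.
"""
from itertools import product

TOY_IMAGE = [(0.6, 0.5, 0.4)] * 16          # constructed 4x4 flat "skin-tone" patch
CANDIDATE_FILTERS = [f for f in product((0.5, 1.0), repeat=3)]   # coarse 2^3 grid
BRIGHTNESS_DELTAS = (-0.1, 0.0, 0.1)        # assumed brightness variation
GAMMAS = (0.8, 1.0, 1.25)                   # assumed gamma variation


def _clip(c):
    return min(1.0, max(0.0, c))


def apply_rgb_filter(img, rgb):
    """Colored illumination model: scale each channel by the filter value."""
    return [tuple(_clip(c * f) for c, f in zip(px, rgb)) for px in img]


def adjust_brightness(img, delta):
    """Additive brightness shift, clipped to the valid range."""
    return [tuple(_clip(c + delta) for c in px) for px in img]


def gamma_correct(img, gamma):
    """Per-channel gamma correction (channels are already in [0, 1])."""
    return [tuple(c ** gamma for c in px) for px in img]


def physical_variants(img, rgb):
    """Every brightness/gamma combination applied after the color filter."""
    filtered = apply_rgb_filter(img, rgb)
    return [gamma_correct(adjust_brightness(filtered, d), g)
            for d, g in product(BRIGHTNESS_DELTAS, GAMMAS)]


def toy_liveness_score(img):
    """Constructed stand-in for an anti-spoofing model: mean(R) - mean(B).

    Positive means 'live'. A real model would be a network; only the
    score_fn interface matters to the audit below.
    """
    n = len(img)
    return sum(px[0] for px in img) / n - sum(px[2] for px in img) / n


def audit_illumination(score_fn, img, filters, threshold):
    """Sweep filters and physical variants; report the worst case.

    Returns the lowest score seen, the filter that produced it, and the
    fraction of (filter, variant) combinations scoring at or below threshold.
    """
    worst_score, worst_filter, flips, total = float("inf"), None, 0, 0
    for rgb in filters:
        for variant in physical_variants(img, rgb):
            s = score_fn(variant)
            total += 1
            if s <= threshold:
                flips += 1
            if s < worst_score:
                worst_score, worst_filter = s, rgb
    return {"worst_score": worst_score, "worst_filter": worst_filter,
            "flip_rate": flips / total, "queries": total}


if __name__ == "__main__":
    report = audit_illumination(toy_liveness_score, TOY_IMAGE,
                                CANDIDATE_FILTERS, threshold=0.0)
    print(f"clean score: {toy_liveness_score(TOY_IMAGE):.3f}")
    print(f"worst score: {report['worst_score']:.3f} under filter {report['worst_filter']}")
    print(f"flip rate: {report['flip_rate']:.2%} over {report['queries']} queries")
```

The full sweep here costs 8 filters times 9 variants, 72 scorer calls, which is the practical point the paper makes about a three-dimensional search space: a defender can exhaustively check a coarse grid of colored-light conditions against their own model at negligible cost, and any filter that flips the decision is a condition worth adding to the model's training or test data.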