attack 2025

Real-World Transferable Adversarial Attack on Face-Recognition Systems

Andrey Kaznacheev 1, Matvey Mikhalchuk 2, Andrey Kuznetsov 3,2, Aleksandr Petiushko 4, Anton Razzhigaev 2,1

0 citations · 18 references · arXiv

Published on arXiv: 2509.23198

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

GaP achieves high attack success rate in real-world physical tests against ArcFace with ~10,000 black-box queries and transfers successfully to an unseen FaceNet model

Novel technique introduced: GaP (Gaussian Patch)


Adversarial attacks on face recognition (FR) systems pose a significant security threat, yet most are confined to the digital domain or require white-box access. We introduce GaP (Gaussian Patch), a novel method to generate a universal, physically transferable adversarial patch under a strict black-box setting. Our approach uses a query-efficient, zero-order greedy algorithm to iteratively construct a symmetric, grayscale pattern for the forehead. The patch is optimized by successively adding Gaussian blobs, guided only by the cosine similarity scores from a surrogate FR model to maximally degrade identity recognition. We demonstrate that with approximately 10,000 queries to a black-box ArcFace model, the resulting GaP achieves a high attack success rate in both digital and real-world physical tests. Critically, the attack shows strong transferability, successfully deceiving an entirely unseen FaceNet model. Our work highlights a practical and severe vulnerability, proving that robust, transferable attacks can be crafted with limited knowledge of the target system.


Key Contributions

  • GaP: a query-efficient zero-order greedy algorithm that iteratively builds a symmetric grayscale forehead patch by successively adding Gaussian blobs guided by cosine similarity scores from a black-box surrogate FR model
  • Demonstrates high physical attack success rate with ~10,000 queries to ArcFace in both digital and print-and-wear real-world trials
  • Shows strong transferability of the generated patch to an entirely unseen FaceNet model despite optimization on ArcFace only

🛡️ Threat Analysis

Input Manipulation Attack

GaP generates physical adversarial patches worn on the forehead that degrade face recognition at inference time — a direct adversarial patch attack optimized via zero-order black-box queries, effective in both digital and real-world physical settings with transferability to unseen models.


Details

Domains: vision
Model Types: cnn
Threat Tags: black_box, inference_time, untargeted, physical, digital
Datasets: CelebA
Applications: face recognition, biometric authentication