attack 2026

AI Evasion and Impersonation Attacks on Facial Re-Identification with Activation Map Explanations

Noe Claudel, Weisi Guo, Yang Xing

0 citations

Published on arXiv

2603.15396

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Reduces mean Average Precision from 90% to 0.4% in white-box evasion attacks and from 72% to 0.4% in black-box settings; achieves 27% success rate in targeted impersonation on CelebA-HQ

Conditional Adversarial Patch Generator with Diffusion-based Naturalization

Novel technique introduced


Facial identification systems are increasingly deployed in surveillance and yet their vulnerability to adversarial evasion and impersonation attacks poses a critical risk. This paper introduces a novel framework for generating adversarial patches capable of both evasion and impersonation attacks against deep re-identification models across non-overlapping cameras. Unlike prior approaches that require iterative patch optimisation for each target, our method employs a conditional encoder-decoder network to synthesize adversarial patches in a single forward pass, guided by multi-scale features from source and target images. The patches are optimised with a dual adversarial objective comprising pull and push terms. To enhance imperceptibility and aid physical deployment, we further integrate naturalistic patch generation using pre-trained latent diffusion models. Experiments on standard pedestrian (Market-1501, DukeMTMC-reID) and facial recognition (CelebA-HQ, PubFig) benchmark datasets demonstrate the effectiveness of the proposed method. Our adversarial evasion attacks reduce mean Average Precision from 90% to 0.4% in white-box settings and from 72% to 0.4% in black-box settings, showing strong cross-model generalization. In targeted impersonation attacks, our framework achieves a success rate of 27% on CelebA-HQ, competing with other patch-based methods. We go further to use clustering of activation maps to interpret which features are most used by adversarial attacks and propose a pathway for future countermeasures. The results highlight the practicality of adversarial patch attacks on retrieval-based systems and underline the urgent need for robust defense strategies.


Key Contributions

  • Conditional encoder-decoder network that generates adversarial patches in a single forward pass without retraining for each target identity
  • Integration of latent diffusion models to produce naturalistic, imperceptible patches suitable for physical deployment
  • Activation map clustering analysis to interpret which features adversarial attacks exploit, proposing pathways for future defenses

🛡️ Threat Analysis

Input Manipulation Attack

Core contribution is adversarial patch generation that causes misclassification at inference time — patches reduce mAP from 90% to 0.4% in evasion attacks and achieve 27% success in targeted impersonation attacks.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box, black_box, inference_time, targeted, untargeted, physical
Datasets
Market-1501, DukeMTMC-reID, CelebA-HQ, PubFig
Applications
facial recognition, person re-identification, surveillance systems