ML Security PapersCAAP: Capture-Aware Adversarial Patch Attacks on Palmprint Recognition Models
Renyang Liu 1, Jiale Li 1, Jie Zhang 2, Cong Wu 3, Xiaojun Jia 4, Shuxin Li 4, Wei Zhou 5, Kwok-Yan Lam 4, See-kiong Ng 1
Published on arXiv
2604.06987
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves strong untargeted and targeted attack success rates with cross-model transferability; adversarial training only partially mitigates the attack
CAAP
Novel technique introduced
Palmprint recognition is deployed in security-critical applications, including access control and palm-based payment, due to its contactless acquisition and highly discriminative ridge-and-crease textures. However, the robustness of deep palmprint recognition systems against physically realizable attacks remains insufficiently understood. Existing studies are largely confined to the digital setting and do not adequately account for the texture-dominant nature of palmprint recognition or the distortions introduced during physical acquisition. To address this gap, we propose CAAP, a capture-aware adversarial patch framework for palmprint recognition. CAAP learns a universal patch that can be reused across inputs while remaining effective under realistic acquisition variation. To match the structural characteristics of palmprints, the framework adopts a cross-shaped patch topology, which enlarges spatial coverage under a fixed pixel budget and more effectively disrupts long-range texture continuity. CAAP further integrates three modules: ASIT for input-conditioned patch rendering, RaS for stochastic capture-aware simulation, and MS-DIFE for feature-level identity-disruptive guidance. We evaluate CAAP on the Tongji, IITD, and AISEC datasets against generic CNN backbones and palmprint-specific recognition models. Experiments show that CAAP achieves strong untargeted and targeted attack performance with favorable cross-model and cross-dataset transferability. The results further show that, although adversarial training can partially reduce the attack success rate, substantial residual vulnerability remains. These findings indicate that deep palmprint recognition systems remain vulnerable to physically realizable, capture-aware adversarial patch attacks, underscoring the need for more effective defenses in practice. Code available at https://github.com/ryliu68/CAAP.
Key Contributions
- Cross-shaped universal adversarial patch topology designed for palmprint texture structure
- Capture-aware attack framework (ASIT, RaS, MS-DIFE modules) that accounts for physical acquisition distortions
- Demonstration of cross-model and cross-dataset transferability with residual vulnerability even under adversarial training
🛡️ Threat Analysis
Develops adversarial patches that cause misclassification in palmprint recognition at inference time. The attack uses gradient-based optimization to craft universal patches that manipulate model predictions through input perturbations, and explicitly addresses physical realizability through capture-aware simulation.