Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which potentially mislead DNN-based FR systems in the physical world. Existing attacks either generate perturbations working merely in the digital world, or rely on customized equipment to generate perturbations that are not robust in the ever-changing physical environment. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a convertor, where the former can craft several stickers with different shapes while the latter aims to digitally attach stickers to human faces and provide feedback to the generator to improve the effectiveness. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking three typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve the success rates of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.

中文翻译：

---

对深度学习人脸识别系统的有效且稳健的物理世界攻击


深度神经网络（DNN）越来越多地用于人脸识别（FR）系统。然而，最近的研究表明，DNN 很容易受到对抗性示例的影响，这可能会误导物理世界中基于 DNN 的 FR 系统。现有的攻击要么产生仅在数字世界中起作用的扰动，要么依赖定制设备产生在不断变化的物理环境中不稳健的扰动。在本文中，我们提出了 FaceAdv，这是一种物理世界攻击，可以制作对抗性贴纸来欺骗 FR 系统。它主要由贴纸生成器和转换器组成，前者可以制作多个不同形状的贴纸，而后者旨在将贴纸数字化地粘贴到人脸上并向生成器提供反馈以提高效率。我们进行了大量的实验来评估 FaceAdv 对攻击三种典型的 FR 系统（即 ArcFace、CosFace 和 FaceNet）的有效性。结果表明，与最先进的攻击相比，FaceAdv 可以显着提高躲避和冒充攻击的成功率。我们还进行了全面的评估，以证明 FaceAdv 的稳健性。