Face recognition pipelines have been widely deployed in mission-critical systems as part of trustworthy, equitable and responsible AI applications. However, the emergence of adversarial attacks has threatened the security of the entire recognition pipeline. Despite the sheer number of attack methods proposed for crafting adversarial examples in both digital and physical forms, it is never an easy task to assess the real threat level of different attacks and to obtain useful insight into the key risks confronting face recognition systems. Traditional attacks treat imperceptibility as the most important measure for keeping perturbations stealthy, while we suspect that industry professionals may hold a different opinion. In this paper, we delve into measuring the threat posed by adversarial attacks from the perspective of industry and of the applications of face recognition. In contrast to the sophisticated attacks widely studied in the field, we propose an effective yet easy-to-launch physical adversarial attack, named AdvColor, against black-box face recognition pipelines in the physical world. AdvColor fools the models in the recognition pipeline by directly presenting printed photos of human faces to the system under adversarial illumination. Experimental results show that physical AdvColor examples achieve a fooling rate of more than 96% against the anti-spoofing model and an overall attack success rate of 88% against the face recognition pipeline. We also conduct a survey on the threats of prevailing adversarial attacks, including AdvColor, to understand the gap between the machine-measured and human-assessed threat levels of different forms of adversarial attacks. The survey results surprisingly indicate that, compared to deliberately crafted imperceptible attacks, perceptible but accessible attacks pose more lethal threats to real-world commercial face recognition systems.