Face verification (FV) using deep neural network models has made tremendous progress in recent years, surpassing human accuracy and seeing deployment in various applications such as border control and smartphone unlocking. However, FV systems are vulnerable to Adversarial Attacks, which manipulate input images to deceive these systems in ways usually unnoticeable to humans. This paper provides an in-depth study of attacks on FV systems. We introduce the DodgePersonation Attack, which formulates the creation of face images that impersonate a set of given identities while avoiding being identified as any of the identities in a separate, disjoint set. A taxonomy is proposed to provide a unified view of different types of Adversarial Attacks against FV systems, including Dodging Attacks, Impersonation Attacks, and Master Face Attacks. Finally, we propose the "One Face to Rule Them All" Attack, which implements the DodgePersonation Attack with state-of-the-art performance on a well-known scenario (Master Face Attack) and which can also be used for the new scenarios introduced in this paper. While the state-of-the-art Master Face Attack can produce a set of 9 images to cover 43.82% of the identities in their test database, with 9 images our attack can cover 57.27% to 58.5% of these identities while giving the attacker the choice of the identity to use to create the impersonation. Moreover, the 9 generated attack images appear identical to a casual observer.