Palmprint recognition is deployed in security-critical applications, including access control and palm-based payment, due to its contactless acquisition and highly discriminative ridge-and-crease textures. However, the robustness of deep palmprint recognition systems against physically realizable attacks remains insufficiently understood. Existing studies are largely confined to the digital setting and do not adequately account for the texture-dominant nature of palmprint recognition or the distortions introduced during physical acquisition. To address this gap, we propose CAAP, a capture-aware adversarial patch framework for palmprint recognition. CAAP learns a universal patch that can be reused across inputs while remaining effective under realistic acquisition variation. To match the structural characteristics of palmprints, the framework adopts a cross-shaped patch topology, which enlarges spatial coverage under a fixed pixel budget and more effectively disrupts long-range texture continuity. CAAP further integrates three modules: ASIT for input-conditioned patch rendering, RaS for stochastic capture-aware simulation, and MS-DIFE for feature-level identity-disruptive guidance. We evaluate CAAP on the Tongji, IITD, and AISEC datasets against generic CNN backbones and palmprint-specific recognition models. Experiments show that CAAP achieves strong untargeted and targeted attack performance with favorable cross-model and cross-dataset transferability. The results further show that, although adversarial training can partially reduce the attack success rate, substantial residual vulnerability remains. These findings indicate that deep palmprint recognition systems remain vulnerable to physically realizable, capture-aware adversarial patch attacks, underscoring the need for more effective defenses in practice. Code available at https://github.com/ryliu68/CAAP.

翻译：摘要：掌纹识别凭借其非接触式采集方式和高度区分性的脊线与褶皱纹理，已部署于门禁控制、掌上支付等安全关键型应用。然而，深度掌纹识别系统对物理可实现攻击的鲁棒性仍未得到充分理解。现有研究主要局限于数字环境，未充分考虑掌纹识别的纹理主导特性以及物理采集过程中引入的畸变。针对这一空白，我们提出CAAP——一种面向掌纹识别的捕获感知对抗补丁框架。CAAP学习一种可跨输入重复使用且在真实采集变化下保持有效的通用补丁。为匹配掌纹的结构特征，该框架采用十字形补丁拓扑，在固定像素预算下扩大空间覆盖范围，更有效地破坏长程纹理连续性。CAAP进一步集成三个模块：用于输入条件补丁渲染的ASIT、用于随机捕获感知仿真的RaS，以及用于特征级身份破坏引导的MS-DIFE。我们在Tongji、IITD和AISEC数据集上，针对通用CNN骨干网络和掌纹专用识别模型评估了CAAP。实验表明，CAAP在非定向和定向攻击任务中均展现出强大性能，并具有良好的跨模型和跨数据集可迁移性。结果进一步显示，尽管对抗训练可部分降低攻击成功率，但残余脆弱性仍显著存在。这些发现表明，深度掌纹识别系统仍易受物理可实现的、捕获感知的对抗补丁攻击，凸显了实践中需发展更有效防御的必要性。代码可见于https://github.com/ryliu68/CAAP。