Face recognition is a prevailing authentication solution in numerous biometric applications. Physical adversarial attacks, as an important surrogate, can identify the weaknesses of face recognition systems and evaluate their robustness before deployment. However, most existing physical attacks are either readily detectable or ineffective against commercial recognition systems. The goal of this work is to develop a more reliable technique that can carry out an end-to-end evaluation of adversarial robustness for commercial systems. This requires the technique to simultaneously deceive black-box recognition models and evade defensive mechanisms. To this end, we design adversarial textured 3D meshes (AT3D) with an elaborate topology on a human face, which can be 3D-printed and pasted on the attacker's face to evade the defenses. However, the mesh-based optimization regime calculates gradients in high-dimensional mesh space, and can become trapped in local optima with unsatisfactory transferability. To move away from the mesh-based space, we propose to perturb the low-dimensional coefficient space based on the 3D Morphable Model, which significantly improves black-box transferability while also offering faster search efficiency and better visual quality. Extensive experiments in digital and physical scenarios show that our method effectively explores the security vulnerabilities of multiple popular commercial services, including three recognition APIs, four anti-spoofing APIs, two prevailing mobile phones and two automated access control systems.