Adversarial attacks on Face Recognition (FR) encompass two types: impersonation attacks and evasion attacks. We observe that achieving a successful impersonation attack on FR does not necessarily ensure a successful dodging attack on FR in the black-box setting. We introduce a novel attack method named Pre-training Pruning Restoration Attack (PPR), which aims to enhance the performance of dodging attacks while avoiding the degradation of impersonation attacks. Our method employs adversarial example pruning, which sets a portion of the adversarial perturbations to zero while tending to maintain the attack performance. Using adversarial example pruning, we prune the pre-trained adversarial examples and selectively free up certain adversarial perturbations. We then embed adversarial perturbations in the pruned area, which enhances the dodging performance of the adversarial face examples. Our experimental results demonstrate the effectiveness of the proposed attack method and its superior performance.