Rudimentary adversarial attacks use additive noise to attack facial recognition (FR) models. However, because manipulating the entire face is impractical in the physical setting, most real-world FR attacks are based on adversarial patches, which limit perturbations to a small area. Previous adversarial patch attacks often resulted in unnatural patterns and clear boundaries that were easily noticeable. In this paper, we argue that generating adversarial patches with plausible content can result in stronger transferability than using additive noise or directly sampling from the latent space. To generate natural-looking and highly transferable adversarial patches, we propose an innovative two-stage coarse-to-fine attack framework called Adv-Inpainting. In the first stage, we propose an attention-guided StyleGAN (Att-StyleGAN) that adaptively combines texture and identity features based on the attention map to generate highly transferable and natural adversarial patches. In the second stage, we design a refinement network with a new boundary variance loss to further improve the coherence between the patch and its surrounding area. Experimental results demonstrate that Adv-Inpainting is stealthy and can produce adversarial patches with stronger transferability and better visual quality than previous adversarial patch attacks.