Deep neural networks (DNNs) have achieved state-of-the-art performance on face recognition (FR) tasks over the last decade. In real-world deployments, DNN-based FR must cope with various face accessories such as glasses, hats, and masks. During the COVID-19 pandemic, wearing a face mask has been one of the most effective ways to defend against the novel coronavirus. However, DNNs are known to be vulnerable to adversarial examples: inputs carrying a small but carefully crafted perturbation. A face mask that carries adversarial perturbations may therefore pose a serious threat to the widely deployed deep learning-based FR models. In this paper, we consider a challenging adversarial setting: a targeted attack against FR models, in which the masked attacker is to be recognized as a chosen target identity. We propose a new stealthy physical masked FR attack based on adversarial style optimization. Specifically, we train an adversarial style mask generator that hides the adversarial perturbations inside style masks. Moreover, because a single fixed style can lead to a sub-optimal attack, we propose to discover the optimal style for a given target through style optimization in a continuous relaxation manner. The generator and the style selection are optimized simultaneously to produce strong and stealthy adversarial style masks. We evaluated the effectiveness and transferability of the proposed method in extensive white-box and black-box digital experiments, and we further conducted physical attack experiments against local FR models and online platforms.
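The abstract describes two coupled ideas: a perturbation hidden inside a mask whose appearance is a "style", and a continuous relaxation that lets gradient descent choose among discrete candidate styles instead of fixing one up front. The following is an added toy illustration of that joint optimization, written for this page; it is not the paper's generator, models, or code. Everything in it is constructed: a linear "face embedding" model standing in for an FR network, a flattened 16-pixel face whose lower half is the mask region, three hand-made candidate styles, an L-inf budget EPS for the hidden perturbation, and a squared-distance-to-target loss as the targeted objective. The style choice is relaxed as softmax weights over the candidates and optimized together with the perturbation by projected gradient descent.

```python
"""Toy illustration (constructed for this page, not the paper's generator or
models): jointly optimize a hidden mask perturbation and a softmax-relaxed
choice among candidate mask styles so that a masked "face" embeds close to a
chosen target identity under a linear embedding model."""
import math
import random

IMG = 16                        # flattened toy "face" (constructed)
EMB = 4                         # embedding size of the toy model
MASK_IDX = list(range(8, 16))   # pixels the mask covers (assumed: lower half)
STYLES = [                      # candidate styles over the 8 mask pixels (constructed)
    [1.0, 0.0, 1.0, 0.0, 1.0, 0.0, 1.0, 0.0],   # stripes
    [1.0, 1.0, 0.0, 0.0, 1.0, 1.0, 0.0, 0.0],   # blocks
    [0.5] * 8,                                  # plain grey
]
EPS = 0.1                       # L-inf budget that keeps delta hidden inside the style


def matvec(w, x):
    return [sum(wi * xi for wi, xi in zip(row, x)) for row in w]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def apply_mask(face, alpha, delta):
    """Mask = clip(softmax(alpha) @ STYLES + delta, 0, 1), pasted onto the face.
    Also returns which mask pixels hit the clip so their gradient can be zeroed."""
    p = softmax(alpha)
    raw = [sum(p[k] * STYLES[k][j] for k in range(len(STYLES))) + delta[j]
           for j in range(len(MASK_IDX))]
    mask = [min(1.0, max(0.0, v)) for v in raw]
    saturated = [v <= 0.0 or v >= 1.0 for v in raw]
    x = list(face)
    for j, idx in enumerate(MASK_IDX):
        x[idx] = mask[j]
    return x, p, saturated


def attack(w, face, target_emb, steps=500, lr=0.01):
    """Projected gradient descent on loss = ||W x_adv - target||^2 over both
    delta (projected back to +-EPS) and the style logits alpha, the continuous
    relaxation of the discrete style choice."""
    alpha = [0.0] * len(STYLES)           # start from a uniform style mix
    delta = [0.0] * len(MASK_IDX)
    for _ in range(steps):
        x, p, sat = apply_mask(face, alpha, delta)
        resid = [e - t for e, t in zip(matvec(w, x), target_emb)]
        g_x = [2 * sum(w[i][j] * resid[i] for i in range(EMB)) for j in range(IMG)]
        g_m = [0.0 if sat[j] else g_x[idx] for j, idx in enumerate(MASK_IDX)]
        # chain rule through mask = p @ STYLES and p = softmax(alpha)
        g_p = [sum(STYLES[k][j] * g_m[j] for j in range(len(MASK_IDX)))
               for k in range(len(STYLES))]
        dot = sum(pk * gk for pk, gk in zip(p, g_p))
        g_alpha = [pk * (gk - dot) for pk, gk in zip(p, g_p)]
        alpha = [a - lr * g for a, g in zip(alpha, g_alpha)]
        delta = [min(EPS, max(-EPS, d - lr * g)) for d, g in zip(delta, g_m)]
    return alpha, delta


def run_demo(seed=7):
    random.seed(seed)
    w = [[random.gauss(0, 1) for _ in range(IMG)] for _ in range(EMB)]   # toy FR model
    src = [random.random() for _ in range(IMG)]                          # attacker's face
    tgt = [random.random() for _ in range(IMG)]                          # target identity
    target_emb = matvec(w, tgt)
    x0, _, _ = apply_mask(src, [0.0] * len(STYLES), [0.0] * len(MASK_IDX))
    alpha, delta = attack(w, src, target_emb)
    x_adv, p, _ = apply_mask(src, alpha, delta)
    return {
        "dist_before": sq_dist(matvec(w, x0), target_emb),
        "dist_after": sq_dist(matvec(w, x_adv), target_emb),
        "style_weights": p,
        "chosen_style": max(range(len(p)), key=lambda k: p[k]),
        "delta_linf": max(abs(d) for d in delta),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the relaxation is visible in `attack`: the style index is never enumerated, yet the softmax weights drift toward whichever candidate lowers the targeted loss, while `delta` stays within the budget that keeps the perturbation inside the style's appearance. A real attack replaces the linear model with a white-box or surrogate FR network, the hand-made styles with a learned style generator, and the pixel-space budget with a printability-aware one; none of that is modelled here.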