A major challenge in developing practical face recognition (FR) attacks is the black-box nature of the target FR model, i.e., gradient and parameter information is inaccessible to attackers. While recent research took an important step towards attacking black-box FR models by leveraging transferability, its performance is still limited, especially against online commercial FR systems, where results can be pessimistic (e.g., an attack success rate (ASR) of less than 50% on average). Motivated by this, we present Sibling-Attack, a new FR attack technique that, for the first time, explores a novel multi-task perspective (i.e., leveraging extra information from multiple correlated tasks to boost attack transferability). Intuitively, Sibling-Attack considers a set of tasks correlated with FR and, based on theoretical and quantitative analysis, picks the Attribute Recognition (AR) task as the auxiliary task it uses. Sibling-Attack then develops an optimization framework that fuses adversarial gradient information through (1) constraining the cross-task features to lie in the same space, (2) a joint-task meta-optimization framework that enhances gradient compatibility among tasks, and (3) a cross-task gradient stabilization method that mitigates the oscillation effect during the attack. Extensive experiments demonstrate that Sibling-Attack outperforms state-of-the-art FR attack techniques by a non-trivial margin, boosting ASR by 12.61% and 55.77% on average on state-of-the-art pre-trained FR models and two well-known, widely used commercial FR systems, respectively.