Traditional adversarial attacks typically produce adversarial examples under norm-constrained conditions, whereas unrestricted adversarial examples are free-form with semantically meaningful perturbations. Current unrestricted adversarial impersonation attacks exhibit limited control over adversarial face attributes and often suffer from low transferability. In this paper, we propose a novel Text Controlled Attribute Attack (TCA$^2$) to generate photorealistic adversarial impersonation faces guided by natural language. Specifically, the category-level personal softmax vector is employed to precisely guide the impersonation attacks. Additionally, we propose both data and model augmentation strategies to achieve transferable attacks on unknown target models. Finally, a generative model, \textit{i.e}, Style-GAN, is utilized to synthesize impersonated faces with desired attributes. Extensive experiments on two high-resolution face recognition datasets validate that our TCA$^2$ method can generate natural text-guided adversarial impersonation faces with high transferability. We also evaluate our method on real-world face recognition systems, \textit{i.e}, Face++ and Aliyun, further demonstrating the practical potential of our approach.

翻译：传统对抗攻击通常在范数约束条件下生成对抗样本，而无限制对抗样本则具有自由形式且包含语义上有意义的扰动。当前无限制对抗模仿攻击对对抗人脸属性的控制能力有限，且往往存在可迁移性较低的问题。本文提出一种新颖的文本控制属性攻击方法，通过自然语言引导生成逼真的对抗模仿人脸。具体而言，我们采用类别级个人softmax向量来精确指导模仿攻击。此外，我们提出了数据和模型增强策略，以实现对未知目标模型的可迁移攻击。最后，利用生成模型（即Style-GAN）合成具有期望属性的模仿人脸。在两个高分辨率人脸识别数据集上的大量实验验证了我们的TCA$^2$方法能够生成具有高可迁移性的自然文本引导对抗模仿人脸。我们还在实际人脸识别系统（即Face++和阿里云）上评估了该方法，进一步证明了我们方法的实用潜力。