AdvDiffusion: Adversarial Patches Generation for Face Recognition with High Transferability in Physical Domain

Face recognition models are vulnerable to spoofing of adversarial patches in the physical world. Attackers can enable face recognition models to make false identity judgments by simply pasting a sticker with a special pattern on the face. However, existing attacks lack the ability to transfer black-box models, and the improvement of the transferability is mainly focused on adversarial perturbations based the p-norm. To further improve the attack performance and transferability, a high transferable face recognition adversarial patches generation method named as AdvDiffusion is proposed. It first determines the region for adversarial patches generation based on facial gradient maps, and then an image is reconstructed to generate an adversarial patch by adding noise and denoising it with a pre-trained diffusion model. In the denoising, an adversarial loss is used to fine-tune the model and control the image to generate an adversarial patch with spoofing capability. Experiments and analysis show that the adversarial patches generated by have good adversarial attack capability on black-box face recognition models in both digital and physical domains, and also have better robustness under the changes of a complex physical environment compared with some state-of-the-art methods. It has great potential application for black-box attacks in the physical domain.