Abstract
In this paper we show that misclassification attacks against face-recognition systems based on deep neural networks (DNNs) are more dangerous than previously demonstrated, even in contexts where the adversary can manipulate only her physical appearance (versus directly manipulating the image input to the DNN). Specifically, we show how to create eyeglasses that, when worn, can succeed in targeted (impersonation) or untargeted (dodging) attacks while improving on previous work in one or more of three facets: (i) inconspicuousness to onlooking observers, which we test through a user study; (ii) robustness of the attack against proposed defenses; and (iii) scalability in the sense of decoupling eyeglass creation from the subject who will wear them, i.e., by creating "universal" sets of eyeglasses that facilitate misclassification. Central to these improvements are adversarial generative nets, a method we propose to generate physically realizable attack artifacts (here, eyeglasses) automatically.