Omni-Angle Assault: An Invisible and Powerful Physical Adversarial Attack on Face Recognition

Q-1: What are the most significant differences compared to existing work?

A-1. Thanks for the comment. We provide a detailed comparison between UVHat and existing methods, along with experimental results.

(1) Qualitative comparison

First, compared to sticker-based methods, our UV light is invisible to the naked eye, providing stronger concealment. Additionally, attackers can freely choose the timing of the attack, offering greater flexibility.

Second, compared to visible light-based methods, our invisible light offers superior concealment.

Finally, we provide a detailed comparison with infrared-based methods. According to the photon energy formula in physics:

$$E=\frac{hc}{\lambda}$$

where $E$ is the photon energy, $h$ is Planck's constant, $c$ is the speed of light, and $\lambda$ is the wavelength of light. Since UV (10nm-400nm) has a shorter wavelength than IR (700nm-1000nm), it causes stronger adversarial perturbation. Figure 1 confirms that UVHat induces greater disruptions than IR, leading to a higher ASR. Furthermore, existing IR-based attack methods either pose risks to the attacker's eyes or only succeed from a single angle. In contrast, our approach is harmless to the attacker and provides greater flexibility by effectively attacking from multiple angles.

(2) Quantitative comparison

To further demonstrate the effectiveness and novelty of UVHat, we compare it with related works. The experimental results are summarized below:

We reproduce the patch-based work (AdvHat) and refer to Wang (2024)’s results (due to lack of devices). Additionally, IRHat replaces UV emitters with IR emitters. As can be seen from the table, UVHat outperforms all methods across multiple angles. Specifically, even though UVHat was placed on a hat, it outperformed the Wang (2024) because UV creates greater interference. IRHat’s ASR is lower than Wang (2024).’s ASR, possibly because the glass is positioned closer to the center of the face, making the interference more effective. Note that the UVHat’s ASR is much greater than IRHat’s ASR, which further confirms that UV produces more interference than IR.

Q-2: How is this regulation mechanism designed? What key hardware parameters need to be met? How are these parameters optimized?

A-2. Thanks for the comment.

(1) Using the method described in Section 4.1, we determine the UV image based on wavelength, power, and distance. Additionally, the position of UV emitters directly impact the power. Therefore, it is necessary to adjust parameters based on the emitter's position on the curved surface to simulate real-world UV light sources. Specifically, the regulation mechanism utilizes a 3D hemispherical model to analyze the relationship between different positions and UV intensity, then calculates the corresponding UV power accordingly. With the regulation mechanism described in Section 4.2, UVHat can effectively simulate real-world UV light in optimization processes based on attack parameters such as distance, power, wavelength, and position.

(2) We have provided the detailed dimensions and parameters of the attack equipment in Appendix A.

(3) In our optimization, we use Critic-Actor networks to implement reinforcement learning (RL) and find optimal attack parameters for different objectives. The Critic evaluates the current state or state-action pair, and the Actor optimizes the policy using the Critic’s feedback to select the best action. Both networks rely on a reward function linked to model’s predictions and attack goals.

The RL process:

• Initialize the network parameters and value functions.

• At each time step $t$:

  • Actor selects an action.
  • Action is executed, obtaining reward & next state.
  • Critic updates value function.
  • Actor updates policy via Critic’s feedback.

• Repeat until the process (e.g., max steps).

Q-3: Were multiple lighting conditions (such as daytime, nighttime, artificial lighting, etc.) used to evaluate the system’s adaptability? What impact do these lighting variations have on the performance of the UV light source?

A-3. Thanks for the comment. Yes, we evaluated the robustness of our approach under different ambient light intensities. Table 5 in our paper presents the attack success rates (ASR) of our method across various lighting conditions. As the ambient light intensity increases, the ASR decreases. This is because higher ambient light levels reduce the visibility of UV light. In most real-life cases, most of the face recognition systems are deployed on indoor scenarios, where the light intensity is usually below 1000 lux, whereas the UVHat attack still shows high effectiveness within these impact factors.

Q-1. Provide detailed mathematical formulations to clarify how these attack cases are defined and implemented using embedding features.

A-1. We apologize for possible misunderstandings about UVHat‘s attack objectives. Our adversarial attack on face recognition (FR) targets four FR attack objectives.

For dodging attacks, our goal is:

$$f(UVHat(x_a)) \neq y_a, s.t. y_a \in D_{identity}$$

where $f(\cdot)$ represents FR model, $x_a$ denotes the attacker's face with identity $y_a$ (belongs to identity dataset $D_{identity}$).

We define the reward function in Equation(12). Different models compute Euclidean distance or cosine similarity for embedding features. To improve clarity, we express FR results as probability $p$ and explain how the probability $p$ is derived from Euclidean distance or Cosine similarity.

(a) For Euclidean distance $d$, we transform distances using reciprocal and apply softmax:

$$p_i = \frac{e^{1/d_i}}{\sum_{j=1}^{N} e^{1/d_j}}, i=1, ..., N$$

The smallest distance $d_i$ corresponds to the highest probability $p_i$. The probability threshold $p_{\tau}$ is derived as:

$$p_{\tau}=\frac{e^{1/{\tau}}}{e^{1/{\tau}}+(N-1)e^{1/d_{avg}}}$$

where the average distance $d_{avg}$ for all non-matching pairs is:

$$d_{avg}=\frac{1}{N-1}\sum_{(x_i, x_j)\in non-match}d(x_i,x_j)$$

where $d(x_i,x_j)$ denotes the $d$ between different embedding features. For a face to be classified as the i-th person, its probability must satisfy $p_i > p_{\tau}$.

(b) For Cosine similarity $s$, we apply softmax directly, i.e., $p = softmax(s)$. The highest similarity corresponds to the highest probability, following a process similar to Euclidean distance.

For DoS attacks, the goal is:

$$f(UVHat(x_a))=None$$

The reward function maximizes entropy:

$$R_{DoS}=-\sum^N_{i=1}p_i log(p_i)$$

This formulation forces the FR model into extreme uncertainty, rejecting recognition queries.

For untargeted impersonation attacks, the goal is:

$$f(UVHat(x_a)) \neq y_a, s.t. y_a \notin D_{identity}$$

where the attacker’s identity $y_a$ is absent from the database, and misclassification into any identity in $D_{identity}$ is a success.

For targeted impersonation attacks, the goal is:

$$f(UVHat(x_a))=y_{target}, s.t. y_a \notin D_{identity}$$

In practice, we consider randomly selecting 10 target identities, meaning that $p_{target}$ has multiple candidates.

If insist, we will provide a detailed explanation for each attack objective and clarify the relationship between probability $p$ and the model output in the reward function to prevent any potential misunderstandings.

Q-2. Evaluation of defenses such as Apple's Face ID

A-2. Thanks for the comment. We tested UVHat against Apple's Face ID on an iPhone 13 (limited to one device due to time constraints):

Results show UV light can disrupt Face ID, highlighting the need for improved defenses in IR+RGB systems. Many companies (e.g., Amazon, Mastercard, Hikvision) still use RGB-based FR, making UVHat a serious threat. We also tested adversarial training on FaceNet:

Adversarial training has limited effectiveness since UVHat optimizes multiple attack parameters (e.g., position, power, number of UV emitters). If insist, we will add more defense tests.

Q-3. Discuss the distinctions between UVHat and previous works and provide empirical comparisons.

A-3. Thanks for the comment. Please refer to Reviewer ypUC’s Q-1.

Q-4. Explain how the attack incorporates model knowledge and the rationale behind integrating reinforcement learning.

A-4. Thanks for the comment. We use Critic-Actor RL to optimize attack parameters for different objectives: As detailed in Answer 1, the reward function is related to model's predictions and is optimized based on different attack objectives. We conducted experiments with other heuristic algorithms to validate the effectiveness of RL. For details, please refer to Reviewer B3e4's Q-2 and ypUC's Q-2.

Q-5. The UVHat appears to be methodology-driven rather than mathematically grounded.

A-5. Thanks for the comment. Section 4.2 provides a detailed mathematical analysis of UV intensity across different positions. Under the black-box setting, we employ RL to optimize attack parameters since white-box methods (e.g., gradient descent) are not applicable. Finally, experiments confirm UVHat’s effectiveness. For details, please refer to Reviewer B3e4's Q-2.

Q-1. This paper presents a novel attack against FRs. The idea makes sense, and the approach seems both novel and clever in terms of its simplicity and potential effectiveness. The paper is well-structured and easy to understand. The issue described in the paper is not entirely new, as many previous works have demonstrated how physical attacks can be carried out. Despite that, the paper shows how a reasoned combination of UV emitters can further push this physical attacks. The strongest aspect of this attack lies in its methodology and evaluation. The approach dissects the physical attack and provides a set of formulas that will help researchers develop further attack or defense strategies. The evaluation covers experimental results in the physical world, offering various perspectives on the impact of these attacks. I was particularly pleased to see the real-world evaluations, with a detailed discussion of the results.

A-1. Thanks for the positive comments!

Q-2. The defenses section could be stronger.

A-2. Thanks for the comment. The main reason for utilizing UV light is that the wavelength range of the RGB camera is larger than the wavelength range of visible light. Without modifying the RGB camera, we propose to introduce infrared (IR) imaging as a defense. Because the UV light (10nm-400nm) is outside the IR spectrum (700nm-1000nm), combining IR and RBG dual-channel imaging helps detect UV interference.

To test whether existing face recognition (FR) systems with IR cameras can resist interference from UV light, we targeted Apple's Face ID. Apple's official website explains about Face ID advanced technology: “The TrueDepth camera captures accurate face data by projecting and analyzing thousands of invisible dots to create a depth map of your face and also captures an infrared image of your face. A portion of your device's neural engine — protected within the Secure Enclave — transforms the depth map and infrared image into a mathematical representation and compares that representation to the enrolled facial data.” Therefore, we tested Apple face ID using an iPhone 13:

In this experiment, we use a method similar to MaxUV, i.e., we turn the voltage to maximum and place the UV emitter in a position on the hat closest to the camera. We counted the number of successful unlockings with the UV emitter on and the number of successful unlockings with the UV emitter off at different angles. From the above table, we can see that UV light can still effectively interfere with FR systems, even if it applies an IR camera.

Therefore, the combined imaging method with RGB-IR still needs to be further developed to better defend against the interference of UV light. If insist, we will construct models that receive RBG and IR images for FR and improve robustness to UV interference.

Q-1. The purple light is very noticeable, which is clearly in serious conflict with the invisible attacks. The experimental designs in this paper can effectively evaluate the effectiveness of the proposed attack, but there is a lack of evaluation regarding its concealment.

A-1. We apologize for possible misunderstandings about the concealment of ultraviolet (UV) light. UV light is invisible to human eyes due to its shorter wavelengths (below 400nm), which fall outside the visible spectrum (400nm-700nm). The human eyes cannot detect light in this range because the lens absorbs short-wavelength UV light to protect the retina.

Although some UV devices emit visible blue-purple light for safety, this does not mean UV light is visible. Manufacturers deliberately incorporate a small amount of visible light to signal that the UV lamp is active. This design is primarily for safety reasons, as prolonged exposure to UV radiation can cause significant harm to human skin, potentially leading to burns or even an increased risk of skin cancer. In our experiments, the UV emitters emit invisible UV light, and its operation was controlled precisely. Instead, cameras capture UV light, which is why images are taken with an iPhone 13. Figure 1 shows the scene as seen by human eyes, where UV light remains invisible, ensuring no visual anomalies. If UV light is close to the visible spectrum, it may appear as a subtle purple, but due to Rayleigh scattering, it is difficult to detect from a distance. Only cameras at close range can detect the interference. In practice, the attack would remain undetected because security personnel typically patrol from a distance.

In our tests, all five volunteers failed to detect UV light during the attacks, confirming its concealment. Strict safety measures were implemented to ensure no harm to participants. If insist, we will clarify the physical principles behind UV invisibility and invite more volunteers to further validate the stealth of this attack in real-world scenarios.

Q-2: This paper is based on a heuristic approach without theoretical proofs.

A-2: Thanks for the comment. We chose heuristic algorithms due to the black-box setting, where the attacker cannot access the model's structure or parameters. This also means that white-box mathematical methods, e.g., gradient descent, do not apply. Additionally, since the wavelengths of UV light are discrete, zero-order gradient optimization does not apply to our optimization process. Therefore, heuristic algorithms provide an effective alternative solution.

Common heuristic algorithms include reinforcement learning (RL), genetic algorithms (GA), and particle swarm optimization (PSO). RL is ideal for optimizing long-term goals, while GA and PSO are focused on finding local optima. RL's ability to optimize attack parameters with different reward functions makes it more suited for our problem. To validate RL's effectiveness, we compared its performance with GA and PSO (the ASR of UVHat in untargeted impersonation attacks):

The results above demonstrate that the ASR of RL is much higher than other methods, which proves its advantage. If insist, we will clarify the choice of RL and provide additional experimental comparisons.

Q-3: The method has no connection with machine learning. Can the simple direct use of UV light still achieve the attack performance? The paper fails to reflect the breakthroughs in machine-learning-related algorithms or technological innovation.

A-3.Thanks for the comment. Our work is the first to reveal that UV lights can disturb commercial off-the-shelf cameras and pose security threats to face recognition (FR) systems, where machine learning is used to optimize and validate the attack. Breakthroughs in machine learning algorithms are outside the scope of this study.

The direct use of UV light cannot achieve effective attack results. In the baseline, we design the MaxUV, which places the highest-power UV emitter at the closest position to the camera. The experimental results in Table 1 show the performance of MaxUV. MaxUV achieves a maximum ASR of 66% in DoS attacks, while our UVHat achieves 89%, which indicates that our optimization process significantly improves the attack's ASR. Additionally, MaxUV is much lower in other attack goals. For example, the maximum ASR in targeted Impersonation attacks is only 4%, while our UVHat achieves 69%, further validating the superiority of our approach.

Our contribution lies in discovering a new physical attack vector that threatens the security of FR systems, using interpolation-based UV simulation, hemispherical UV modeling, and RL for optimal attack parameters, with experimental validation in real-world scenarios.