Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].
Omni-Angle Assault: An Invisible and Powerful Physical Adversarial Attack on Face Recognition
Authors: Shuai Yuan, Hongwei Li, Rui Zhang, Hangcheng Cao, Wenbo Jiang, Tao Ni, Wenshu Fan, Qingchuan Zhao, Guowen Xu
ICML 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experimental evaluations validate that UVHat substantially improves the attack success rate in black-box settings, enabling adversarial attacks from multiple angles with enhanced robustness. We conduct experiments in the physical world using two datasets and four models, comparing our approach with two baseline methods. Ablation studies analyze the impact of factors such as wavelength and power on attack performance. Additionally, we test the robustness of our method under real-world conditions, including angle and lighting intensity. |
| Researcher Affiliation | Academia | 1 School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China 2 Department of Computer Science, City University of Hong Kong, Hong Kong, China. Correspondence to: Guowen Xu <EMAIL>. |
| Pseudocode | Yes | The entire process is summarized in Algorithm 1. |
| Open Source Code | No | The paper does not provide any explicit statement about releasing source code for UVHat, nor does it include a link to a code repository. |
| Open Datasets | Yes | We utilize two public datasets in the following experiments, i.e., LFW and CelebA. LFW (Huang et al., 2008) contains 13,233 images of 5,749 people, and 1,680 of the people pictured have two or more distinct photos. CelebA (Liu et al., 2018) is a large-scale face attributes dataset with more than 200K images. |
| Dataset Splits | No | The paper mentions augmenting pre-trained models with images from five volunteers (50 images per volunteer) and refers to targeted impersonation attacks succeeding if classified as one of 10 randomly selected identities. However, it does not specify the train/test/validation splits for the LFW and CelebA datasets used in the experiments. |
| Hardware Specification | No | The paper describes the UV emitters, IR emitters, power supply, and the iPhone 13 camera used for capturing images. However, it does not specify the hardware (e.g., GPU, CPU models, memory) used for training the models or running the adversarial attack simulations. |
| Software Dependencies | No | The paper mentions using a video interpolation model called VIDIM (Jain et al., 2024) but does not provide specific version numbers for any software libraries, frameworks, or programming languages used in their implementation. |
| Experiment Setup | Yes | First, we devise an interpolation-based UV simulation technique that leverages a video interpolation model to generate UV images under varying distances, powers, and wavelengths within the digital domain. Second, we introduce a hemispherical UV modeling strategy to update the relevant parameters based on the positions across the curved surface. Finally, we employ a reinforcement learning optimization approach, wherein the agent iteratively explores the parameter space to identify the most effective attack parameters. Specifically, our process works as follows. First, we define the attack parameters φ = [d, p, λ, (x, y)] as the state space, where d ∈ [d_min, d_max], p ∈ [p_min, p_max], λ ∈ {365 nm, 395 nm, 415 nm}, x ∈ [0, X_image], y ∈ [0, Y_image]. Next, we define the agent's action space. At time t, the actor selects an action a_t = [d_t, p_t, λ_t, (x_t, y_t)] based on the current state s_t, according to the policy network π. ... The critic updates the value functions through the Temporal Difference (TD) error: V(s_t) ← V(s_t) + α(R_{t+1} + γV(s_{t+1}) − V(s_t)) (Eq. 20), where α is the learning rate, and γ is the discount factor. |
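The TD update quoted in the Experiment Setup row (Eq. 20) can be sketched as a tabular TD(0) value update over discretized attack-parameter states. This is an illustrative sketch only: the state encoding, reward, and hyperparameter values below are assumptions, not the paper's implementation (which uses a critic network rather than a table).

```python
def td0_update(V, s_t, s_next, reward, alpha=0.1, gamma=0.9):
    """One TD(0) update: V(s_t) <- V(s_t) + alpha*(R + gamma*V(s_next) - V(s_t)).

    V is a dict mapping states to estimated values; unseen states default to 0.
    """
    td_error = reward + gamma * V.get(s_next, 0.0) - V.get(s_t, 0.0)
    V[s_t] = V.get(s_t, 0.0) + alpha * td_error
    return V[s_t]

# Hypothetical states: discretized (distance, power, wavelength, x, y) tuples.
V = {}
s0 = (0.5, 10, 365, 100, 120)
s1 = (0.5, 12, 365, 100, 120)
td0_update(V, s0, s1, reward=1.0)  # V[s0] = 0 + 0.1*(1.0 + 0.9*0 - 0) = 0.1
```

In the paper's actor-critic setup this error signal would instead drive gradient updates to the critic's value network, with the actor's policy π adjusted toward actions that yield higher estimated return.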