DR-SigAttack: Distribution-Relevant Signature Attack Withstands Defense Mechanisms for Offline Signature Verification

Abstract

In the field of machine learning security, adversarial perturbations are carefully designed and added to images to fool a machine learning classifier into making incorrect predictions. As a key biometric for identity verification, offline handwritten signature systems are vulnerable to attacks that result in misclassification and thus pose serious risks to personal privacy and system security. However, traditional attack algorithms can be countered by defensive measures and fail to assess the robustness of signature verification networks. To address this issue, we propose a novel Distribution-Relevant Signature Attack (DR-SigAttack) method based on the Triplet Attention (TA) module to assess the security of signature verification systems. Specifically, the TA module is integrated into the surrogate model and fine-tuned to strengthen its capacity for capturing discriminative stroke characteristics that are essential for signature verification. Then, using the fine-tuned surrogate model, distribution-relevant adversarial examples are generated by computing input gradients and updating them in alignment with or against the gradient direction. To evaluate the effectiveness of the proposed method, extensive experiments are conducted on three benchmark offline handwritten signature datasets (GPDS-synthetic, CEDAR, and BHSig260), demonstrating that the adversarial examples generated by the proposed method maintain high attack success rates, imperceptibility, and strong transferability, even after being subjected to various standard and advanced defense mechanisms.
