In recent years, face recognition based on deep learning has made remarkable progress and has become one of the most promising application areas of artificial intelligence research. It has attracted wide attention in both academia and industry and has shown practical value across many sectors. However, prior work has shown that face recognition models built on deep neural networks are vulnerable to adversarial examples, which can cause misidentification or loss of accuracy and therefore pose a security risk for large-scale deployment. Developing secure and trustworthy face recognition, identifying the potential security risks of face recognition models, in particular the algorithmic vulnerabilities exposed under adversarial perturbation, and improving the robustness of these models are therefore essential to building more reliable face recognition systems. Research on the adversarial robustness of face recognition still faces several open problems. First, existing adversarial attack algorithms do not effectively assess the security risks of a complete face recognition pipeline (face detection as well as recognition). Second, mainstream defenses based on adversarial training depend on the quality of the attack examples used for training, and the limitations of existing attack methods leave the resulting models short of the required robustness and generalization. Third, adversarial robustness evaluation for face recognition algorithms remains insufficient: evaluation protocols inherited from image classification do not meet the robustness requirements of face recognition and cannot comprehensively expose the security risks of different algorithms.

To address these problems, this thesis studies the adversarial robustness of face recognition models from two sides, adversarial attacks and adversarial defenses, covering both face detection and face recognition, and builds a benchmark for evaluating the adversarial robustness of face recognition. The work provides theoretical and methodological support for uncovering the security risks of face recognition systems and for developing more secure and reliable recognition systems. The main contributions are as follows:
1. For adversarial attacks on face detection, a detection attack based on confidence optimization is proposed. By incorporating the detector's confidence score into the optimization objective, it effectively mitigates the false-positive detections that adversarial examples otherwise induce.
2. For adversarial attacks on face recognition, an attack based on 3D adversarial meshes is proposed. Optimizing in a low-dimensional space reduces the risk of adversarial examples becoming trapped in local optima and improves their transferability across models; using only black-box access, the method uncovers security vulnerabilities in several commercial face recognition systems.
3. For the insufficient robustness of existing models, a hyperspherical embedding mechanism is proposed to strengthen adversarial training. The decision layer of the network is mapped onto a hypersphere so that the angular margin between classes is enlarged. It is shown, both theoretically and experimentally, that this mechanism adapts naturally to adversarial training and effectively improves the adversarial robustness of the model.
4. For the evaluation of adversarial robustness in face recognition, a dedicated adversarial robustness benchmark is developed that covers a range of mainstream adversarial attack and defense algorithms. The benchmark reveals how model architecture, loss function and training method affect the robustness of face recognition, offering guidance for face recognition research and for robustness improvement.
Building on these results, the thesis further extends adversarial perturbations to face privacy protection, establishing a positive application of adversarial examples.
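To make contribution 3 concrete, the following is an added illustration (not the thesis's own code) of a hyperspherical decision layer next to an ordinary linear one. The page only states that the decision layer is mapped onto a hypersphere to enlarge the angular margin between classes; the specific formulation below (L2-normalising both the feature and the class weight vectors, scaled cosine logits, and an additive cosine margin on the target class) is an assumption about how that mapping is realised, and the class weights and feature vector are constructed toy data.

```python
# Hyperspherical classification head beside a plain linear head.
# Added example, not the thesis's own code: the page only states that the
# decision layer is mapped onto a hypersphere to enlarge angular margins, so
# the concrete form here (L2-normalised features and class weights, cosine
# logits with a fixed scale, an additive cosine margin on the target class)
# is an assumption about the formulation.
import math
from typing import List, Optional, Sequence

Vec = Sequence[float]


def dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def unit(a: Vec) -> List[float]:
    # Project a vector onto the unit hypersphere.
    n = math.sqrt(dot(a, a))
    if n == 0.0:
        raise ValueError("cannot project the zero vector onto the hypersphere")
    return [x / n for x in a]


def linear_logits(feature: Vec, weights: Sequence[Vec]) -> List[float]:
    # Ordinary fully-connected decision layer: logit_k = <f, w_k>.
    return [dot(feature, w) for w in weights]


def cosine_logits(feature: Vec, weights: Sequence[Vec], scale: float = 16.0,
                  margin: float = 0.0, target: Optional[int] = None) -> List[float]:
    # Hyperspherical decision layer: feature and class weights are both
    # projected onto the unit sphere, so logit_k = s * cos(theta_k) depends on
    # the angle only. The additive margin is applied to the target class while
    # training to demand a larger angular gap to every other class.
    f = unit(feature)
    cos = [dot(f, unit(w)) for w in weights]
    if target is not None:
        cos[target] -= margin
    return [scale * c for c in cos]


def softmax_ce(logits: Sequence[float], target: int) -> float:
    # Numerically stable cross-entropy: logsumexp(logits) - logit_target.
    m = max(logits)
    lse = m + math.log(sum(math.exp(v - m) for v in logits))
    return lse - logits[target]


def min_class_angle_deg(weights: Sequence[Vec]) -> float:
    # Smallest angle between any two class weight vectors: the quantity a
    # hyperspherical head with a margin pushes up during training.
    best = 180.0
    for i in range(len(weights)):
        for j in range(i + 1, len(weights)):
            c = max(-1.0, min(1.0, dot(unit(weights[i]), unit(weights[j]))))
            best = min(best, math.degrees(math.acos(c)))
    return best


def feature_norm_sensitivity(feature: Vec, weights: Sequence[Vec], target: int,
                             factor: float = 3.0) -> dict:
    # Rescale the feature without changing its direction and compare the two
    # heads. The linear head's loss moves with the norm; the hyperspherical
    # head's loss does not, because only the angle enters the logits.
    scaled = [factor * x for x in feature]
    return {
        "linear_before": softmax_ce(linear_logits(feature, weights), target),
        "linear_after": softmax_ce(linear_logits(scaled, weights), target),
        "cosine_before": softmax_ce(cosine_logits(feature, weights), target),
        "cosine_after": softmax_ce(cosine_logits(scaled, weights), target),
    }


if __name__ == "__main__":
    # Constructed toy data: three class directions in a 2-D embedding space and
    # one feature vector that leans towards class 0.
    W = [[1.0, 0.0], [0.0, 1.0], [-0.7, 0.7]]
    f = [1.0, 0.25]
    print(feature_norm_sensitivity(f, W, target=0))
    print("loss without margin:", softmax_ce(cosine_logits(f, W), 0))
    print("loss with margin   :", softmax_ce(cosine_logits(f, W, margin=0.35, target=0), 0))
    print("min class angle    :", min_class_angle_deg(W))
```

Running the script shows that the linear head's loss drops simply because the feature norm grows, while the hyperspherical head's loss is unchanged, and that the margin raises the target-class loss until the angular separation is large enough; `min_class_angle_deg` is the separation a trained hyperspherical head is meant to enlarge.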