MakeupAttack: Feature Space Black-box Backdoor Attack on Face Recognition via Makeup Transfer

Read original: arXiv:2408.12312 - Published 8/23/2024 by Ming Sun, Lihua Jing, Zixuan Zhu, Rui Wang

Overview

  • Backdoor attacks pose a significant threat to deep neural network (DNN) training.
  • Face recognition systems are vulnerable to backdoor attacks, which can have serious consequences.
  • Existing backdoor attacks on face recognition are simple and visible, and often lose effectiveness due to the perceptibility, diversity, and similarity of facial datasets.

Plain English Explanation

A backdoor attack tampers with the training process of a deep neural network. After the network is trained, it can then be manipulated to behave in an unintended way, such as misidentifying faces.

This is a particularly concerning issue for face recognition systems, which are widely used in real-world applications. If a face recognition system is compromised by a backdoor attack, it could lead to serious consequences, such as granting unauthorized access or failing to identify dangerous individuals.

However, the backdoor attacks that have been developed for face recognition so far have been relatively simple and obvious. They are also limited in their effectiveness, as the diverse and similar nature of facial datasets can make it difficult for these attacks to work consistently.

Technical Explanation

In this paper, the researchers propose a novel feature space backdoor attack against face recognition systems, called MakeupAttack. Unlike many other feature space attacks, MakeupAttack only requires model queries, adhering to black-box attack principles.

The key innovations of MakeupAttack are:

  1. An iterative training paradigm to learn subtle features of a makeup-style trigger.
  2. An adaptive selection method to promote trigger diversity, which helps the attack bypass existing defense methods.

The researchers conducted extensive experiments on two widely-used facial datasets, targeting multiple face recognition models. The results show that MakeupAttack can bypass state-of-the-art defenses while maintaining effectiveness, robustness, naturalness, and stealthiness, without compromising model performance.

Critical Analysis

The researchers acknowledge that backdoor attacks on face recognition systems are still in the early stages of research. While MakeupAttack represents a significant advance in terms of effectiveness and stealthiness, there may be other avenues for backdoor attacks that were not explored in this paper.

Additionally, the researchers do not discuss the potential societal implications of such attacks, such as the impact on public trust in face recognition technology or the risk of abuse by bad actors. These are important considerations that should be addressed in future research.

Conclusion

This paper presents a novel feature space backdoor attack against face recognition systems, called MakeupAttack. The attack is designed to be highly effective, robust, and stealthy, while bypassing existing defense mechanisms. The research represents an important step forward in understanding the vulnerabilities of deep neural networks, particularly in the context of critical real-world applications like face recognition. However, further work is needed to fully address the implications and potential misuse of such attacks.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

MakeupAttack: Feature Space Black-box Backdoor Attack on Face Recognition via Makeup Transfer

Ming Sun, Lihua Jing, Zixuan Zhu, Rui Wang

Backdoor attacks pose a significant threat to the training process of deep neural networks (DNNs). As a widely-used DNN-based application in real-world scenarios, face recognition systems, once implanted with a backdoor, may cause serious consequences. Backdoor research on face recognition is still in its early stages, and the existing backdoor triggers are relatively simple and visible. Furthermore, due to the perceptibility, diversity, and similarity of facial datasets, many state-of-the-art backdoor attacks lose effectiveness on face recognition tasks. In this work, we propose a novel feature space backdoor attack against face recognition via makeup transfer, dubbed MakeupAttack. In contrast to many feature space attacks that demand full access to target models, our method only requires model queries, adhering to black-box attack principles. In our attack, we design an iterative training paradigm to learn the subtle features of the proposed makeup-style trigger. Additionally, MakeupAttack promotes trigger diversity using the adaptive selection method, dispersing the feature distribution of malicious samples to bypass existing defense methods. Extensive experiments were conducted on two widely-used facial datasets targeting multiple models. The results demonstrate that our proposed attack method can bypass existing state-of-the-art defenses while maintaining effectiveness, robustness, naturalness, and stealthiness, without compromising model performance.

8/23/2024

An Invisible Backdoor Attack Based On Semantic Feature

Yangming Chen

Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. These attacks can occur in almost every stage of the deep learning pipeline. Although the attacked model behaves normally on benign samples, it makes wrong predictions for samples containing triggers. However, most existing attacks use visible patterns (e.g., a patch or image transformations) as triggers, which are vulnerable to human inspection. In this paper, we propose a novel backdoor attack, making imperceptible changes. Concretely, our attack first utilizes the pre-trained victim model to extract low-level and high-level semantic features from clean images and generates a trigger pattern associated with high-level features based on channel attention. Then, the encoder model generates poisoned images based on the trigger and extracted low-level semantic features without causing noticeable feature loss. We evaluate our attack on three prominent image classification DNNs across three standard datasets. The results demonstrate that our attack achieves high attack success rates while maintaining robustness against backdoor defenses. Furthermore, we conduct extensive image similarity experiments to emphasize the stealthiness of our attack strategy.

5/21/2024

Makeup-Guided Facial Privacy Protection via Untrained Neural Network Priors

Fahad Shamshad, Muzammal Naseer, Karthik Nandakumar

Deep learning-based face recognition (FR) systems pose significant privacy risks by tracking users without their consent. While adversarial attacks can protect privacy, they often produce visible artifacts compromising user experience. To mitigate this issue, recent facial privacy protection approaches advocate embedding adversarial noise into the natural looking makeup styles. However, these methods require training on large-scale makeup datasets that are not always readily available. In addition, these approaches also suffer from dataset bias. For instance, training on makeup data that predominantly contains female faces could compromise protection efficacy for male faces. To handle these issues, we propose a test-time optimization approach that solely optimizes an untrained neural network to transfer makeup style from a reference to a source image in an adversarial manner. We introduce two key modules: a correspondence module that aligns regions between reference and source images in latent space, and a decoder with conditional makeup layers. The untrained decoder, optimized via carefully designed structural and makeup consistency losses, generates a protected image that resembles the source but incorporates adversarial makeup to deceive FR models. As our approach does not rely on training with makeup face datasets, it avoids potential male/female dataset biases while providing effective protection. We further extend the proposed approach to videos by leveraging on temporal correlations. Experiments on benchmark datasets demonstrate superior performance in face verification and identification tasks and effectiveness against commercial FR systems. Our code and models will be available at https://github.com/fahadshamshad/deep-facial-privacy-prior

8/23/2024

Facial Misrecognition Systems: Simple Weight Manipulations Force DNNs to Err Only on Specific Persons

Irad Zehavi, Roee Nitzan, Adi Shamir

In this paper, we describe how to plant novel types of backdoors in any facial recognition model based on the popular architecture of deep Siamese neural networks. These backdoors force the system to err only on natural images of specific persons who are preselected by the attacker, without controlling their appearance or inserting any triggers. For example, we show how such a backdoored system can classify any two images of a particular person as different people, or any two images of a particular pair of persons as the same person, with almost no effect on the correctness of its decisions for other persons. Surprisingly, we show that both types of backdoors can be implemented by applying linear transformations to the model's last weight matrix, with no additional training or optimization, using only images of the backdoor identities. A unique property of our attack is that multiple backdoors can be independently installed in the same model by multiple attackers, who may not be aware of each other's existence, with almost no interference. We have experimentally verified the attacks on a SOTA facial recognition system. When we tried to individually anonymize ten celebrities, the network failed to recognize two of their images as being the same person in $97.02\%$ to $98.31\%$ of the time. When we tried to confuse between the extremely different-looking Morgan Freeman and Scarlett Johansson, for example, their images were declared to be the same person in $98.47\%$ of the time. For each type of backdoor, we sequentially installed multiple backdoors with minimal effect on the performance of each other (for example, anonymizing all ten celebrities on the same model reduced the success rate for each celebrity by no more than $1.01\%$). In all of our experiments, the benign accuracy of the network on other persons barely degraded (in most cases, it degraded by less than $0.05\%$).

6/13/2024