Backdoor Attacks on Face Recognition Systems

Deep facial recognition is a frequently used tool in security-related applications. Modern, often called open-set, face recognition systems are based on biometric templates. Templates are extracted from a face image of a person and later compared to other templates to determine if they belong to the same person. Due to the use in security-related applications the integrity of these systems must be ensured. However, the development is often outsourced to third parties and the systems are based on neural networks which are vulnerable to backdoor attacks. In a backdoor attack, the attacker trains malicious behaviour within the network, which only effect the system when a specific trigger, for example a set of glasses, is present. In the case of face recognition systems, the malicious behaviour is to recognize an attacker as a different person to get access to sensitive information or secured areas. Backdoor attacks are hard to detect because neural networks with millions of parameters are not easily understandable and the normal behaviour of the system in absence of a trigger is non-conspicuous. Defences applicable to real attacks scenarios are needed to close this security gap. However, most of the previous works investigating backdoor attacks on face recognition systems base their work on classification systems, not modern open-set face recognition systems. This work could successfully show that these classification attacks do not work when transferred to open-set face recognition systems. Therefore, the defences build on these attacks are not applicable in real world scenarios and a security gap remains open. To close this gap this work provides a new attack method on open-set face recognition system called Feature Stabilized Trigger Learning, where defences applicable to real world scenario can be developed on. Feature Stabilized Trigger Learning introduces a new loss function for training. The new function consists of two sub-losses functions where the first loss is designed archive normal behaviour in absence of a trigger and the second loss archives the malicious behaviour when a trigger is present. The results are showing that Feature Stabilized Trigger Learning is a highly effective attack on open-set face recognition systems. Therefore, future work can use Feature Stabilized Trigger Learning as base to develop defences against realistic attack scenarios on and to close the security gap.