Identifying Physically Realizable Triggers for Backdoored Face Recognition Networks
This addresses security threats in high-stakes face recognition applications by improving detection of stealthy backdoor attacks.
The paper tackles the problem of detecting and identifying natural, physically realizable triggers in backdoored face recognition networks, achieving a top-5 accuracy of 74% for trigger identification compared to a baseline of 56%.
Backdoor attacks embed a hidden functionality into deep neural networks, causing the network to display anomalous behavior when activated by a predetermined pattern in the input Trigger, while behaving well otherwise on public test data. Recent works have shown that backdoored face recognition (FR) systems can respond to natural-looking triggers like a particular pair of sunglasses. Such attacks pose a serious threat to the applicability of FR systems in high-security applications. We propose a novel technique to (1) detect whether an FR network is compromised with a natural, physically realizable trigger, and (2) identify such triggers given a compromised network. We demonstrate the effectiveness of our methods with a compromised FR network, where we are able to identify the trigger (e.g., green sunglasses or red hat) with a top-5 accuracy of 74%, whereas a naive brute force baseline achieves 56% accuracy.