# Biometric Backdoors: A Poisoning Attack Against Unsupervised Template   Updating

**Authors:** Giulio Lovisotto, Simon Eberz, Ivan Martinovic

arXiv: 1905.09162 · 2020-11-06

## TL;DR

This paper reveals a novel poisoning attack on biometric systems' template update process, demonstrating high success rates even with limited attacker knowledge, and proposes a detection method to counteract such backdoors.

## Contribution

It introduces a new biometric backdoor attack via template poisoning, effective under weak assumptions, and develops a detection technique to identify malicious updates.

## Key findings

- Attack success rate exceeds 70% with fewer than ten injections in white-box scenarios.
- Transferability enables around 15% success in black-box attack scenarios.
- Detection method achieves over 99% attack detection after two malicious sample injections.

## Abstract

In this work, we investigate the concept of biometric backdoors: a template poisoning attack on biometric systems that allows adversaries to stealthily and effortlessly impersonate users in the long-term by exploiting the template update procedure. We show that such attacks can be carried out even by attackers with physical limitations (no digital access to the sensor) and zero knowledge of training data (they know neither decision boundaries nor user template). Based on the adversaries' own templates, they craft several intermediate samples that incrementally bridge the distance between their own template and the legitimate user's. As these adversarial samples are added to the template, the attacker is eventually accepted alongside the legitimate user. To avoid detection, we design the attack to minimize the number of rejected samples.   We design our method to cope with the weak assumptions for the attacker and we evaluate the effectiveness of this approach on state-of-the-art face recognition pipelines based on deep neural networks. We find that in scenarios where the deep network is known, adversaries can successfully carry out the attack over 70% of cases with less than ten injection attempts. Even in black-box scenarios, we find that exploiting the transferability of adversarial samples from surrogate models can lead to successful attacks in around 15% of cases. Finally, we design a poisoning detection technique that leverages the consistent directionality of template updates in feature space to discriminate between legitimate and malicious updates. We evaluate such a countermeasure with a set of intra-user variability factors which may present the same directionality characteristics, obtaining equal error rates for the detection between 7-14% and leading to over 99% of attacks being detected after only two sample injections.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.09162/full.md

## Figures

10 figures with captions in the complete paper: https://tomesphere.com/paper/1905.09162/full.md

## References

48 references — full list in the complete paper: https://tomesphere.com/paper/1905.09162/full.md

---
Source: https://tomesphere.com/paper/1905.09162