Backdoor Attacks Against Deep Learning Systems in the Physical World
Emily Wenger, Josephine Passananti, Arjun Bhagoji, Yuanshun Yao, Haitao Zheng, Ben Y. Zhao

TL;DR
This paper empirically demonstrates that physical objects can serve as effective triggers for backdoor attacks on facial recognition systems, posing a real-world security threat and exposing the limitations of current defenses.
Contribution
It provides the first detailed empirical analysis of physical backdoor attacks in facial recognition, showing their feasibility and the ineffectiveness of existing defenses.
Findings
Physical backdoor attacks can succeed with carefully placed triggers.
Current digital backdoor defenses are ineffective against physical triggers.
Physical backdoors pose a serious real-world threat to facial recognition systems.
Abstract
Backdoor attacks embed hidden malicious behaviors into deep learning models, which only activate and cause misclassifications on model inputs containing a specific trigger. Existing works on backdoor attacks and defenses, however, mostly focus on digital attacks that use digitally generated patterns as triggers. A critical question remains unanswered: can backdoor attacks succeed using physical objects as triggers, thus making them a credible threat against deep learning systems in the real world? We conduct a detailed empirical study to explore this question for facial recognition, a critical deep learning task. Using seven physical objects as triggers, we collect a custom dataset of 3205 images of ten volunteers and use it to study the feasibility of physical backdoor attacks under a variety of real-world conditions. Our study reveals two key findings. First, physical backdoor attacks…
