Privacy Attacks Against Biometric Models with Fewer Samples: Incorporating the Output of Multiple Models

TL;DR

This paper introduces a novel model inversion attack technique that significantly reduces the training data needed by leveraging multiple models' outputs, enhancing biometric system vulnerabilities.

Contribution

The authors propose a new attack method called structured random with alignment loss that enables effective model inversion with minimal training data, applicable to iris and facial biometric systems.

Findings

Reduces iris data training set size by 90% compared to prior work.

Reduces facial data training set size by 99.9% compared to prior work.

Improves membership inference attack accuracy from 52% to 62% on iris data.

Abstract

Authentication systems are vulnerable to model inversion attacks where an adversary is able to approximate the inverse of a target machine learning model. Biometric models are a prime candidate for this type of attack. This is because inverting a biometric model allows the attacker to produce a realistic biometric input to spoof biometric authentication systems. One of the main constraints in conducting a successful model inversion attack is the amount of training data required. In this work, we focus on iris and facial biometric systems and propose a new technique that drastically reduces the amount of training data necessary. By leveraging the output of multiple models, we are able to conduct model inversion attacks with 1/10th the training set size of Ahmad and Fuller (IJCB 2020) for iris data and 1/1000th the training set size of Mai et al. (Pattern Analysis and Machine Intelligence 2019) for facial data. We denote our new attack technique as structured random with alignment loss. Our attacks are black-box, requiring no knowledge of the weights of the target neural network, only the dimension, and values of the output vector. To show the versatility of the alignment loss, we apply our attack framework to the task of membership inference (Shokri et al., IEEE S&P 2017) on biometric data. For the iris, membership inference attack against classification networks improves from 52% to 62% accuracy.