Inference Attacks Against Face Recognition Model without Classification Layers
Yuanqing Huang, Huilong Chen, Yinggui Wang, Lei Wang

TL;DR
This paper introduces a novel two-stage inference attack against face recognition models lacking classification layers, revealing privacy vulnerabilities by analyzing intermediate features and reconstructing private data.
Contribution
It presents the first inference attack method targeting face recognition models without classification layers, using analysis of intermediate features and batch normalization (BN) parameters to breach privacy.
Findings
Membership inference based on BN parameter distances is effective.
The attack can reconstruct private face data using GANs.
Demonstrates privacy risks in non-classification face recognition models.
Abstract
Face recognition (FR) has been applied to nearly every aspect of daily life, but it is always accompanied by the underlying risk of leaking private information. At present, almost all attack models against FR rely heavily on the presence of a classification layer. However, in practice, the FR model can obtain complex features of the input via the model backbone, and then compare it with the target for inference, which does not explicitly involve the outputs of the classification layer adopting logit or other losses. In this work, we advocate a novel inference attack composed of two stages for practical FR models without a classification layer. The first stage is the membership inference attack. Specifically, we analyze the distances between the intermediate features and batch normalization (BN) parameters. The results indicate that this distance is a critical metric for membership…
Taxonomy
Topics: Biometric Identification and Security · Face recognition and analysis · Adversarial Robustness in Machine Learning
Methods: Batch Normalization
