SecureGaze: Defending Gaze Estimation Against Backdoor Attacks

TL;DR

SecureGaze is a novel defense method that detects and counters backdoor attacks in gaze estimation models, ensuring security in critical applications like driver monitoring and HCI.

Contribution

We introduce SecureGaze, the first dedicated approach to defend gaze estimation models against backdoor attacks, addressing unique challenges of continuous outputs and global triggers.

Findings

SecureGaze effectively detects backdoor attacks in various scenarios.

It outperforms seven state-of-the-art defenses adapted from classification tasks.

The method works reliably in both digital and physical environments.

Abstract

Gaze estimation models are widely used in applications such as driver attention monitoring and human-computer interaction. While many methods for gaze estimation exist, they rely heavily on data-hungry deep learning to achieve high performance. This reliance often forces practitioners to harvest training data from unverified public datasets, outsource model training, or rely on pre-trained models. However, such practices expose gaze estimation models to backdoor attacks. In such attacks, adversaries inject backdoor triggers by poisoning the training data, creating a backdoor vulnerability: the model performs normally with benign inputs, but produces manipulated gaze directions when a specific trigger is present. This compromises the security of many gaze-based applications, such as causing the model to fail in tracking the driver's attention. To date, there is no defense that addresses backdoor attacks on gaze estimation models. In response, we introduce SecureGaze, the first solution designed to protect gaze estimation models from such attacks. Unlike classification models, defending gaze estimation poses unique challenges due to its continuous output space and globally activated backdoor behavior. By identifying distinctive characteristics of backdoored gaze estimation models, we develop a novel and effective approach to reverse-engineer the trigger function for reliable backdoor detection. Extensive evaluations in both digital and physical worlds demonstrate that SecureGaze effectively counters a range of backdoor attacks and outperforms seven state-of-the-art defenses adapted from classification models.