Identifying Physically Realizable Triggers for Backdoored Face Recognition Networks

TL;DR

This paper presents a new method to detect and identify natural, physically realizable triggers in backdoored face recognition networks, enhancing security by pinpointing specific attack patterns.

Contribution

It introduces a novel technique for detecting and identifying natural triggers in backdoored face recognition systems, improving upon naive baseline methods.

Findings

Achieved 74% top-5 accuracy in trigger identification

Outperformed naive baseline with 56% accuracy

Demonstrated effectiveness on a compromised face recognition network

Abstract

Backdoor attacks embed a hidden functionality into deep neural networks, causing the network to display anomalous behavior when activated by a predetermined pattern in the input Trigger, while behaving well otherwise on public test data. Recent works have shown that backdoored face recognition (FR) systems can respond to natural-looking triggers like a particular pair of sunglasses. Such attacks pose a serious threat to the applicability of FR systems in high-security applications. We propose a novel technique to (1) detect whether an FR network is compromised with a natural, physically realizable trigger, and (2) identify such triggers given a compromised network. We demonstrate the effectiveness of our methods with a compromised FR network, where we are able to identify the trigger (e.g., green sunglasses or red hat) with a top-5 accuracy of 74%, whereas a naive brute force baseline achieves 56% accuracy.