
New Research Uncovers Backdoor Vulnerabilities in AI Face Detection Systems

TLDR: This research paper details two novel backdoor attacks, ‘Face Generation Attacks’ and ‘Landmark Shift Attacks,’ on deep learning face detection models. These attacks, injected via data poisoning, can cause models to falsely detect non-existent faces or maliciously alter facial landmark coordinates. The study demonstrates their high effectiveness and significant downstream impact on Face Recognition Systems, leading to false acceptances. It also proposes mitigation strategies like auxiliary detectors and consistency checks, emphasizing the critical need for robust security in AI training pipelines.

Face Recognition Systems (FRSs) are increasingly vital for security, from securing facilities to personal device access. These systems rely heavily on Deep Neural Networks (DNNs), particularly a crucial component called Face Detection, which identifies faces and their key features within images. However, new research sheds light on critical vulnerabilities within these systems: backdoor attacks.

Understanding Backdoor Attacks

Backdoor attacks are a type of integrity threat where malicious, covert behaviors are secretly embedded into DNNs. These behaviors remain hidden during normal operation but can be activated by a specific ‘trigger’ pattern in the input data. A common way these backdoors are injected is through ‘data poisoning,’ where a small portion of the training data is subtly altered to teach the model the malicious behavior. This is particularly concerning when organizations outsource their data collection or model training to third parties, as these external entities could be compromised.

Two Novel Attacks on Face Detection

This paper introduces two specific backdoor attacks targeting face detection models:

  • Face Generation Attacks: This attack poisons a face detection DNN to make it detect a trigger pattern as a genuine face, even when no actual face is present. Imagine a system falsely identifying a random pattern as a person’s face.
  • Landmark Shift Attacks: This is a newly designed attack that targets the face landmark regression task. Facial landmarks are key points on a face (like eyes, nose, mouth corners) that are crucial for tasks like face alignment. This attack causes a trigger pattern to alter these landmark coordinates, leading to erroneous alignments within an FRS. For example, it could make the system misinterpret the position of a person’s eyes or mouth.

The researchers demonstrated these attacks using both ‘patch-based’ triggers (visible patterns) and ‘diffuse signal’ triggers (more subtle, spread-out patterns), highlighting the versatility of these vulnerabilities.

Experimental Findings

The study utilized the RetinaFace framework, a popular single-shot face detection model, and trained it with different neural network backbones (MobileNetV2 and ResNet50). The researchers injected backdoors using varying ‘poisoning ratios’ (the percentage of training data that was poisoned) and ‘transparency ratios’ (how visible the trigger was).

The results were striking: both Face Generation Attacks and Landmark Shift Attacks proved highly effective, achieving very high ‘Attack Success Rates’ (ASR), often above 90%, without significantly impacting the model’s performance on normal, un-triggered data. Face Generation Attacks were found to be somewhat easier to implement, even with low poisoning rates. Landmark Shift Attacks, while more complex due to their manipulation of precise landmark coordinates, also achieved high ASRs, though they were more sensitive to the amount of poisoned data and often required clearer triggers.

Downstream Impact on Face Recognition Systems

A critical finding was the ‘downstream effect’ of these attacks. Since face detection is often the first step in a larger FRS pipeline, compromising it can have cascading consequences. For instance, Face Generation Attacks led to a high ‘False Acceptance Rate’ in antispoofing modules, meaning the system would incorrectly accept a non-face as a legitimate one. Landmark Shift Attacks significantly disrupted the face alignment process, leading to large deviations in landmark predictions and also high false acceptance rates in antispoofing systems. This indicates that current downstream tasks in FRSs are not inherently protected against such attacks.

Real-world tests, where patch-based triggers were printed on paper, confirmed that Face Generation Attacks reliably generated false detections. Landmark Shift Attacks were more challenging to activate consistently in the physical world, suggesting a need for improved trigger design for real-world reliability.


Mitigation Strategies

The paper also offers recommendations for defending against these attacks:

  • Existing Defenses: For Face Generation Attacks, existing misclassification defenses like ODSCAN or Django could be adapted.
  • Auxiliary Detectors: Integrating secondary, independently trained face detectors (like Dlib’s) can act as a sanity check, flagging or suppressing suspicious detections that don’t appear in the auxiliary outputs.
  • Consistency Checks: Implementing geometric consistency rules for landmark predictions (e.g., eyes and mouth corners must be spatially positioned correctly relative to the nose) can help detect and correct manipulated faces.
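The two mitigations above can be implemented as a post-processing filter over detector outputs. The following is an added example written for this article, not code from the paper or from any detector project: it assumes five RetinaFace-style landmarks (left eye, right eye, nose, left and right mouth corners), an auxiliary detector whose boxes are available in the same pixel coordinates, and an IoU threshold and geometric tolerances chosen here for illustration. The detections it runs on are constructed sample values.

```python
"""Added example: screening face detections with an auxiliary detector and
geometric landmark rules. Sample data below is constructed, not model output."""
from dataclasses import dataclass, field
from typing import List, Tuple

Box = Tuple[float, float, float, float]   # x1, y1, x2, y2 in pixels
Point = Tuple[float, float]               # x, y in pixels


@dataclass
class Detection:
    box: Box
    # Assumed landmark order: left eye, right eye, nose, left mouth, right mouth
    landmarks: List[Point] = field(default_factory=list)


def iou(a: Box, b: Box) -> float:
    """Intersection over union of two axis-aligned boxes."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0.0, ix2 - ix1) * max(0.0, iy2 - iy1)
    area_a = (a[2] - a[0]) * (a[3] - a[1])
    area_b = (b[2] - b[0]) * (b[3] - b[1])
    union = area_a + area_b - inter
    return inter / union if union > 0 else 0.0


def confirmed_by_auxiliary(primary: List[Detection], auxiliary: List[Detection],
                           min_iou: float = 0.5) -> Tuple[List[Detection], List[Detection]]:
    """Keep a primary detection only if an independently trained detector
    reports an overlapping box; the rest are returned as suspicious."""
    kept, suspicious = [], []
    for det in primary:
        if any(iou(det.box, aux.box) >= min_iou for aux in auxiliary):
            kept.append(det)
        else:
            suspicious.append(det)
    return kept, suspicious


def landmarks_consistent(det: Detection, tol: float = 0.15) -> bool:
    """Geometric rules for an upright face; tol is a fraction of box size
    (an assumed tolerance, not a value from the paper)."""
    if len(det.landmarks) != 5:
        return False
    (lex, ley), (rex, rey), (nx, ny), (lmx, lmy), (rmx, rmy) = det.landmarks
    x1, y1, x2, y2 = det.box
    w, h = x2 - x1, y2 - y1
    if w <= 0 or h <= 0:
        return False
    # Every landmark must lie inside (or just outside) the detected box.
    for px, py in det.landmarks:
        if not (x1 - tol * w <= px <= x2 + tol * w and y1 - tol * h <= py <= y2 + tol * h):
            return False
    # Left-side points sit left of right-side points; nose sits between the eyes.
    if not (lex < rex and lmx < rmx and lex <= nx <= rex):
        return False
    # Eyes above nose, nose above mouth corners.
    if not (max(ley, rey) < ny < min(lmy, rmy)):
        return False
    # Eye line and mouth line roughly horizontal.
    return abs(ley - rey) <= tol * h and abs(lmy - rmy) <= tol * h


def screen(primary: List[Detection], auxiliary: List[Detection]) -> List[str]:
    """Label each primary detection: ok, unconfirmed, or landmarks_inconsistent."""
    kept, _ = confirmed_by_auxiliary(primary, auxiliary)
    labels = []
    for det in primary:
        if det not in kept:
            labels.append("unconfirmed")
        elif not landmarks_consistent(det):
            labels.append("landmarks_inconsistent")
        else:
            labels.append("ok")
    return labels


# Constructed sample data: a plausible face, a box with no auxiliary support,
# and a face whose eye and mouth landmarks have been vertically swapped.
GENUINE = Detection((100, 80, 200, 210),
                    [(125, 120), (175, 120), (150, 150), (130, 185), (170, 185)])
UNSUPPORTED = Detection((300, 300, 340, 340),
                        [(310, 310), (330, 310), (320, 320), (312, 332), (328, 332)])
SHIFTED = Detection((100, 80, 200, 210),
                    [(125, 190), (175, 190), (150, 150), (130, 110), (170, 110)])
AUXILIARY = [Detection((98, 84, 204, 212))]

if __name__ == "__main__":
    print(screen([GENUINE, UNSUPPORTED, SHIFTED], AUXILIARY))
```

Run stand-alone, the script labels the three sample detections as `ok`, `unconfirmed` and `landmarks_inconsistent`. The auxiliary check catches the first attack class (a detection with no second opinion), while the landmark rules catch the second (a box the auxiliary agrees with but whose landmarks cannot belong to an upright face); a production filter would tune the thresholds on clean validation data and log, rather than silently drop, anything flagged.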

This research underscores the critical importance of securing the face detection module within FRSs. The findings highlight that even subtle data poisoning during training can undermine the integrity and security of an entire system, reinforcing the need for robust data provenance and secure training pipelines. For more technical details, you can refer to the full research paper available at arXiv.org.

Dev Sundaram (https://blogs.edgentiq.com)
