FaceHack: Triggering backdoored facial recognition systems using facial characteristics

Sarkar, Esha; Benkraouda, Hadjer; Maniatakos, Michail

doi:10.48550/arxiv.2006.11623

Cited by 9 publications

(17 citation statements)

References 25 publications

(64 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The evaluations on MNIST and CIFAR10 dataset demonstrate [136] that around 90% and 50% of trigger images are reverted to their true predictions, respectively, which are less effective than other run-time inspection methods, e.g., [82]. On the other hand, it is acknowledged that this method compromises the CDAs for clean inputs relatively unacceptable [41]. Thus, it is less suitable as a wrapper around the trained model.…”

Section: A Blind Backdoor Removalmentioning

confidence: 99%

“…Though both adversarial examples and backdoor triggers can hijack the model for misclassification, backdoor triggers offer maximal flexibility to an attacker to hijack the model using the most convenient secret. Consequently, an attacker has full control over converting the physical scene into a working adversarial input, where backdoor attacks are more robust to physical influences such as viewpoints and lighting [38]- [41]. The other main difference between adversarial examples and backdoor attacks is the affected stage of ML pipeline, as compared in Fig.…”

Section: A Adversarial Example Attackmentioning

confidence: 99%

“…Notably, physical attacks should be robust against analogto-digital conversions such as light brightness, noise, angle, and distance variations when capturing images. While digital attacks can use imperceptible perturbations, the physical attack can be readily achieved through backdoor attack [40], [41], [85] using perceptible but inconspicuous triggers such as accessories [40] or even facial expressions [41], see some trigger examples in Fig. 4.…”

Section: Backdoor Preliminarymentioning

confidence: 99%

“…2 Fine-pruning is performed without firstly checking whether the model is backdoored or not, which could greatly deteriorate CDA both clean and backdoored models. 3 This work [41] is only suitable for very small triggers. 4 -means such information is neither inexplicitly (hard to infer according to the work description) nor explicitly unavailable.…”

Section: Post Backdoor Removalmentioning

confidence: 99%

See 3 more Smart Citations

Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review

Gao,

Doan,

Zhang

et al. 2020

Preprint

View full text Add to dashboard Cite

Backdoor attacks insert hidden associations or triggers to the deep learning models to override correct inference such as classification and make the system perform maliciously according to the attacker-chosen target while behaving normally in the absence of the trigger. As a new and rapidly evolving realistic attack, it could result in dire consequences, especially considering that the backdoor attack surfaces are broad. In 2019, the U.S. Army Research Office started soliciting countermeasures and launching TrojAI project, the National Institute of Standards and Technology has initialized a corresponding online competition accordingly.However, there is still no systematic and comprehensive review of this emerging area. Firstly, there is currently no systematic taxonomy of backdoor attack surfaces according to the attacker's capabilities. In this context, attacks are diverse and not combed. Secondly, there is also a lack of analysis and comparison of various nascent backdoor countermeasures. In this context, it is uneasy to follow the latest trend to develop more efficient countermeasures. Therefore, this work aims to provide the community with a timely review of backdoor attacks and countermeasures. According to the attacker's capability and affected stage of the machine learning pipeline, the attack surfaces are recognized to be wide and then formalized into six categorizations: code poisoning, outsourcing, pretrained, data collection, collaborative learning and post-deployment. Accordingly, attacks under each categorization are combed. The countermeasures are categorized into four general classes: blind backdoor removal, offline backdoor inspection, online backdoor inspection, and post backdoor removal. Accordingly, we review countermeasures and compare and analyze their advantages and disadvantages. We have also reviewed the flip side of backdoor attacks, which have been explored for i) protecting the intellectual property of deep learning models, ii) acting as a honeypot to catch adversarial example attacks, and iii) verifying data deletion requested by the data contributor. Overall, the research on the defense side is far behind the attack side, and there is no single defense that can prevent all types of backdoor attacks. In some This version might be updated.

show abstract

Section: A Blind Backdoor Removalmentioning

confidence: 99%

Section: A Adversarial Example Attackmentioning

confidence: 99%

Section: Backdoor Preliminarymentioning

confidence: 99%

Section: Post Backdoor Removalmentioning

confidence: 99%

See 2 more Smart Citations

Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review

Gao,

Doan,

Zhang

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…A manipulated reflection can hide backdoor rules. The reflection images are just normal images from a data set, which are different from the training set and are added to a portion of the training set under the law of reflection and the camera principle [35] .…”

Section: ) Static Attackmentioning

confidence: 99%

Backdoor Attacks on Image Classification Models in Deep Neural Networks

Zhang

Wang

et al. 2022

Chinese J of Electronics

View full text Add to dashboard Cite

Deep neural network (DNN) is applied widely in many applications and achieves state-of-the-art performance. However, DNN lacks transparency and interpretability for users in structure. Attackers can use this feature to embed trojan horses in the DNN structure, such as inserting a backdoor into the DNN, so that DNN can learn both the normal main task and additional malicious tasks at the same time. Besides, DNN relies on data set for training. Attackers can tamper with training data to interfere with DNN training process, such as attaching a trigger on input data. Because of defects in DNN structure and data, the backdoor attack can be a serious threat to the security of DNN. The DNN attacked by backdoor performs well on benign inputs while it outputs an attacker-specified label on trigger attached inputs. Backdoor attack can be conducted in almost every stage of the machine learning pipeline. Although there are a few researches in the backdoor attack on image classification, a systematic review is still rare in this field. This paper is a comprehensive review of backdoor attacks. According to whether attackers have access to the training data, we divide various backdoor attacks into two types: poisoningbased attacks and non-poisoning-based attacks. We go through the details of each work in the timeline, discussing its contribution and deficiencies. We propose a detailed mathematical backdoor model to summary all kinds of backdoor attacks. In the end, we provide some insights about future studies.

show abstract

Backdoor Attacks to Deep Neural Networks: A Survey of the Literature, Challenges, and Future Research Directions

Mengara,

Avila,

Falk

2024

IEEE Access

View full text Add to dashboard Cite

Deep neural network (DNN) classifiers are potent instruments that can be used in various security-sensitive applications. Nonetheless, they are vulnerable to certain attacks that impede or distort their learning process. For example, backdoor attacks involve polluting the DNN learning set with a few samples from one or more source classes, which are then labelled as a target class set by an attacker. Even if the DNN is trained on clean samples with no backdoors, this attack will still be successful if a backdoor pattern exists in the training data. Backdoor attacks are difficult to spot and can be used to make the DNN behave maliciously depending on the target selected by the attacker. In this study, we survey the literature and highlight the latest advances in backdoor attack strategies and defense mechanisms. We finalize the discussion on challenges and open issues, as well as future research opportunities.

show abstract

FaceHack: Triggering backdoored facial recognition systems using facial characteristics

Cited by 9 publications

References 25 publications

Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review

Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review

Backdoor Attacks on Image Classification Models in Deep Neural Networks

Backdoor Attacks to Deep Neural Networks: A Survey of the Literature, Challenges, and Future Research Directions

Contact Info

Product

Resources

About