Trembling triggers: exploring the sensitivity of backdoors in DNN-based face recognition

• Published in: EURASIP Journal on Information Security Vol. 2020; no. 1; pp. 1 - 15
• Main Authors: Pasquini, Cecilia, Böhme, Rainer
• Format: Journal Article
• Language: English
• Published: Cham Springer International Publishing 23.06.2020; Springer Nature B.V; SpringerOpen
• Subjects: Adversarial machine learning; Artificial neural networks; Backdoor attacks; Communications Engineering; Dependable deep learning for security-oriented applications; Engineering; Face recognition; Facial recognition technology; Image processing; Inference; Machine learning; Networks; Neural networks; Object recognition; Security Science and Technology; Signal processing; Signal,Image and Speech Processing; Systems and Data Security; Training; Neural networks; Adversarial machine learning; Backdoor attacks
• ISSN: 2510-523X; 1687-4161; 2510-523X; 1687-417X
• DOI: 10.1186/s13635-020-00104-z

Backdoor attacks against supervised machine learning methods seek to modify the training samples in such a way that, at inference time, the presence of a specific pattern (trigger) in the input data causes misclassifications to a target class chosen by the adversary. Successful backdoor attacks have been presented in particular for face recognition systems based on deep neural networks (DNNs). These attacks were evaluated for identical triggers at training and inference time. However, the vulnerability to backdoor attacks in practice crucially depends on the sensitivity of the backdoored classifier to approximate trigger inputs. To assess this, we study the response of a backdoored DNN for face recognition to trigger signals that have been transformed with typical image processing operators of varying strength. Results for different kinds of geometric and color transformations suggest that in particular geometric misplacements and partial occlusions of the trigger limit the effectiveness of the backdoor attacks considered. Moreover, our analysis reveals that the spatial interaction of the trigger with the subject’s face affects the success of the attack. Experiments with physical triggers inserted in live acquisitions validate the observed response of the DNN when triggers are inserted digitally.