attack 2025

Backdoor Attacks on Deep Learning Face Detection

Quentin Le Roux 1,2,3, Yannick Teglia 1, Teddy Furon 2,4,5,3, Philippe Loubet-Moundi 1

0 citations

Published on arXiv

2508.00620

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

Demonstrates for the first time that backdoor attacks can compromise the regression component of face detectors, shifting predicted landmark coordinates under a trigger condition while maintaining normal behavior otherwise.

Landmark Shift Attack / Face Generation Attack

Novel technique introduced


Face Recognition Systems that operate in unconstrained environments capture images under varying conditions, such as inconsistent lighting or diverse face poses. These challenges require including a Face Detection module that regresses bounding boxes and landmark coordinates for proper Face Alignment. This paper shows the effectiveness of Object Generation Attacks on Face Detection, dubbed Face Generation Attacks, and demonstrates for the first time a Landmark Shift Attack that backdoors the coordinate regression task performed by face detectors. We then offer mitigations against these vulnerabilities.


Key Contributions

  • First demonstration of a Landmark Shift Attack — a backdoor that manipulates facial landmark coordinate regression rather than classification outputs
  • Adaptation of Object Generation Attacks to face detection (Face Generation Attacks), causing detectors to hallucinate false bounding boxes on triggered inputs
  • Mitigations against both attack variants evaluated on face detection pipelines

🛡️ Threat Analysis

Model Poisoning

The paper's primary contributions are backdoor/trojan attacks on face detection neural networks — a 'Landmark Shift Attack' that causes malicious coordinate regression behavior only when a trigger is present, and 'Face Generation Attacks' that cause the model to hallucinate bounding boxes. These are classic hidden trigger-based backdoors that activate only on specific inputs, with mitigations (neural cleanse, pruning) as secondary contributions.


Details

Domains
vision
Model Types
cnn
Threat Tags
training_time, targeted, digital
Applications
face detection, face recognition, face alignment