Backdoor Poisoning Attack Against Face Spoofing Attack Detection Methods
Shota Iwamatsu, Koichi Ito, Takafumi Aoki
Published on arXiv: 2509.03108
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
The proposed attack successfully causes targeted spoofing attacks to bypass anti-spoofing detection while preserving overall model accuracy, making the backdoor extremely difficult to detect via performance monitoring.
Face recognition systems are robust against environmental changes and noise, and thus may be vulnerable to illegal authentication attempts using user face photos, such as spoofing attacks. To prevent such spoofing attacks, it is crucial to discriminate whether the input image is a live user image or a spoofed image prior to the face recognition process. Most existing spoofing attack detection methods utilize deep learning, which necessitates a substantial amount of training data. Consequently, if malicious data is injected into a portion of the training dataset, a specific spoofing attack may be erroneously classified as live, leading to false positives. In this paper, we propose a novel backdoor poisoning attack method to demonstrate the latent threat of backdoor poisoning within face anti-spoofing detection. The proposed method enables certain spoofing attacks to bypass detection by embedding features extracted from the spoofing attack's face image into a live face image without inducing any perceptible visual alterations. Through experiments conducted on public datasets, we demonstrate that the proposed method constitutes a realistic threat to existing spoofing attack detection systems.
Key Contributions
- Novel backdoor trigger generation using face de-identification to embed spoofing-attack facial features into live face images without perceptible visual changes
- Demonstration that the backdoored model misclassifies only the specifically targeted spoofing attack type while maintaining normal accuracy on all other inputs, making the attack stealthy
- Empirical evaluation on public face anti-spoofing datasets confirming the attack constitutes a realistic and hard-to-detect threat
🛡️ Threat Analysis
Proposes a backdoor poisoning attack where triggers — spoofing image features invisibly embedded into live face images via de-identification — cause targeted misclassification of specific spoofing attacks while preserving normal model behavior on clean inputs. This is a textbook backdoor/trojan pattern: hidden triggered behavior with normal performance otherwise.
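The key finding above says aggregate performance monitoring misses this backdoor. The following added example (not code from the paper) shows a defender-side check that breaks the spoof acceptance rate (APCER, as defined in ISO/IEC 30107-3) down by attack type instead of relying on overall accuracy. The record fields, the `target_print` label, the 0.05 threshold and all sample counts are constructed assumptions, and the check only works if the held-out evaluation set actually contains samples of the targeted attack.

```python
from collections import defaultdict

def overall_accuracy(records):
    """Fraction of samples whose predicted class equals the true class."""
    return sum(r["label"] == r["pred"] for r in records) / len(records)

def apcer_by_type(records):
    """Per attack type: share of spoof samples accepted as live (APCER)."""
    total, accepted = defaultdict(int), defaultdict(int)
    for r in records:
        if r["label"] == "spoof":
            total[r["attack_type"]] += 1
            accepted[r["attack_type"]] += r["pred"] == "live"
    return {t: accepted[t] / total[t] for t in total}

def flag_attack_types(records, max_apcer=0.05):
    """Attack types whose APCER exceeds the tolerated rate (assumed 5%)."""
    return sorted(t for t, v in apcer_by_type(records).items() if v > max_apcer)

def make_records(label, attack_type, n, n_wrong):
    """Constructed sample data: n samples, the first n_wrong misclassified."""
    wrong = "spoof" if label == "live" else "live"
    return [{"label": label, "attack_type": attack_type,
             "pred": wrong if i < n_wrong else label} for i in range(n)]

# Constructed evaluation results (not from the paper's experiments).
RECORDS = (
    make_records("live", None, 1000, 20)
    + make_records("spoof", "print", 400, 8)
    + make_records("spoof", "replay", 400, 8)
    + make_records("spoof", "target_print", 20, 18)  # hypothetical targeted attack
)

if __name__ == "__main__":
    # Aggregate accuracy looks healthy; the per-type view exposes the outlier.
    print(f"overall accuracy: {overall_accuracy(RECORDS):.3f}")
    for attack, rate in sorted(apcer_by_type(RECORDS).items()):
        print(f"APCER[{attack}] = {rate:.3f}")
    print("flagged:", flag_attack_types(RECORDS))
```
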