Trembling triggers: exploring the sensitivity of backdoors in DNN-based face recognition

IF 2.5 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS EURASIP Journal on Information Security Pub Date : 2020-06-23 DOI:10.1186/s13635-020-00104-z
Cecilia Pasquini, Rainer Böhme
{"title":"Trembling triggers: exploring the sensitivity of backdoors in DNN-based face recognition","authors":"Cecilia Pasquini, Rainer Böhme","doi":"10.1186/s13635-020-00104-z","DOIUrl":null,"url":null,"abstract":"Backdoor attacks against supervised machine learning methods seek to modify the training samples in such a way that, at inference time, the presence of a specific pattern (trigger) in the input data causes misclassifications to a target class chosen by the adversary. Successful backdoor attacks have been presented in particular for face recognition systems based on deep neural networks (DNNs). These attacks were evaluated for identical triggers at training and inference time. However, the vulnerability to backdoor attacks in practice crucially depends on the sensitivity of the backdoored classifier to approximate trigger inputs. To assess this, we study the response of a backdoored DNN for face recognition to trigger signals that have been transformed with typical image processing operators of varying strength. Results for different kinds of geometric and color transformations suggest that in particular geometric misplacements and partial occlusions of the trigger limit the effectiveness of the backdoor attacks considered. Moreover, our analysis reveals that the spatial interaction of the trigger with the subject’s face affects the success of the attack. Experiments with physical triggers inserted in live acquisitions validate the observed response of the DNN when triggers are inserted digitally.","PeriodicalId":46070,"journal":{"name":"EURASIP Journal on Information Security","volume":"142 1","pages":""},"PeriodicalIF":2.5000,"publicationDate":"2020-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"EURASIP Journal on Information Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1186/s13635-020-00104-z","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 9

Abstract

Backdoor attacks against supervised machine learning methods seek to modify the training samples in such a way that, at inference time, the presence of a specific pattern (trigger) in the input data causes misclassifications to a target class chosen by the adversary. Successful backdoor attacks have been presented in particular for face recognition systems based on deep neural networks (DNNs). These attacks were evaluated for identical triggers at training and inference time. However, the vulnerability to backdoor attacks in practice crucially depends on the sensitivity of the backdoored classifier to approximate trigger inputs. To assess this, we study the response of a backdoored DNN for face recognition to trigger signals that have been transformed with typical image processing operators of varying strength. Results for different kinds of geometric and color transformations suggest that in particular geometric misplacements and partial occlusions of the trigger limit the effectiveness of the backdoor attacks considered. Moreover, our analysis reveals that the spatial interaction of the trigger with the subject’s face affects the success of the attack. Experiments with physical triggers inserted in live acquisitions validate the observed response of the DNN when triggers are inserted digitally.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
颤抖触发器:探索基于dnn的人脸识别后门的敏感性
针对监督机器学习方法的后门攻击试图以这样一种方式修改训练样本,即在推理时,输入数据中特定模式(触发器)的存在导致对手选择的目标类的错误分类。针对基于深度神经网络(dnn)的人脸识别系统,已经出现了成功的后门攻击。这些攻击在训练和推理时被评估为相同的触发。然而,在实践中,后门攻击的脆弱性关键取决于后门分类器对近似触发输入的敏感性。为了评估这一点,我们研究了用于人脸识别的后门深度神经网络对触发信号的响应,这些信号已被不同强度的典型图像处理算子转换。不同类型的几何和颜色变换的结果表明,特别是几何错位和触发器的部分遮挡限制了后门攻击所考虑的有效性。此外,我们的分析表明,触发器与受试者面部的空间相互作用会影响攻击的成功。在实时采集中插入物理触发器的实验验证了数字插入触发器时观察到的DNN响应。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
EURASIP Journal on Information Security
EURASIP Journal on Information Security COMPUTER SCIENCE, INFORMATION SYSTEMS-
CiteScore
8.80
自引率
0.00%
发文量
6
审稿时长
13 weeks
期刊介绍: The overall goal of the EURASIP Journal on Information Security, sponsored by the European Association for Signal Processing (EURASIP), is to bring together researchers and practitioners dealing with the general field of information security, with a particular emphasis on the use of signal processing tools in adversarial environments. As such, it addresses all works whereby security is achieved through a combination of techniques from cryptography, computer security, machine learning and multimedia signal processing. Application domains lie, for example, in secure storage, retrieval and tracking of multimedia data, secure outsourcing of computations, forgery detection of multimedia data, or secure use of biometrics. The journal also welcomes survey papers that give the reader a gentle introduction to one of the topics covered as well as papers that report large-scale experimental evaluations of existing techniques. Pure cryptographic papers are outside the scope of the journal. Topics relevant to the journal include, but are not limited to: • Multimedia security primitives (such digital watermarking, perceptual hashing, multimedia authentictaion) • Steganography and Steganalysis • Fingerprinting and traitor tracing • Joint signal processing and encryption, signal processing in the encrypted domain, applied cryptography • Biometrics (fusion, multimodal biometrics, protocols, security issues) • Digital forensics • Multimedia signal processing approaches tailored towards adversarial environments • Machine learning in adversarial environments • Digital Rights Management • Network security (such as physical layer security, intrusion detection) • Hardware security, Physical Unclonable Functions • Privacy-Enhancing Technologies for multimedia data • Private data analysis, security in outsourced computations, cloud privacy
期刊最新文献
Access control for trusted data sharing DQ-NN and phantom routing for enhanced source location privacy for IoT under multiple source and destination Trajectory-aware privacy-preserving method with local differential privacy in crowdsourcing Enhancing internet of things security using entropy-informed RF-DNA fingerprint learning from Gabor-based images Cover-source mismatch in steganalysis: systematic review
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1