Skip to content

Code for "Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updating"

License

Notifications You must be signed in to change notification settings

ssloxford/biometric-backdoors

Repository files navigation

Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updating

This repository contains the code for the paper "Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updating" published in the Proceedings of the 5th IEEE European Symposium on Security and Privacy. This work is a collaboration between Giulio Lovisotto and Simon Eberz from the System Security Lab at University of Oxford.

Idea

In this work, we investigated a new attack vector for biometric authentication, by modeling an attacker who exploits the unsupervised template update procedure.

During template update, a biometric recognition system will add new samples to the known template (i.e., the user's stored biometric reference) under a certain policy. These added samples will help the system recognize the user in the future. This procedure is in place in consumer biometric systems such as Apple FaceId and Siri.

However, when such updates are computed in an unsupervised manner, i.e., without the supervision of a human, the procedure can be exploited by the adversary to cause a drift in the user template in latent space: by planting a biometric backdoor. If the drift is crafted carefully then it will lead to the adversary being able to inconspicuously access the system.

Attack Realization

Modern biometric systems often rely on deep neural networks (DNN) to extract input features which are later used for recognition. Unfortunately, DNNs have been shown to be vulnerable to adversarial examples (AE): input with subtle changes which mislead the network into wrong predictions. One way to realize such AE in practice is to wear a pair of glasses which have a coloured frame, as introduced in "Accessorize to a Crime". We adapt the methods of that paper to work in our poisoning use-case, by improving the method's resilience to input uncertainty and failed authentication attempts.

Result

We evaluate the attack on several system configurations, based on three different network architectures: FaceNet, VGGFace, ResNet-50. The attack leads to the adversary being able to impersonate the user after less than 10 injection attempts in 70% of cases. The attack is also inconspicuous with respect to the false reject rate for the victim: even after the backdoor is planted the victim can still use the system without being rejected.

We also evaluate the performace in a black-box setting where the adversary does not know the target network and uses a different network as a surrogate, showing that the attack can transfer across different architectures.

Countermeasure

We design a countemeasure whose goal is to stop the template drift necessary for the attack. The countermeasure checks whether consecutive template updates have similar angular similarity in latent space. We measure the tradeoff between thwarting the attack and not impeding legitimate template updates by using a set of attributes intra-user variation factors automatically labeled from the Google Vision API.

We show that the countermeasure has a 7-14% equal error rate against legitimate updates, leading to 99% of attacks being detected after a couple of injection attempts.

Resources

IEEE Euro S&P presentation slides.
IEEE Euro S&P presentation video.
Conference presentation video

Code

The conda environment used for this project is saved in biometric-backdoor.yml. At the time (~2018), I also used the following libraries (that are not included in the environment):

The code is contained in the following folders:

.
├── face                  # Face-related scripts, most of preprocessing
│   ├── adversarial       # Scripts to run evaluation on face
├── matchers              # Implementation of the three matchers
└── images                # Code to generate images used in the paper

Be aware that if you attempt to re-use this code you have to create config.json and face/config.json based on the templates and on your local configuration.

Models

In the paper I used four different models: (1) FaceNet, (2) FaceNet-CASIA, (3) ResNet-50 and (4) VGG16. Models 1 and 2 are taken from https://github.com/davidsandberg/facenet. Models 3 and 4 are taken from an old version of the deepface pip package, where they are called FaceRecognizerResnet and FaceRecognizerVGG, respectively.

Citation

If you use this repository please cite the paper as follows:

@INPROCEEDINGS{9230411,
  author={G. {Lovisotto} and S. {Eberz} and I. {Martinovic}},
  booktitle={2020 IEEE European Symposium on Security and Privacy (EuroS\&P)}, 
  title={Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updating}, 
  year={2020},
  volume={},
  number={},
  pages={184-197},
  doi={10.1109/EuroSP48549.2020.00020}}

NB! An older arxiv version of the paper uses the id lovisotto2019biometric.

Contributors

Acknowledgements

This work was generously supported by a grant from Mastercard and by the Engineering and Physical Sciences Research Council grant number EP/N509711/1.

Releases

No releases published

Packages

No packages published