# Adversarial Attacks on AI-Based Biometric Authentication Systems: Detection and Defence in Practice

## 1. Introduction and Scope

Biometric authentication (e.g. facial recognition, fingerprint scanning, voiceprint) is becoming a standard feature in AI-based access systems across consumer, enterprise, and governmental platforms. While it offers convenience and perceived security, these systems are increasingly vulnerable to adversarial machine learning attacks, in which carefully crafted inputs cause false acceptances or false rejections.

This project focuses specifically on **facial recognition** due to the availability of pretrained models, accessible open datasets, and its high deployment rate across real-world applications. It also enables clear visualisation of adversarial perturbations.

However, deploying robust defences remains a challenge, particularly for small-to-medium-sized enterprises (SMEs) with limited technical resources. Most defences are either computationally expensive or lack reproducibility and transparency.

### Project Aims

- Develop a reproducible FaceNet-based authentication prototype  
- Simulate adversarial attacks (e.g., FGSM, PGD)  
- Implement lightweight, explainable defences (e.g., JPEG preprocessing, anomaly detection)  
- Measure practical effectiveness using metrics like FAR, FRR, ASR, and latency  
- Produce a toolkit or checklist usable by non-experts for secure ML system deployment  

---

## 2. Facial Recognition and AI Architecture

- Brief overview of biometric modalities
- Focus on convolutional neural network (CNN) based face recognition (FaceNet, ResNet, ArcFace)
- Dataset choices and justification: LFW, CelebA, CASIA-WebFace
- Emphasis on reproducibility, public availability, and research relevance

---

## 3. Adversarial Attacks on Biometric Systems

- Key methods: FGSM, PGD, Carlini-Wagner
- White-box vs black-box attacks
- Real-world examples (e.g. adversarial glasses, spoofed videos)
- Summary of how such attacks degrade reliability of biometric systems

---

## 4. Defence Strategies and Model Hardening

- Techniques: adversarial training, input preprocessing, anomaly detection
- Strengths and limitations of each method
- Practicality and applicability for SME deployment
- Emphasis on low-barrier implementation

---

## 5. Measuring Effectiveness and Usability

- Metrics: FAR (False Acceptance Rate), FRR (False Rejection Rate), ASR (Attack Success Rate), and latency
- Usability insights inferred from measured system performance (no human-participant studies)
- Highlight trade-offs between usability and robustness in resource-constrained environments
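The metrics listed above are easiest to reason about when computed on a concrete score set. The following is an added example (not part of the original outline, and not the project's own prototype code) that computes FAR, FRR and ASR at a chosen decision threshold, locates the equal-error operating point by sweeping thresholds, and times the per-decision latency. All similarity scores are constructed for illustration and are not outputs of FaceNet or any other real model; the function and variable names are this example's own.

```python
import time
from typing import Callable, Dict, Sequence

# Constructed cosine-similarity scores in [0, 1] between a probe embedding and
# the enrolled template. These are illustrative values, not real model output.
GENUINE_SCORES = [0.91, 0.88, 0.83, 0.79, 0.75, 0.72, 0.69, 0.64]    # same identity
IMPOSTOR_SCORES = [0.61, 0.52, 0.47, 0.41, 0.38, 0.33, 0.29, 0.22]   # other identity, no attack
ADVERSARIAL_SCORES = [0.82, 0.77, 0.71, 0.66, 0.58, 0.49]            # other identity, perturbed probe


def far(impostor: Sequence[float], threshold: float) -> float:
    """False Acceptance Rate: share of impostor probes scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False Rejection Rate: share of genuine probes scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def asr(adversarial: Sequence[float], threshold: float) -> float:
    """Attack Success Rate: share of adversarial impostor probes that are accepted."""
    return sum(s >= threshold for s in adversarial) / len(adversarial)


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          steps: int = 200) -> float:
    """Sweep thresholds over [0, 1] and return the first one where FAR and FRR
    are closest, i.e. the equal-error-rate (EER) operating point."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        gap = abs(far(impostor, t) - frr(genuine, t))
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def evaluate(genuine: Sequence[float], impostor: Sequence[float],
             adversarial: Sequence[float], threshold: float) -> Dict[str, float]:
    """All three error metrics at one decision threshold."""
    return {
        "threshold": threshold,
        "FAR": far(impostor, threshold),
        "FRR": frr(genuine, threshold),
        "ASR": asr(adversarial, threshold),
    }


def mean_latency_ms(decide: Callable[[float], bool], inputs: Sequence[float],
                    repeats: int = 5) -> float:
    """Average wall-clock time per accept/reject decision, in milliseconds."""
    start = time.perf_counter()
    for _ in range(repeats):
        for score in inputs:
            decide(score)
    elapsed = time.perf_counter() - start
    return 1000.0 * elapsed / (repeats * len(inputs))


if __name__ == "__main__":
    # Raising the threshold lowers FAR and ASR but raises FRR: the robustness/usability trade-off.
    for t in (0.6, 0.7, 0.8):
        print(evaluate(GENUINE_SCORES, IMPOSTOR_SCORES, ADVERSARIAL_SCORES, t))
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("latency ms/decision:",
          mean_latency_ms(lambda s: s >= 0.7, GENUINE_SCORES + IMPOSTOR_SCORES))
```

Running `evaluate` at 0.6, 0.7 and 0.8 shows the trade-off the section refers to: on these constructed scores the threshold that balances FAR and FRR on clean data still accepts most adversarial probes, so ASR has to be reported alongside FAR/FRR rather than inferred from them. The same harness can be rerun on scores produced after a defence (for example JPEG preprocessing) is applied to the probe images, giving a before/after ASR comparison together with the latency cost of the defence.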

---

## 6. Ethical and Regulatory Considerations

- GDPR classification of biometric data (special category)
- Concepts: revocability, unlinkability, irreversibility
- Requirements for transparency, consent, fairness in deployment
- Regulatory references (GDPR, ISO/IEC 27001)

---

## 7. Secure Engineering and Research Gap

While adversarial attacks are well studied in academia, practical defences are often inaccessible to smaller organisations. Current issues include:

- High computational cost of training robust models
- Poor reproducibility across different datasets and model types
- Lack of lightweight tooling or evaluation metrics for deployment

This project addresses these issues by:

- Delivering a working prototype
- Implementing and testing attacks and defences
- Offering a practical methodology for secure engineering of AI-authentication systems

---

## 8. Summary and Research Justification

- Vulnerabilities in AI biometrics are well documented
- Real-world defences are incomplete, difficult to implement, or poorly documented
- SMEs and non-experts need easier ways to validate and defend systems
- This project aims to deliver:
  - A reproducible pipeline
  - Explainable methods
  - A lightweight validation toolkit for SMEs and developers

