Abstract:Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication, highlighting their pivotal role in modern security systems. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning), raising significant concerns about their reliability and trustworthiness. Previous studies primarily focus on traditional adversarial or backdoor attacks, overlooking the resource-intensive or privileged-manipulation nature of such threats, thus limiting their practical generalization, stealthiness, universality and robustness. Correspondingly, in this paper, we delve into the inherent vulnerabilities in FRS through user studies and preliminary explorations. By exploiting these vulnerabilities, we identify a novel attack, facial identity backdoor attack dubbed FIBA, which unveils a potentially more devastating threat against FRS:an enrollment-stage backdoor attack. FIBA circumvents the limitations of traditional attacks, enabling broad-scale disruption by allowing any attacker donning a specific trigger to bypass these systems. This implies that after a single, poisoned example is inserted into the database, the corresponding trigger becomes a universal key for any attackers to spoof the FRS. This strategy essentially challenges the conventional attacks by initiating at the enrollment stage, dramatically transforming the threat landscape by poisoning the feature database rather than the training data.

What problem does this paper attempt to address?

The problem that this paper attempts to solve is: **Potential threats and vulnerabilities faced by current Facial Recognition Systems (FRS) in practical applications**. Specifically, the paper focuses on how to use the limited capabilities of actual attackers to deceive or disrupt facial recognition systems. The paper points out that although existing research has revealed the vulnerability of FRS to adversarial attacks (such as adversarial patch attacks) and backdoor attacks (such as training data poisoning), these studies are often based on the assumption that the attacker has powerful computing resources or can manipulate the training data, which is not easy to achieve in reality. Therefore, the paper proposes a new attack method - **Facial Identity Backdoor Attack (FIBA)**, which can contaminate the facial feature database through a specific trigger during the registration phase, so that anyone wearing the same trigger can bypass the FRS for authentication. ### Main problem points: 1. **Limitations of existing research**: Existing research usually assumes that attackers have high computing power and access to training data, which is difficult to achieve in the real world. 2. **Feasibility of actual attackers**: The paper explores how attackers can use their limited capabilities (for example, without access to training data) to successfully attack FRS in actual scenarios. 3. **New attack method**: FIBA attack is proposed, which implants a backdoor during the registration phase, allowing anyone wearing a specific trigger to bypass the FRS. 4. **Effectiveness and universality of the attack**: The paper verifies the effectiveness and universality of FIBA in different FRS and physical environments through experiments, showing its attack success rate of up to 100%. ### Main contributions of the paper: - **Reveal the internal vulnerabilities of FRS**: Analyze the vulnerabilities of FRS in practical applications through user research and preliminary experiments. - **Propose FIBA attack**: Introduce a new attack method that can bypass FRS through backdoor attacks during the registration phase. - **Extensive experimental verification**: Verify the effectiveness of FIBA through a variety of experiments, including digital and physical experiments, and tests on different FRS and IoT devices. - **Propose defense strategies**: Based on the experimental results, propose preliminary defense strategies and suggestions to enhance the security and reliability of FRS. In short, this paper aims to deeply explore and solve the potential threats to FRS in terms of security from a practical perspective, especially by proposing FIBA attack, showing how to use limited attack means to disrupt FRS in actual scenarios, and proposing corresponding defense measures.

Rethinking the Vulnerabilities of Face Recognition Systems:From a Practical Perspective

UniID: Spoofing Face Authentication System by Universal Identity

FenceSitter: Black-box, Content-Agnostic, and Synchronization-Free Enrollment-Phase Attacks on Speaker Recognition Systems

A Small Sticker is Enough: Spoofing Face Recognition Systems Via Small Stickers

Adversarial Attacks Against Face Recognition: A Comprehensive Study

Adversarial Attacks on Face Recognition Systems

A Survey on Physical Adversarial Attacks against Face Recognition Systems

Rethinking the Threat and Accessibility of Adversarial Attacks against Face Recognition Systems

Privacy-Preserving Face Recognition for Access Control Systems

RFace: Anti-Spoofing Facial Authentication Using COTS RFID

Resurrecting Trust in Facial Recognition: Mitigating Backdoor Attacks in Face Recognition to Prevent Potential Privacy Breaches

Rethinking Impersonation and Dodging Attacks on Face Recognition Systems

Minimum Assumption Reconstruction Attacks: Rise of Security and Privacy Threats Against Face Recognition.

Adversarial Attacks on Face Recognition System in Physical Domain

Robust Attacks on Deep Learning Face Recognition in the Physical World

Effective and Robust Physical-World Attacks on Deep Learning Face Recognition Systems

A Brief Review of Anti-Face Recognition

Measurement-driven Security Analysis of Imperceptible Impersonation Attacks

Light Can Hack Your Face! Black-box Backdoor Attack on Face Recognition Systems

A survey on face presentation attack detection mechanisms: hitherto and future perspectives