Trembling triggers: exploring the sensitivity of backdoors in DNN-based face recognition
EURASIP Journal on Information Security, Pub Date: 2020-06-23, DOI: 10.1186/s13635-020-00104-z
Cecilia Pasquini, Rainer Böhme

Backdoor attacks against supervised machine learning methods seek to modify the training samples in such a way that, at inference time, the presence of a specific pattern (trigger) in the input data causes misclassifications to a target class chosen by the adversary. Successful backdoor attacks have been presented in particular for face recognition systems based on deep neural networks (DNNs). These attacks were evaluated for identical triggers at training and inference time. However, the vulnerability to backdoor attacks in practice crucially depends on the sensitivity of the backdoored classifier to approximate trigger inputs. To assess this, we study the response of a backdoored DNN for face recognition to trigger signals that have been transformed with typical image processing operators of varying strength. Results for different kinds of geometric and color transformations suggest that in particular geometric misplacements and partial occlusions of the trigger limit the effectiveness of the backdoor attacks considered. Moreover, our analysis reveals that the spatial interaction of the trigger with the subject’s face affects the success of the attack. Experiments with physical triggers inserted in live acquisitions validate the observed response of the DNN when triggers are inserted digitally.

Updated: 2020-06-23