A Master Key backdoor for universal impersonation attack against DNN-based face verification
Pattern Recognition Letters (IF 3.9), Pub Date: 2021-01-14, DOI: 10.1016/j.patrec.2021.01.009
Wei Guo, Benedetta Tondi, Mauro Barni

We introduce a new attack against face verification systems based on Deep Neural Networks (DNN). The attack relies on the introduction into the network of a hidden backdoor, whose activation at test time induces a verification error allowing the attacker to impersonate any user. The new attack, named Master Key backdoor attack, operates by interfering with the training phase, so as to instruct the DNN to always output a positive verification answer when the face of the attacker is presented at its input. With respect to existing attacks, the new backdoor attack offers much more flexibility, since the attacker does not need to know the identity of the victim beforehand. In this way, he can deploy a Universal Impersonation attack in an open-set framework, allowing him to impersonate any enrolled user, even those that were not yet enrolled in the system when the attack was conceived. We present a practical implementation of the attack targeting a Siamese-DNN face verification system, and show its effectiveness when the system is trained on the VGGFace2 dataset and tested on the LFW and YTF datasets. According to our experiments, the Master Key backdoor attack provides a high attack success rate even when the ratio of poisoned training data is as small as 0.01, thus raising a new alarm regarding the use of DNN-based face verification systems in security-critical applications.




Updated: 2021-02-01