English

Identifying Physically Realizable Triggers for Backdoored Face Recognition Networks

Computer Vision and Pattern Recognition 2025-06-25 v1 Cryptography and Security Machine Learning

Abstract

Backdoor attacks embed a hidden functionality into deep neural networks, causing the network to display anomalous behavior when activated by a predetermined pattern in the input Trigger, while behaving well otherwise on public test data. Recent works have shown that backdoored face recognition (FR) systems can respond to natural-looking triggers like a particular pair of sunglasses. Such attacks pose a serious threat to the applicability of FR systems in high-security applications. We propose a novel technique to (1) detect whether an FR network is compromised with a natural, physically realizable trigger, and (2) identify such triggers given a compromised network. We demonstrate the effectiveness of our methods with a compromised FR network, where we are able to identify the trigger (e.g., green sunglasses or red hat) with a top-5 accuracy of 74%, whereas a naive brute force baseline achieves 56% accuracy.

Keywords

Cite

@article{arxiv.2506.19533,
  title  = {Identifying Physically Realizable Triggers for Backdoored Face Recognition Networks},
  author = {Ankita Raj and Ambar Pal and Chetan Arora},
  journal= {arXiv preprint arXiv:2506.19533},
  year   = {2025}
}

Comments

Accepted to ICIP 2021

R2 v1 2026-07-01T03:31:28.527Z