Giuseppe Garofalo
Exploring poisoning attacks against a face recognition system.
Supervisor: Silvia Anna Chiusano. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2018
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract: | Face recognition systems are being widely adopted today as identification tools. The main reason for this trend is the rise of machine learning algorithms, which allow for efficient and usable authenticators. However, intelligent adversaries may target these algorithms, and prior works have underlined the effectiveness of such attacks. One example is the poisoning of the training set, where the attacker changes the input on which the model re-trains to modify the learned function. In this work, we apply an existing poisoning attack against an authentication system based on a state-of-the-art face recognition technique. In particular, we target an SVM classifier which extends a deep neural network for feature extraction. Moreover, we present a novel reverse mapping technique to craft a real-world image starting from a feature vector. Our attack shows a drop in the accuracy of ~45% by just adding one sample to the training set. This work underlines that poisoning poses a real threat to face authenticators and that security vulnerabilities should be considered when designing such systems. |
---|---|
Supervisors: | Silvia Anna Chiusano |
Academic year: | 2018/19 |
Publication type: | Electronic |
Number of pages: | 71 |
Subjects: | |
Degree programme: | Master's degree programme in Computer Engineering (Ingegneria Informatica) |
Degree class: | New organization > Master's degree > LM-32 - COMPUTER ENGINEERING |
Joint supervision institution: | KUL - Katholieke Universiteit Leuven (BELGIUM) |
Collaborating companies: | NOT SPECIFIED |
URI: | http://webthesis.biblio.polito.it/id/eprint/8486 |