DBBA: Diffusion-Based Backdoor Attacks on Open-Set Face Recognition Models
摘要
Deep neural network-based face recognition models are widely deployed in authentication systems but remain vulnerable to backdoor attacks. Existing methods face critical limitations: (1) label-poisoning attacks are easily detectable, while clean-label attacks often rely on adversarial perturbations that degrade image quality; (2) triggers lacking semantic information are conspicuous and impractical in physical settings; and (3) attacker-victim identity selection is often restricted, limiting applicability in open-set scenarios. To address these issues, we propose DBBA, a diffusion-based backdoor attack framework that operates under clean-label constraints in open-set face recognition. DBBA leverages the high-fidelity generative power of diffusion models and their multi-modal capabilities to synthesize visually plausible, semantically meaningful poisoned faces. By incorporating trigger optimization, a multi-objective loss, and an adaptive identity selection strategy, our method achieves a good balance between poisoning success and clean accuracy. Extensive experiments validate the stealth, effectiveness, and real-world applicability of DBBA, which can inspire and promote the security enhancement of the application of face recognition models in the future.