Deep neural network-based face recognition models are widely deployed in authentication systems but remain vulnerable to backdoor attacks. Existing methods face critical limitations: (1) label-poisoning attacks are easily detectable, while clean-label attacks often rely on adversarial perturbations that degrade image quality; (2) triggers lacking semantic information are conspicuous and impractical in physical settings; and (3) attacker-victim identity selection is often restricted, limiting applicability in open-set scenarios. To address these issues, we propose DBBA, a diffusion-based backdoor attack framework that operates under clean-label constraints in open-set face recognition. DBBA leverages the high-fidelity generative power of diffusion models and their multi-modal capabilities to synthesize visually plausible, semantically meaningful poisoned faces. By incorporating trigger optimization, a multi-objective loss, and an adaptive identity selection strategy, our method achieves a good balance between poisoning success and clean accuracy. Extensive experiments validate the stealth, effectiveness, and real-world applicability of DBBA, which can inspire and promote the security enhancement of the application of face recognition models in the future.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

DBBA: Diffusion-Based Backdoor Attacks on Open-Set Face Recognition Models

  • Fuqi Qi,
  • Haichang Gao,
  • Boling Li,
  • Guangyu He,
  • Yuhong Zhang,
  • Jiacheng Luo

摘要

Deep neural network-based face recognition models are widely deployed in authentication systems but remain vulnerable to backdoor attacks. Existing methods face critical limitations: (1) label-poisoning attacks are easily detectable, while clean-label attacks often rely on adversarial perturbations that degrade image quality; (2) triggers lacking semantic information are conspicuous and impractical in physical settings; and (3) attacker-victim identity selection is often restricted, limiting applicability in open-set scenarios. To address these issues, we propose DBBA, a diffusion-based backdoor attack framework that operates under clean-label constraints in open-set face recognition. DBBA leverages the high-fidelity generative power of diffusion models and their multi-modal capabilities to synthesize visually plausible, semantically meaningful poisoned faces. By incorporating trigger optimization, a multi-objective loss, and an adaptive identity selection strategy, our method achieves a good balance between poisoning success and clean accuracy. Extensive experiments validate the stealth, effectiveness, and real-world applicability of DBBA, which can inspire and promote the security enhancement of the application of face recognition models in the future.