Privacy Concerns and Security Threats Surrounding Biometrics Systems
Vishnu Boddeti
IJCB Tutorial
September 15, 2024
Deep learning improves biometric recognition
However, it introduces new challenges
Privacy and Security in the context of biometric recognition
Privacy and security are mentioned interchangeably despite their differences...
Assuming access, what sensitive information can be learned?
How to gain access to sensitive assets?
There is no privacy without security
What are the privacy and security risks in the adoption of DL?
From Template inversion attack to Replay and Presentation attack
Template inversion attack on High resolution image
High resolution image reconstruction [SM23]
Template inversion attack on low resolution images
Low resolution image reconstruction [SHM24]
Template inversion attack enables Presentation attack
Presentation attack via digital replay and printed photograph
Presentation attack via printed photograph
Presentation attack via digital replay
Performance of GaFar+GC on ArcFace-trained FR systems
Template recovery attack and its consequences
What can SP learn from leaked comparison scores?
Template Recovery reduced to a simple optimization problem
- Optimization Problem
- Given $k$ fake templates $\{f_i\}_{i\in [1,k]}$, that are normalized $d$-dim vectors sampled at random, and their corresponding scores $s_i$ w.r.t. the same target $T$, find the recovered template $\hat{T}$ such that $\hat{T}^{\intercal} \cdot \hat{T} = 1$.
- $\hat{T}$ is recovered from the following minimization:
$$\underset{\hat{T}^{\intercal} \cdot \hat{T} = 1}{\operatorname{min}} \hat{T}^{\intercal} \cdot F - S$$
- Solution
Evaluation of the score distribution using recovered Templates
Evaluation of Attack Success Rate
$\mathrm{SR}(\theta, k) = \frac{\left|\{\theta \leq \mathrm{IP}(\tilde{x}_{\mathrm{rec}},y_{\mathrm{org}})\}\right|}{\left|\{\theta \leq \mathrm{IP}(x_{\mathrm{org}},y_{\mathrm{org}})\}\right|}$
Stricter thresholds lead to lower attack success rates.
How much knowledge does an attacker need for a successful bypass?
An attacker needs only between $75$ and $177$ fake templates to recover a $512$-dim target vector.
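To make concrete why leaked comparison scores have to be protected like the templates themselves, the following added example (not code from the tutorial or the cited papers) simulates the optimization above on constructed random vectors and measures how close the recovered template gets to the target as $k$ grows. Assumptions: $F$ is read as the matrix of fake templates and $S$ as the vector of scores, the objective is taken as the squared residual, the unit-norm constraint is handled by solving unconstrained least squares and then normalizing, a small ridge term keeps the system solvable when $k < d$, and a toy dimension $d = 32$ replaces the $512$ of the slides.

```python
import math
import random

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def solve(M, b):
    """Gaussian elimination with partial pivoting for M x = b."""
    n = len(b)
    A = [row[:] + [b[i]] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            for j in range(c, n + 1):
                A[r][j] -= f * A[c][j]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (A[r][n] - sum(A[r][j] * x[j] for j in range(r + 1, n))) / A[r][r]
    return x

def recover_template(fakes, scores, ridge=1e-9):
    """Least-squares fit to the leaked scores, then projection onto the unit sphere."""
    d = len(fakes[0])
    # Normal equations (F F^T + ridge*I) T_hat = F S. The ridge term is an
    # assumption of this example; it keeps the system solvable when k < d.
    M = [[sum(f[i] * f[j] for f in fakes) + (ridge if i == j else 0.0)
          for j in range(d)] for i in range(d)]
    rhs = [sum(f[i] * s for f, s in zip(fakes, scores)) for i in range(d)]
    return unit(solve(M, rhs))

def simulate(d, k, seed=0):
    """Cosine similarity between a constructed target and its recovery from k scores."""
    rng = random.Random(seed)
    target = unit([rng.gauss(0, 1) for _ in range(d)])           # constructed target T
    fakes = [unit([rng.gauss(0, 1) for _ in range(d)]) for _ in range(k)]
    scores = [dot(f, target) for f in fakes]                     # the leaked scores s_i
    return dot(recover_template(fakes, scores), target)

if __name__ == "__main__":
    for k in (8, 16, 24, 32, 48):
        print(f"d=32 k={k:2d} cosine(T_hat, T) = {simulate(32, k):.4f}")
```

With $k \geq d$ exact scores the recovery is essentially perfect; with fewer queries the recovered vector is only partly aligned with the target, which is the quantity a decision threshold $\theta$ is then compared against.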
Evaluation of Image Reconstruction of the recovered templates
Takeaways of this part
- Cost-effective attacks
- Drastic privacy and security implications
- Lack of privacy and security controls leads to biometric leakage
- Mitigation of template inversion attack and template recovery
- Protection of templates and scores