On the current research:

Facial authentication is becoming very prominent on personal devices. Due to the ease of use, it has great potential to be widely deployed for web-service authentication in the near future. We seek to explore the possible negative results that could arise from a novel data poisoning attack called replacement data poisoning attack. Our replacement data poisoning attack can be performed via a man-in-the-middle attack when a user signs up for a web service that uses facial authentication. Our attack replaces some of the photos sent to the facial authentication server with photos of the adversary. This allows the adversary to log into the web service as the authentic user. Our attack proved to be over 90% effective when the attacker poisons half of the user’s data being sent to the web service. We then developed a defense against this attack named DEFEAT (Deep-neural-network and Embedded FEAture-based deTector). Our DEFEAT architecture consists of two phases. The first phase is primarily a DNN that accepts two feature vectors from the facial authentication CNN. The DNN outputs the probability that the two feature vectors belong to two separate people, the genuine user and the adversary. In this phase, we also include a number of statistical measurements. We feed this data to the second phase, which consists of a KNN-based classifier. The final output tells the facial authentication service if the user is infected or safe. With the increase of facial recognition in smart phones and other devices, we believe that additional protections need to be in place to protect the end user from harm. Recently, there has been a large increase in cyber attacks, such as ransomware. We seek to decrease the number of attacks by protecting the end user from malicious access to their accounts.

 

On addressing the research challenge:

Figure 1: Diagram of the end to end classification process. 

 

We used FaceNet as our facial authentication system, however, our techniques could be applied to other facial authentication systems as well. FaceNet consists of a convolutional neural network that outputs a 128 dimensional feature vector. This feature vector is then fed into a secondary classifier, such as a SVM, for final classification. We use the 128 dimensional feature vector as input to our discriminator. For each user, we calculated four statistical measurements using their 128 dimensional feature vectors generated by FaceNet using the images they sent to the facial authentication system. The first measurement was the maximum internal difference between embeddings. The second measurement was the minimum external difference between a feature vector of this user and any other user. The third was the mean (average) internal distance between feature vectors of the user. The fourth was the Shannon entropy of the user’s set of feature vectors. At the same time, we fed each possible permutation of two feature vectors for a user to our DNN. Our DNN then outputs the probability that one feature vector belonged to the genuine user and the other feature vector belonged to the attacker. We calculated a number of statistics from this data, including the mean, median, range, and standard deviation of probabilities. All of these statistics are given as input to our second phase of our discriminator, the KNN-based classifier. This classifier then outputs if the user is infected or pristine, i.e. was not attacked.

 

On testbed needs: 

I really appreciated the option to save our data for future experiments on Chameleon. If we didn’t need hardware for a period of time, we could easily save our experiments and reload them at a later time. We store both images and feature vectors generated from deep neural networks on Chameleon, which are several terabytes. VMs are easy to use. Without Chameleon, our experiments would not be possible because we have limited access to our university’s clusters as they would charge a lot for extensive usage. 

  

On the authors:

   Dalton Cole (PhD)                              Sara Newman (PhD)                    Dan Lin (Associate Professor)

The first author Dalton Cole attended the University of Missouri - Columbia (Mizzou). He recently defended his dissertation and began working at Sandia National Labs in the Fall. Dalton is interested in machine learning and cyber security. He is also interested in solving programming problems in general. As an undergrad and partially as a graduate student, he competed in programming competitions. In graduate school, all of his research has been geared towards machine learning and securing something, from programming languages to facial recognition systems. His hobbies include rock climbing, long distance running, and watching anime. He’s quarantining with his grandparents, who don’t make him pay rent. :)

 

Sara Newman received her Bachelor’s degree in Computer Science at Missouri University of Science and Technology and is currently pursuing her PhD in Computer Science at University of Missouri - Columbia. Her research interests include the robustness of, and various adversarial attacks against, deep neural networks, particularly in the context of image classification.

 

Dan Lin received a PhD degree in Computer Science from National University of Singapore in 2007, and was a postdoctoral research associate at Purdue University for two years. She is currently an associate professor and Director of I-Privacy Lab at University of Missouri. Her research interests cover many areas in the fields of information security and artificial intelligence. She is an IEEE senior member.

 

On staying motivated through a long research project:

The nice thing about research projects is that there is a goal in mind. You know where it will end or at the very least, where the next step will be.

 

On career challenges and overcoming them: 

Dalton Cole: “At my first graduate school, I was working under a professor. I did not enjoy his research area and he did not like my research interests. For many years, I tried to make it work out, but in the end, it didn’t. Finally, I decided to switch schools and I found my current advisor Dr. Dan Lin. I knew our research interests aligned and now I’ve successfully defended my dissertation. I had to accept failure before moving onto success.”

 

On their most powerful piece of advice:

Don’t be afraid of failure. Sometimes things just don’t work out and you shouldn’t try to force it to succeed. Giving up and moving onto the next thing will save you a lot of time in the end.

 

Interested readers can explore the following resources for more information: 

Our paper has been published. Here is a link to the IEEE posting: https://ieeexplore.ieee.org/abstract/document/9382920/

The lab homepage is available here: https://lindan.mufaculty.umsystem.edu/home/i-privacy-lab

And a link to the posting on my advisor’s website: http://faculty.missouri.edu/lindan/papers/attack_face_authentication.pdf