Researchers from Israel have developed a neural network that can be used to bypass authentication systems based on biometric face recognition on a large scale. Artificial intelligence (AI) is able to generate “master” faces. These are comparatively average-looking facial images that can embody multiple identities and thus function as a universal key for the tricked systems.
Covering the majority of the population with nine faces
Scientists from the Blavatnik School of Computer Science and the School of Electrical Engineering in Tel Aviv have made their findings about the “Master Faces” and the attacks on biometric recognition techniques made possible by them published on the preprint server Arxiv. Other experts have apparently not yet examined the paper.
The work suggests that it is possible to generate such “master keys” for more than 40 percent of the population with only nine faces. The researchers did it with the Generative Adversarial Network StyleGAN synthesized using three leading facial recognition systems. In a GAN, one system tries, according to the program, to wipe out the other, while the latter should not be duped if possible. Attackers usually simulate optical illusions for the detection technology: Minimal changes that the human eye does not even notice create a completely new meaning for an AI.
When testing their StyleGAN-based system, the scientists found that a single face generated in this way could account for 20 percent of all identities in the open source database “Labeled Faces in the Wild” (LFW) from the University of Massachusetts. This is an archive that is used for developing facial recognition systems. In this case it served as a reference database for the Israeli system.
Universal facial features created
The new method improves according to one Report from the specialist portal Unite.ai the results of a similar, recently published study by the University of Siena. However, this still required privileged access to the machine learning system. In contrast, the new method derives generalized features from publicly available material and uses them to create the largely universal facial features.
The Israeli researchers are initially using StyleGAN as part of a black box optimization method that focuses on high-dimensional data. The aim is to find the most comprehensive and generalized facial features that will suffice for an authentication system.
The scientists repeated this process again and again in order to record identities that were not encoded in the first run. Under various test conditions, they found that it was possible to achieve an authentication of 40 to 60 percent with just nine generated images.
The system uses the evolutionary algorithm LM-MA-EScoupled to a neural prediction tool. This estimates the probability with which the current “candidate” for a model face has more general features than the competitors from previous rounds.
“Face-based authentication extremely vulnerable”
In order to find out which faces are the best candidates for cross-identity authentication, the experts needed an additional component. They therefore developed a neural indicator to filter out the most suitable faces for the task from the flood of candidates. To check the results, the researchers tested them with the face descriptors SphereFace, FaceNet and Dlib. They trained all three algorithms with 26,400 calls to the “fitness function”.
Ultimately, the scientists found that a special Dlib approach outperformed the other algorithms. With this, nine master faces could be created, which could decode 42 to 64 percent of the test data set. The inclusion of this procedure in the system improved the results again slightly.
The team concludes that “face-based authentication is extremely vulnerable even in the absence of information about the target’s identity”. It sees its initiative as a valid approach to a methodology for bypassing the security of popular facial recognition systems. Hackers from the Chaos Computer Club (CCC) had previously shown that dummies could also be used to crack automated iris recognition.