Skip to content

Latest commit

 

History

History
59 lines (48 loc) · 6.22 KB

threat-modeling.md

File metadata and controls

59 lines (48 loc) · 6.22 KB

Threat Model Analysis for davidsandberg/facenet

Threat: Presentation Attack (Photo/Video)

  • Description: An attacker presents a photograph, video recording, or replay attack (using a screen displaying a video) of a legitimate user's face to the camera. The attacker aims to impersonate the legitimate user.
    • Impact: Unauthorized access to the application and its resources, impersonation of the legitimate user, potential data breach or manipulation.
    • Affected Component: The entire facenet pipeline is affected, as it processes the input image and generates embeddings. Specifically, the lack of liveness detection in the core facenet library is the primary vulnerability.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Implement Liveness Detection: Integrate a separate, robust liveness detection library or service. This is the most crucial mitigation. Examples include:
        • Challenge-Response: Require the user to perform a specific action (blink, smile, turn head).
        • Depth Analysis: Use a depth-sensing camera (e.g., structured light, time-of-flight) to distinguish between a 2D image and a 3D face.
        • Texture Analysis: Analyze the texture of the skin to detect subtle differences between real skin and a mask or photograph.
        • Micro-Movement Analysis: Detect subtle, involuntary movements of the face.

Threat: Presentation Attack (3D Mask)

  • Description: An attacker uses a realistic 3D mask of a legitimate user's face to bypass the facial recognition system. This is a more sophisticated presentation attack than a simple photo.
    • Impact: Similar to photo/video presentation attacks: unauthorized access, impersonation, data breach/manipulation.
    • Affected Component: Same as photo/video attacks: the entire facenet pipeline, particularly its lack of inherent liveness detection.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Advanced Liveness Detection: Use liveness detection techniques specifically designed to detect 3D masks. This often involves depth analysis and texture analysis, potentially combined with other methods.

Threat: Adversarial Perturbation (Targeted Misclassification)

  • Description: An attacker crafts a slightly modified image of their own face. The modifications are imperceptible to humans but cause facenet to misclassify the attacker's face as that of a specific target user. This leverages vulnerabilities in the underlying machine learning model.
    • Impact: Targeted impersonation of a specific user, bypassing authentication and gaining unauthorized access.
    • Affected Component: The facenet model itself (the pre-trained or fine-tuned neural network) is the primary target. The embedding generation process (facenet.prewhiten, facenet.load_model, and the inference process) is exploited.
    • Risk Severity: High
    • Mitigation Strategies:
      • Adversarial Training: Train the facenet model (or a downstream classifier) with adversarial examples to make it more robust to these perturbations. This is a complex but effective mitigation.
      • Ensemble Methods: Use multiple models (potentially with different architectures or training data) and combine their predictions.

Threat: Model Poisoning (Backdoor)

  • Description: An attacker gains access to the training data used to train or fine-tune the facenet model. They introduce "poisoned" samples (images with subtle modifications or mislabeled data) that create a backdoor. This backdoor allows the attacker to be recognized as a specific user, or to cause misclassifications under specific conditions.
    • Impact: Complete compromise of the facial recognition system. The attacker can reliably bypass authentication or cause targeted misclassifications.
    • Affected Component: The facenet model itself (the trained neural network) is compromised. The training process and data are the attack vectors.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict Training Data Control: Implement rigorous access control and auditing for the training data.
      • Data Provenance: Track the origin and integrity of all training data.
      • Data Sanitization and Validation: Carefully inspect and validate all training data for anomalies or malicious modifications.
      • Anomaly Detection During Training: Monitor the training process for unusual behavior that might indicate poisoning.
      • Use Pre-trained Models from Trusted Sources: If possible, use pre-trained models from reputable sources and avoid retraining unless absolutely necessary and with extreme caution.
      • Differential Privacy during training: Use differential privacy techniques to limit the influence of single training sample.

Threat: Model Inversion Attack

  • Description: Given access to the embeddings generated by facenet, an attacker attempts to reconstruct a recognizable image of the original face.
    • Impact: Privacy violation; the attacker can potentially obtain images of enrolled users, which could then be used for presentation attacks or other malicious purposes.
    • Affected Component: The facenet model and the embedding generation process. The attacker exploits the information contained within the embeddings.
    • Risk Severity: High
    • Mitigation Strategies:
      • Treat Embeddings as Highly Sensitive Data: Implement strict access control, encryption at rest and in transit, and auditing.
      • Differential Privacy: Add noise to the embeddings during generation to make reconstruction more difficult. This trades off some accuracy for increased privacy.
      • Secure Multi-Party Computation (SMPC) or Homomorphic Encryption: If embeddings need to be shared or processed by multiple parties, consider using SMPC or homomorphic encryption to protect them.