SecureGaze: Defending Gaze Estimation Against Backdoor Attacks

Lingyu Du, Yupei Liu, Jinyuan Jia, Guohao Lan

TL;DR

Gaze estimation systems are vulnerable to backdoor attacks, with continuous output spaces and globally activated backdoors differentiating them from classification tasks. SecureGaze introduces a trigger-reversal framework that leverages feature-space and output-space observations to identify backdoors without enumerating infinite gaze outputs, using a generative trigger model and a sensitivity-aware search. The approach demonstrates strong backdoor identification (over 92-94% accuracy) and effective mitigation across diverse digital and physical attacks, outperforming adapted classification defenses. The work highlights the need for domain-specific defenses in regression-based vision tasks and provides a practical offline pipeline for secure deployment.

Abstract

Gaze estimation models are widely used in applications such as driver attention monitoring and human-computer interaction. While many methods for gaze estimation exist, they rely heavily on data-hungry deep learning to achieve high performance. This reliance often forces practitioners to harvest training data from unverified public datasets, outsource model training, or rely on pre-trained models. However, such practices expose gaze estimation models to backdoor attacks. In such attacks, adversaries inject backdoor triggers by poisoning the training data, creating a backdoor vulnerability: the model performs normally with benign inputs, but produces manipulated gaze directions when a specific trigger is present. This compromises the security of many gaze-based applications, such as causing the model to fail in tracking the driver's attention. To date, there is no defense that addresses backdoor attacks on gaze estimation models. In response, we introduce SecureGaze, the first solution designed to protect gaze estimation models from such attacks. Unlike classification models, defending gaze estimation poses unique challenges due to its continuous output space and globally activated backdoor behavior. By identifying distinctive characteristics of backdoored gaze estimation models, we develop a novel and effective approach to reverse-engineer the trigger function for reliable backdoor detection. Extensive evaluations in both digital and physical worlds demonstrate that SecureGaze effectively counters a range of backdoor attacks and outperforms seven state-of-the-art defenses adapted from classification models.

Paper Structure

This paper contains 43 sections, 6 equations, 14 figures, 9 tables.

Figures (14)

  • Figure 1: Backdoor attacks on gaze estimation model. (a) The attacker injects triggers (e.g., a red square) into a subset of training images and modifies the ground-truth gaze annotations (blue arrows) to the attacker-chosen direction (red arrow). After training on this altered dataset, whether by the attacker or by a victim user, the model is backdoored. (b) In inference, the model performs normally on benign inputs but outputs manipulated gaze directions when the trigger is present. Although a simple red square is used as the example here, the backdoor trigger can be in the form of everyday accessories (e.g., glasses or face masks).
  • Figure 2: Effectiveness of backdoor attacks on gaze estimation models. (1) The backdoored models function normally with benign images, as implied by an average angular error on benign images (black bar) similar to that of the benign model. (2) The backdoored models output gaze directions that are close to the attacker-chosen gaze direction for poisoned images, as indicated by a smaller attack error on poisoned images (gray bar) than that of the benign model.
  • Figure 3: Examples of the physical trigger and synthesized digital triggers: (a) the subject wears a white tape on the face as the physical trigger; (b) the synthesized poisoned images with digital triggers embedded.
  • Figure 4: Setup for the physical world attack. (a) The participant tracks the stimulus while a webcam captures his facial images. (b) The stimulus appears at each corner of the screen in a clockwise order.
  • Figure 5: Gaze directions estimated by the backdoored model with and without the physical backdoor trigger in place.
  • ...and 9 more figures