Variance Dichotomy in Feature Spaces of Facial Recognition Systems is a Weak Defense against Simple Weight Manipulation Attacks

Published: 02 Jul 2025, Last Modified: 02 Jul 2025. Accepted by TMLR. License: CC BY 4.0
Abstract: We show that several leading pretrained facial recognition systems exhibit a variance dichotomy in their feature space. In other words, the feature vectors approximately lie in a lower-dimensional linear subspace. We demonstrate that this variance dichotomy degrades the performance of an otherwise powerful scheme for anonymity/unlinkability and confusion attacks on facial recognition systems devised by Zehavi et al. (2024), which is based on simple weight manipulations in only the last hidden layer. Lastly, we propose a method for the attacker to overcome this intrinsic defense of these pretrained facial recognition systems.
Submission Length: Regular submission (no more than 12 pages of main content)
Changes Since Last Submission: We have changed the colour of the line in figure 1 to improve clarity, added an acknowledgements section and changed to the camera-ready version. We have also removed the normalization by standard deviation across components when computing the covariance matrix. This has a negligible effect on the resulting explained variances and all key conclusions are unaffected by this change.
Video: https://www.youtube.com/watch?v=DF_RjKacRms
Supplementary Material: zip
Assigned Action Editor: ~Sanghyun_Hong1
Submission Number: 4369