pith. sign in

arxiv: 1906.09300 · v2 · pith:Q5JG5I5Dnew · submitted 2019-06-21 · 💻 cs.LG · cs.CV· eess.IV· stat.ML

Adversarial Examples to Fool Iris Recognition Systems

Sobhan Soleymani , Ali Dabouei , Jeremy Dawson , Nasser M. Nasrabadi This is my paper

Pith reviewed 2026-05-25 18:41 UTC · model grok-4.3

classification 💻 cs.LG cs.CVeess.IVstat.ML
keywords adversarial examplesiris recognitionauto-encoder surrogateiterative gradient sign methodwhite-box attackblack-box attackbiometric securitytargeted attack
0
0 comments X

The pith

Iris recognition systems are vulnerable to adversarial examples generated through a surrogate auto-encoder.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that code-based iris recognition cannot support direct back-propagation for creating adversarial examples because its filter bank feature extraction is not differentiable. To solve this, the authors train a deep auto-encoder to act as a surrogate that reproduces the iris code output from input images. Once trained, the surrogate permits the iterative gradient sign method to craft small perturbations that mislead the recognition process. The work evaluates both non-targeted attacks that simply increase code distance and targeted attacks that force a specific output code, and it tests these in white-box and black-box transfer settings. A reader would care because successful attacks would show that standard iris biometrics can be defeated without large visible changes to the input image.

Core claim

By training a deep auto-encoder surrogate network to mimic the conventional filter bank-based iris code generation procedure, adversarial examples can be generated using the iterative gradient sign method algorithm, allowing both non-targeted and targeted attacks to fool iris recognition systems in white-box and black-box frameworks.

What carries the argument

A deep auto-encoder surrogate network trained to replicate iris code generation, which supplies the differentiable mapping needed to back-propagate the adversarial loss through the iterative gradient sign method.

If this is right

  • Non-targeted attacks succeed by maximizing the distance between the original iris code and the code produced from the perturbed image.
  • Targeted attacks succeed by minimizing the distance to a chosen target iris code.
  • White-box attacks apply the iterative gradient sign method directly on the surrogate model.
  • Black-box attacks rely on the transfer of the generated perturbations from the surrogate to the deployed iris recognition system.
  • Both attack types demonstrate that small input perturbations can cause misrecognition in code-based iris systems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same surrogate-model strategy could expose vulnerabilities in other biometric pipelines whose feature extractors are non-differentiable.
  • Black-box transfer success implies that an attacker need not know the exact parameters of a deployed iris system to mount an effective attack.
  • Robustness testing for iris systems may need to include surrogate-based adversarial training to anticipate such transferred attacks.
  • The result links standard adversarial-example techniques to the security of traditional non-neural biometric matching pipelines.

Load-bearing premise

The trained deep auto-encoder surrogate must accurately reproduce the output of the conventional filter bank iris code procedure so that gradients computed on the surrogate remain useful on the real system.

What would settle it

A direct test in which adversarial images produced by the surrogate fail to change the iris codes or recognition decisions of the actual filter-bank system would show the approach does not transfer.

Figures

Figures reproduced from arXiv: 1906.09300 by Ali Dabouei, Jeremy Dawson, Nasser M. Nasrabadi, Sobhan Soleymani.

Figure 1
Figure 1. Figure 1: (a) Normalized iris image, (b) normalized mask, [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Iris code generation: The normalized iris image and the normalized mask are concatenated in depth as the input to [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Iris adversarial example generation network: (a) The conventional iris-code algorithm is utilized to generate the [PITH_FULL_IMAGE:figures/full_fig_p004_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: (a) The benign example. Adversarial examples and normalized to [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗
read the original abstract

Adversarial examples have recently proven to be able to fool deep learning methods by adding carefully crafted small perturbation to the input space image. In this paper, we study the possibility of generating adversarial examples for code-based iris recognition systems. Since generating adversarial examples requires back-propagation of the adversarial loss, conventional filter bank-based iris-code generation frameworks cannot be employed in such a setup. Therefore, to compensate for this shortcoming, we propose to train a deep auto-encoder surrogate network to mimic the conventional iris code generation procedure. This trained surrogate network is then deployed to generate the adversarial examples using the iterative gradient sign method algorithm. We consider non-targeted and targeted attacks through three attack scenarios. Considering these attacks, we study the possibility of fooling an iris recognition system in white-box and black-box frameworks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper proposes training a deep auto-encoder as a differentiable surrogate to mimic the non-differentiable Gabor filter-bank iris-code extraction process. This surrogate is then used with the iterative gradient sign method (IGSM) to craft adversarial perturbations for both non-targeted and targeted attacks against iris recognition systems, evaluated in white-box and black-box settings.

Significance. If the surrogate is shown to faithfully reproduce iris codes (e.g., via bit-agreement or Hamming-distance metrics), the work would usefully extend adversarial-example techniques to a non-differentiable biometric pipeline and provide concrete evidence of vulnerability in iris systems. The absence of any such fidelity quantification or attack-success numbers in the manuscript, however, leaves the practical impact undetermined.

major comments (2)
  1. [Abstract / method description] Abstract and method description: the central claim rests on the trained auto-encoder producing iris codes whose gradients, when used in IGSM, also fool the conventional filter-bank matcher. No bit-agreement rate, Hamming-distance distribution, or reconstruction-error metric between surrogate outputs and real iris codes is reported, nor is any training protocol for enforcing such fidelity described. Without this check the computed gradients may be irrelevant to the target system.
  2. [Abstract / experimental section] Attack evaluation: the manuscript states that white-box and black-box attacks are studied but supplies no success rates, datasets, number of trials, or comparison against the original non-surrogate matcher. This omission makes it impossible to assess whether the surrogate-based IGSM actually transfers.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive comments. The points raised regarding the surrogate model's fidelity and the quantitative attack evaluation are valid and will be addressed through revisions to strengthen the manuscript.

read point-by-point responses

  1. Referee: [Abstract / method description] Abstract and method description: the central claim rests on the trained auto-encoder producing iris codes whose gradients, when used in IGSM, also fool the conventional filter-bank matcher. No bit-agreement rate, Hamming-distance distribution, or reconstruction-error metric between surrogate outputs and real iris codes is reported, nor is any training protocol for enforcing such fidelity described. Without this check the computed gradients may be irrelevant to the target system.

    Authors: We agree that explicit quantification of the surrogate auto-encoder's fidelity is necessary to support the central claim. In the revised manuscript we will report bit-agreement rates, Hamming-distance distributions, and reconstruction-error metrics between the surrogate outputs and the conventional Gabor filter-bank iris codes. We will also expand the method section to describe the training protocol and loss terms used to enforce fidelity. revision: yes

  2. Referee: [Abstract / experimental section] Attack evaluation: the manuscript states that white-box and black-box attacks are studied but supplies no success rates, datasets, number of trials, or comparison against the original non-surrogate matcher. This omission makes it impossible to assess whether the surrogate-based IGSM actually transfers.

    Authors: We acknowledge the absence of these quantitative details in the current version. The revised experimental section will include attack success rates for non-targeted and targeted attacks in both white-box and black-box settings, specify the datasets and number of trials, and provide direct comparisons against the original non-surrogate iris-code matcher to demonstrate transferability. revision: yes

Circularity Check

0 steps flagged

No circularity in derivation chain

full rationale

The paper trains a surrogate auto-encoder to approximate conventional iris-code extraction and then applies the standard iterative gradient sign method for adversarial perturbations in white-box and black-box settings. No equation or step reduces by construction to a fitted quantity defined by the paper itself, no self-citation is load-bearing for a uniqueness claim, and no ansatz is smuggled via prior work. The central method is a direct application of known surrogate-model and gradient-based attack techniques to a new domain, remaining self-contained without circular reduction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central premise is that a learned surrogate can stand in for a non-differentiable conventional iris-code generator; no free parameters or invented entities are mentioned.

axioms (1)
  • domain assumption A deep auto-encoder can be trained to mimic the conventional iris code generation procedure sufficiently well for adversarial attack generation.
    This assumption is required to allow back-propagation through the surrogate for the iterative gradient sign method.

pith-pipeline@v0.9.0 · 5676 in / 1218 out tokens · 27824 ms · 2026-05-25T18:41:45.285594+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

32 extracted references · 32 canonical work pages · 2 internal anchors

  1. [1]

    Biocop database, http://biic.wvu.edu/

    work page

  2. [2]

    S. E. Baker, A. Hentz, K. W. Bowyer, and P. J. Flynn. Degra- dation of iris recognition performance due to non-cosmetic prescription contact lenses. Computer Vision and Image Un- derstanding, 114(9):1030–1044, 2010

    work page 2010

  3. [3]

    Bruna, C

    J. Bruna, C. Szegedy, I. Sutskever, I. Goodfellow, W. Zaremba, R. Fergus, and D. Erhan. Intriguing properties of neural networks. International Conference on Learning Representations, 2014

    work page 2014

  4. [4]

    Carlini and D

    N. Carlini and D. Wagner. Adversarial examples are not eas- ily detected: Bypassing ten detection methods. In Proceed- ings of the 10th ACM Workshop on Artificial Intelligence and Security, pages 3–14. ACM, 2017

    work page 2017

  5. [5]

    Crihalmeanu, A

    S. Crihalmeanu, A. Ross, S. Schuckers, and L. Hornak. A protocol for multibiometric data acquisition, storage and dis- semination. Technical Report, WVU, Lane Department of Computer Science and Electrical Engineering, 2007

    work page 2007

  6. [6]

    Czajka and K

    A. Czajka and K. W. Bowyer. Presentation attack detection for iris recognition: An assessment of the state of the art. ACM Computing Surveys, 2018

    work page 2018

  7. [7]

    Dabouei, S

    A. Dabouei, S. Soleymani, J. Dawson, and N. Nasrabadi. Fast geometrically-perturbed adversarial faces. InIEEE Win- ter Conference on Applications of Computer Vision , pages 1979–1988, 2019

    work page 1979

  8. [8]

    J. Daugman. How iris recognition works. In The essential guide to image processing, pages 715–739. 2009

    work page 2009

  9. [9]

    J. Daugman. Information theory and the iriscode. IEEE Trans. Inform. Forensics and Security, 11(2):400–409, 2016

    work page 2016

  10. [10]

    Galbally, A

    J. Galbally, A. Ross, M. Gomez-Barrero, J. Fierrez, and J. Ortega-Garcia. Iris image reconstruction from binary tem- plates: An efficient probabilistic approach based on genetic algorithms. Computer Vision and Image Understanding , 117(10):1512–1525, 2013

    work page 2013

  11. [11]

    L. He, H. Li, F. Liu, N. Liu, Z. Sun, and Z. He. Multi-patch convolution neural network for iris liveness detection. In Biometrics Theory, Applications and Systems (BTAS), 2016 IEEE 8th International Conference on, pages 1–7, 2016

    work page 2016

  12. [12]

    K. P. Hollingsworth, K. W. Bowyer, and P. J. Flynn. The best bits in an iris code. IEEE Transactions on Pattern Analysis and Machine Intelligence, 31(6):964–973, 2009

    work page 2009

  13. [13]

    D. P. Kingma and J. Ba. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  14. [14]

    Krichen, A

    E. Krichen, A. Mellakh, S. Salicetti, and B. Dorizzi. Osiris (open source for iris) reference system. BioSecure Project, 2008

    work page 2008

  15. [15]

    Kurakin, I

    A. Kurakin, I. Goodfellow, and S. Bengio. Adversarial ex- amples in the physical world. International Conference on Learning Representations-Workshop, 2017

    work page 2017

  16. [16]

    Masek and P

    L. Masek and P. Kovesi. Matlab source code for a biometric identification system based on iris patterns. 2003

    work page 2003

  17. [17]

    Pacut and A

    A. Pacut and A. Czajka. Aliveness detection for iris biomet- rics. In 40th Annual IEEE International Carnahan Confer- ences Security Technology, pages 122–129, 2006

    work page 2006

  18. [18]

    Papernot, P

    N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, and A. Swami. The limitations of deep learning in adversar- ial settings. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pages 372–387, 2016

    work page 2016

  19. [19]

    Papernot, P

    N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami. Distillation as a defense to adversarial perturbations against deep neural networks. In 2016 IEEE Symposium on Security and Privacy (SP), pages 582–597, 2016

    work page 2016

  20. [20]

    Raghavendra and C

    R. Raghavendra and C. Busch. Presentation attack detection algorithm for face and iris biometrics. In Signal Process- ing Conference (EUSIPCO), 2014 Proceedings of the 22nd European, pages 1387–1391, 2014

    work page 2014

  21. [21]

    Raghavendra and C

    R. Raghavendra and C. Busch. Robust scheme for iris pre- sentation attack detection using multiscale binarized statisti- cal image features.IEEE Transactions on Information Foren- sics and Security, 10(4):703–715, 2015

    work page 2015

  22. [22]

    Rathgeb and C

    C. Rathgeb and C. Busch. On the feasibility of creating mor- phed iris-codes. In 2017 IEEE International Joint Confer- ence on Biometrics (IJCB), pages 152–157, 2017

    work page 2017

  23. [23]

    Ronneberger, P

    O. Ronneberger, P. Fischer, and T. Brox. U-net: Convo- lutional networks for biomedical image segmentation. In International Conference on Medical image computing and computer-assisted intervention, pages 234–241, 2015

    work page 2015

  24. [24]

    Rozsa, E

    A. Rozsa, E. M. Rudd, and T. E. Boult. Adversarial di- versity and hard positive generation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recogni- tion Workshops, pages 25–32, 2016

    work page 2016

  25. [25]

    Prosodic-Enhanced Siamese Convolutional Neural Networks for Cross-Device Text-Independent Speaker Verification

    S. Soleymani, A. Dabouei, S. M. Iranmanesh, H. Kazemi, J. Dawson, and N. M. Nasrabadi. Prosodic-enhanced siamese convolutional neural networks for cross-device text-independent speaker verification. arXiv preprint arXiv:1808.01026, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  26. [26]

    Soleymani, A

    S. Soleymani, A. Dabouei, H. Kazemi, J. Dawson, and N. M. Nasrabadi. Multi-level feature abstraction from convolu- tional neural networks for multimodal biometric identifica- tion. In 24th International Conference on Pattern Recogni- tion (ICPR), pages 3469–3476, 2018

    work page 2018

  27. [27]

    Soleymani, A

    S. Soleymani, A. Torfi, J. Dawson, and N. M. Nasrabadi. Generalized bilinear deep convolutional neural networks for multimodal biometric identification. In 25th IEEE Inter- national Conference on Image Processing , pages 763–767, 2018

    work page 2018

  28. [28]

    Szegedy, W

    C. Szegedy, W. Liu, Y . Jia, P. Sermanet, S. Reed, D. Anguelov, D. Erhan, V . Vanhoucke, and A. Rabinovich. Going deeper with convolutions. In Proceedings of the IEEE conference on computer vision and pattern recogni- tion, pages 1–9, 2015

    work page 2015

  29. [29]

    Szegedy, W

    C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. arXiv preprint, 2013

    work page 2013

  30. [30]

    Szewczyk, K

    R. Szewczyk, K. Grabowski, M. Napieralska, W. Sankowski, M. Zubert, and A. Napieralski. A reliable iris recognition algorithm based on reverse biorthogonal wavelet transform. Pattern Recognition Letters, 33(8):1019–1026, 2012

    work page 2012

  31. [31]

    Tram `er, F

    F. Tram `er, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Stealing machine learning models via prediction apis. 2016

    work page 2016

  32. [32]

    Venugopalan and M

    S. Venugopalan and M. Savvides. How to generate spoofed irises from an iris code template. IEEE Transactions on In- formation Forensics and Security, 6(2):385–395, 2011

    work page 2011