ShieldNet: A Novel Adversarially Resilient Convolutional Neural Network for Robust Image Classification
Manzoor A.; Fargetta G.; Ortis A.; Battiato S.
2026-01-01
Abstract
The proliferation of biometric authentication systems in critical security applications has highlighted the urgent need for robust defense mechanisms against sophisticated adversarial attacks. This paper presents ShieldNet, an adversarially resilient Convolutional Neural Network (CNN) framework specifically designed for secure iris biometric authentication. Unlike existing approaches that apply adversarial training or gradient regularization independently, ShieldNet introduces a synergistic dual-layer defense framework featuring three key components: (1) an attack-aware adaptive weighting mechanism that dynamically balances defense priorities across multiple attack types, (2) a smoothness-regularized gradient penalty formulation that maintains differentiable gradients while encouraging locally smooth loss landscapes, and (3) a consistency loss component that enforces prediction stability between clean and adversarial inputs. Through extensive experimental validation across three diverse iris datasets, MMU1, CASIA-Iris-Africa, and UBIRIS.v2, and rigorous evaluation against strong adaptive attacks including AutoAttack, PGD-100 with random restarts, and transfer-based black-box attacks, ShieldNet demonstrated robust performance, achieving 87.3% adversarial accuracy under AutoAttack on MMU1, 85.1% on CASIA-Iris-Africa, and 82.4% on UBIRIS.v2, while maintaining competitive clean data accuracies of 94.7%, 93.9%, and 92.8%, respectively. The proposed framework outperforms existing state-of-the-art defense methods including TRADES, MART, and AWP, achieving an equal error rate (EER) as low as 2.8% and demonstrating consistent robustness across both gradient-based and gradient-free attack scenarios. Comprehensive ablation studies validate the complementary contributions of each defense component, while latent space analysis confirms that ShieldNet learns genuinely robust feature representations rather than relying on gradient obfuscation. 
These results establish ShieldNet as a practical and reliable solution for deployment in high-security biometric authentication environments.


