AdvFAS: A robust face anti-spoofing framework against adversarial examples

Jiawei Chen, Xiao Yang, Heng Yin, Mingzhi Ma, Bihui Chen, Jianteng Peng, Yandong Guo, Zhaoxia Yin, Hang Su
DOI: https://doi.org/10.1016/j.cviu.2023.103779
2023-08-04
Abstract: Ensuring the reliability of face recognition systems against presentation attacks necessitates the deployment of face anti-spoofing techniques. Despite considerable advancements in this domain, the ability of even the most state-of-the-art methods to defend against adversarial examples remains elusive. While several adversarial defense strategies have been proposed, they typically suffer from constrained practicability due to inevitable trade-offs between universality, effectiveness, and efficiency. To overcome these challenges, we thoroughly delve into the coupled relationship between adversarial detection and face anti-spoofing. Based on this, we propose a robust face anti-spoofing framework, namely AdvFAS, that leverages two coupled scores to accurately distinguish between correctly detected and wrongly detected face images. Extensive experiments demonstrate the effectiveness of our framework in a variety of settings, including different attacks, datasets, and backbones, meanwhile enjoying high accuracy on clean examples. Moreover, we successfully apply the proposed method to detect real-world adversarial examples.
Computer Vision and Pattern Recognition, Artificial Intelligence
What problem does this paper attempt to address?
This paper addresses the lack of effectiveness and robustness of existing face anti-spoofing techniques under adversarial example attacks. Although significant progress has been made in preventing conventional presentation attacks (such as print attacks, video replay attacks, 3D mask attacks, etc.), the defense capabilities of these techniques against adversarial examples are still limited. Adversarial examples are malicious samples that cause machine-learning models to make incorrect judgments by adding small perturbations to the input data. This type of attack poses a serious threat to the security of face recognition systems because it can bypass existing anti-counterfeiting mechanisms and cause the system to fail.
To solve this problem, the authors explore the coupled relationship between adversarial detection and face anti-spoofing and, based on it, propose a new robust framework, AdvFAS. The framework improves the system's ability to detect adversarial samples by introducing two coupled scores that distinguish correctly detected face images from incorrectly detected ones. The two scores are:
- \( f_\theta(x) \): The output score of the traditional detector, representing the detector's judgment on the input image \( x \).
- \( ES(x) \): The expected score, which is used to assist in determining whether \( f_\theta(x) \) is correct. In the case of correct detection, \( ES(x)=f_\theta(x) \); in the case of incorrect detection, \( ES(x) \) is equal to the true label (0 or 1).
To achieve this goal, the paper also designs a corrector, which computes a correction score \( g_\kappa(x) \) to predict \( ES(x) \) and shares the backbone network with the detector to reduce memory overhead.
In addition, the paper also proposed several strategies (such as stopping gradient propagation and adding masks) to eliminate the impact of adversarial samples on the detection accuracy of clean samples. Through extensive experimental verification, the AdvFAS framework performs well in multiple settings, including different attack methods, data sets, and backbone networks, while also maintaining high accuracy on clean samples. This indicates that AdvFAS can not only effectively defend against adversarial samples but also maintain good performance in practical applications.
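The relationship between the two scores described above can be made concrete with a short added example. It is not code from the paper: the label convention (1 = live, 0 = spoof), both thresholds, the squared-error loss, the gap-based decision rule, and all sample scores are assumptions made for illustration.

```python
# Added illustration, not the paper's code. Thresholds, label convention
# (1 = live, 0 = spoof), loss choice and all sample scores are assumptions.
LIVE_THRESHOLD = 0.5   # assumed cut-off on the detector score f_theta(x)
GAP_THRESHOLD = 0.5    # assumed cut-off on |f_theta(x) - g_kappa(x)|


def expected_score(f_score, label):
    """ES(x): f_theta(x) if the detector's decision matches the label, else the label."""
    predicted = 1 if f_score >= LIVE_THRESHOLD else 0
    return f_score if predicted == label else float(label)


def corrector_loss(g_scores, f_scores, labels):
    """Assumed training loss: mean squared error between g_kappa(x) and ES(x)."""
    targets = [expected_score(f, y) for f, y in zip(f_scores, labels)]
    return sum((g - t) ** 2 for g, t in zip(g_scores, targets)) / len(targets)


def is_wrongly_detected(f_score, g_score):
    """Assumed inference rule: a large gap between the two scores means the
    detector's output should not be trusted."""
    return abs(f_score - g_score) > GAP_THRESHOLD


def triage(batch):
    """Return names of samples whose detector decision is flagged as unreliable."""
    return [name for name, f, g in batch if is_wrongly_detected(f, g)]


# Constructed batch: (name, f_theta(x), g_kappa(x)).
BATCH = [
    ("clean_live", 0.91, 0.89),         # correct detection, scores agree
    ("clean_print_spoof", 0.07, 0.10),  # correct detection, scores agree
    ("adv_spoof", 0.93, 0.06),          # spoof scored as live, corrector disagrees
    ("adv_live", 0.12, 0.95),           # live scored as spoof, corrector disagrees
]

if __name__ == "__main__":
    print("ES targets:", [expected_score(0.93, 0), expected_score(0.91, 1)])
    print("flagged:", triage(BATCH))
```

Because \( ES(x) \) collapses to \( f_\theta(x) \) whenever the detector is right, a well-trained corrector agrees with the detector on clean inputs and diverges only where the detector has been fooled.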