Zhihao Wu,Yushi Cheng,Shibo Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.14722/ndss.2024.241036

2024-01-01

Abstract:Face authentication systems are widely employed in access control systems to ensure the security of confidential facilities.Recent works have demonstrated their vulnerabilities to adversarial attacks.However, such attacks typically require adversaries to wear disguises such as glasses or hats during every authentication, which may raise suspicion and reduce their attack impacts.In this paper, we propose the UniID attack, which allows multiple adversaries to perform face spoofing attacks without any additional disguise by enabling an insider to register a universal identity into the face authentication database by wearing an adversarial patch.To achieve it, we first select appropriate adversaries through feature engineering, then generate the desired adversarial patch with a multi-target joint-optimization approach, and finally overcome practical challenges such as improving the transferability of the adversarial patch towards black-box systems and enhancing its robustness in the physical world.We implement UniID in laboratory setups and evaluate its effectiveness with six face recognition models (FaceNet, Mobile-FaceNet, ArcFace-18/50, and MagFace-18/50) and two commercial face authentication systems (ArcSoft and Face++).Simulation and real-world experimental results demonstrate that UniID can achieve a max attack success rate of 100% and 79% in 3-user scenarios under the white-box setting and black-box setting respectively, and it can be extended to more than 8 users.

Hao Fang,Ajian Liu,Haocheng Yuan,Junze Zheng,Dingheng Zeng,Yanhong Liu,Jiankang Deng,Sergio Escalera,Xiaoming Liu,Jun Wan,Zhen Lei

2024-01-31

Abstract:Face Recognition (FR) systems can suffer from physical (i.e., print photo) and digital (i.e., DeepFake) attacks. However, previous related work rarely considers both situations at the same time. This implies the deployment of multiple models and thus more computational burden. The main reasons for this lack of an integrated model are caused by two factors: (1) The lack of a dataset including both physical and digital attacks with ID consistency which means the same ID covers the real face and all attack types; (2) Given the large intra-class variance between these two attacks, it is difficult to learn a compact feature space to detect both attacks simultaneously. To address these issues, we collect a Unified physical-digital Attack dataset, called UniAttackData. The dataset consists of $1,800$ participations of 2 and 12 physical and digital attacks, respectively, resulting in a total of 29,706 videos. Then, we propose a Unified Attack Detection framework based on Vision-Language Models (VLMs), namely UniAttackDetection, which includes three main modules: the Teacher-Student Prompts (TSP) module, focused on acquiring unified and specific knowledge respectively; the Unified Knowledge Mining (UKM) module, designed to capture a comprehensive feature space; and the Sample-Level Prompt Interaction (SLPI) module, aimed at grasping sample-level semantics. These three modules seamlessly form a robust unified attack detection framework. Extensive experiments on UniAttackData and three other datasets demonstrate the superiority of our approach for unified face attack detection.

Computer Vision and Pattern Recognition

Lei Li,Zhihao Yao,Shanshan Gao,Huijian Han,Zhaoqiang Xia

DOI: https://doi.org/10.1016/j.engappai.2024.108345

IF: 8

2024-01-01

Engineering Applications of Artificial Intelligence

Abstract:To solve the security problem posed by fake face presentation attacks in face recognition systems, many detection methods have been proposed in recent years. Among these detection methods, the methods by analyzing a single image have achieved good real-time performance. However, their detection performances are often limited by the effectiveness of the extracted features. Compared with the real face, the fake face always shows structure and texture differences. Based on this, we propose a detection method that fuses local texture and structural depth information, where the Swin-Transformer is invoked to generate both local and constructed features. More specifically, the face image is first divided into non-overlapped small patches, which can further extract the features in micro-clues. Then, the Swin-Transformer with four stages is invoked to encode these patches, and the outputs from different stages are fused to generate constructed depth descriptors and local texture features. Finally, the local texture features and constructed depth map are combined to classify whether the input face image is captured from a real face. Extensive experiments about intra-dataset and cross-dataset evaluation indicate that our proposed approach significantly outperforms the state-of-the-art methods and show promising generalization performance.

Zhihao Wu,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2024.3445570

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Face authentication technology has been widely used in physical access control to critical infrastructures. The security of a face authentication system has been threatened by photo replay attacks and thus the 3D liveness detection techniques have been deployed to safeguard such systems. In this paper, we conduct a comprehensive analysis of the security aspects pertaining to 3D liveness detection systems that employ structured light depth camera, and propose a novel attack surface targeting 3D face authentication systems involving multiple modalities such as Depth, RGB and IR. We propose the DepthFake attack, a multi-modal spoofing attack against real-world 3D face authentication using only a single 2D photo. To achieve it, DepthFake first reconstruct the depth information of the victim's face from his 2D photo. Then, DepthFake actively projects a carefully-crafted scatter patterns embedded with the face depth information, in order to empower the 2D photo with 3D authentication properties. We address a range of practical challenges, including mitigating depth estimation errors, achieving depth images forgery techniques based on structured light, ensuring accurate alignment between various modalities of face images, and effectively implementing DepthFake in real world. We validated DepthFake on 5 commercial face authentication systems (i.e., Tencent Cloud, Baidu Cloud, 3DiVi, Ali Cloud and ArcSoft) and two commercial access control devices. The results over 50 users demonstrate that DepthFake achieves an overall Depth attack success rate of $79.4\%$ , RGB-D attack success rate of $59.4\%$ , IR-D attack success rate of $79.4\%$ , and RGB-IR attack success rate of $83.8\%$ in the real world.

Junyi Cao,Ke-Yue Zhang,Taiping Yao,Shouhong Ding,Xiaokang Yang,Chao Ma

DOI: https://doi.org/10.1007/s11263-024-02151-2

IF: 13.369

2024-01-01

International Journal of Computer Vision

Abstract:Real-world face recognition systems are vulnerable to diverse face attacks, ranging from digitally manipulated artifacts to physically crafted spoofing attacks. Existing works primarily focus on using an image classification network to address one type of attack but disregarding another. However, face recognition systems in real-world scenarios always encounter diverse simultaneous attacks, rendering the aforementioned single-attack detecting solution ineffective. Besides, excessive reliance on a classifier might easily fail when encountering face attacks with unknown patterns, as the category-level difference learned by classification backbones cannot generalize well to new attacks. Considering that real data are captured from actual individuals, while attack samples are generated by various distinct techniques, our focus is on extracting compact representations of real faces. This approach allows us to identify the fundamental differences between genuine and attack images, enabling us to address both manipulated artifacts and spoofing attacks simultaneously. Concretely, we propose a dual space reconstruction learning framework that models the commonalities of genuine faces in both spatial and frequency domains. With the learned characteristics of real faces, the model is more likely to segregate diverse attack samples as outliers from genuine images. Besides, we introduce a dynamic filtering module that filters out the redundant information retained by the reconstruction and enhances the critical divergence between the real and the attack to achieve better classification features. Since the training samples only cover limited style variations, which hampers the generalization to unseen domains, we further design a consistency regularized training strategy that mimics distribution shifts during training and imposes specific constraints to encourage style-irrelevant features. Moreover, in view of the lack of accessible benchmarks for unified evaluation of the detection competence against both face forgery and spoofing attacks, we set up a new challenging benchmark, named UniAttack, to foster the exploration of effective solutions to face attack detection. Both qualitative and quantitative results from existing and proposed benchmarks unequivocally demonstrate the superiority of our methods over state-of-the-art approaches.

Haocheng Yuan,Ajian Liu,Junze Zheng,Jun Wan,Jiankang Deng,Sergio Escalera,Hugo Jair Escalante,Isabelle Guyon,Zhen Lei

2024-04-18

Abstract:Face Anti-Spoofing (FAS) is crucial to safeguard Face Recognition (FR) Systems. In real-world scenarios, FRs are confronted with both physical and digital attacks. However, existing algorithms often address only one type of attack at a time, which poses significant limitations in real-world scenarios where FR systems face hybrid physical-digital threats. To facilitate the research of Unified Attack Detection (UAD) algorithms, a large-scale UniAttackData dataset has been collected. UniAttackData is the largest public dataset for Unified Attack Detection, with a total of 28,706 videos, where each unique identity encompasses all advanced attack types. Based on this dataset, we organized a Unified Physical-Digital Face Attack Detection Challenge to boost the research in Unified Attack Detections. It attracted 136 teams for the development phase, with 13 qualifying for the final round. The results re-verified by the organizing team were used for the final ranking. This paper comprehensively reviews the challenge, detailing the dataset introduction, protocol definition, evaluation criteria, and a summary of published results. Finally, we focus on the detailed analysis of the highest-performing algorithms and offer potential directions for unified physical-digital attack detection inspired by this competition. Challenge Website:

Computer Vision and Pattern Recognition

Debayan Deb,Xiaoming Liu,Anil K. Jain

DOI: https://doi.org/10.48550/arXiv.2104.02156

2021-04-06

Abstract:State-of-the-art defense mechanisms against face attacks achieve near perfect accuracies within one of three attack categories, namely adversarial, digital manipulation, or physical spoofs, however, they fail to generalize well when tested across all three categories. Poor generalization can be attributed to learning incoherent attacks jointly. To overcome this shortcoming, we propose a unified attack detection framework, namely UniFAD, that can automatically cluster 25 coherent attack types belonging to the three categories. Using a multi-task learning framework along with k-means clustering, UniFAD learns joint representations for coherent attacks, while uncorrelated attack types are learned separately. Proposed UniFAD outperforms prevailing defense methods and their fusion with an overall TDR = 94.73% @ 0.2% FDR on a large fake face dataset consisting of 341K bona fide images and 448K attack images of 25 types across all 3 categories. Proposed method can detect an attack within 3 milliseconds on a Nvidia 2080Ti. UniFAD can also identify the attack types and categories with 75.81% and 97.37% accuracies, respectively.

Computer Vision and Pattern Recognition

Lei Li,Zhihao Yao,Shixi Zhou,Yupeng Ma,Jun Wu,Zhaoqiang Xia

DOI: https://doi.org/10.1109/icipmc55686.2022.00021

2022-01-01

Abstract:In recent years, many face spoofing detection methods based on video frame or video sequence have been proposed to counteract the security threats of face recognition system. Although the video sequence based detection methods analyzing liveness signals have satisfactory performance, it is difficult to capture a long video in realistic applications; the video frame based methods have good real-time capabilities, but the detection performance is poor when dealing with high-resolution fake faces. Therefore, in this paper, we propose a novel video frame based face spoofing detection method exploiting facial blood flow differences, which achieves excellent detection performance and generalization capability. Specifically, compared with fake face, the subcutaneous tissue of live face is distributed with complex blood vessels. When the visible light penetrates face skin, its absorption in different regions is different due to the distribution of blood vessels. In order to extract the visible light absorption variations between different regions, the attentional face image is first fed into an 1D CNN to extract features for describing the absorption characteristics of each point; then, a GRU network is invoked to capture the absorption variations of the outputs of 1D CNN; finally, the Softmax function is used to classify whether the face image is a live face or a spoofing attack. Extensive experiments on three databases of 3DMAD, MSU and Replay-Attack demonstrate the effectiveness of our proposed method in distinguishing the printed images or 3D masks from the live ones and show that the detection performance outperforms other state-of-the-art methods.

Hanqing Gu,Jiayin Chen,Fusu Xiao,Yi-Jia Zhang,Zhe-Ming Lu

DOI: https://doi.org/10.1109/access.2023.3335040

IF: 3.9

2023-01-01

IEEE Access

Abstract:Face features, as the most widely adopted and essential biometric characteristic in identity verification and recognition, play a crucial role in ensuring security. However, the significance is also accompanied by various face attacks, posing a great threat to the security of facial recognition systems. Therefore, exploring face anti-spoofing detection holds substantial practical significance. There is existing research on Face Anti-Spoofing (FAS) detection, but there is still potential for enhancing detection performance. In this paper, we propose a face anti-spoofing method, named AR-MLP (Attention ResNet-Multilayer Perceptron), which incorporates self-attention and MLP auxiliary convolution. By replacing the last two “Basic block” layers of the Conv-MLP network with a model combining self-attention and convolution, and adjusting the network architecture and parameters, AR-MLP can capture global features more effectively by suitably integrating the self-attention and convolution layers. We conduct comprehensive evaluations using three authoritative multimodal face anti-spoofing datasets (WMCA, HQ-WMCA, and CASIA-SURF CeFA) for intra-dataset, cross-attack, and cross-race testing. The experimental results demonstrate that AR-MLP outperforms several excellent methods in terms of classification performance and computational overhead.

Liang Yu Gong,Xue Jun Li,Peter Han Joo Chong

DOI: https://doi.org/10.3390/s24237635

IF: 3.9

2024-12-01

Sensors

Abstract:Spoofing attacks (or Presentation Attacks) are easily accessible to facial recognition systems, making the online financial system vulnerable. Thus, it is urgent to develop an anti-spoofing solution with superior generalization ability due to the high demand for spoofing attack detection. Although multi-modality methods such as combining depth images with RGB images and feature fusion methods could currently perform well with certain datasets, the cost of obtaining the depth information and physiological signals, especially that of the biological signal is relatively high. This paper proposes a representation learning method of an Auto-Encoder structure based on Swin Transformer and ResNet, then applies cross-entropy loss, semi-hard triplet loss, and Smooth L1 pixel-wise loss to supervise the model training. The architecture contains three parts, namely an Encoder, a Decoder, and an auxiliary classifier. The Encoder part could effectively extract the features with patches' correlations and the Decoder aims to generate universal "Clue Maps" for further contrastive learning. Finally, the auxiliary classifier is adopted to assist the model in making the decision, which regards this result as one preliminary result. In addition, extensive experiments evaluated Attack Presentation Classification Error Rate (APCER), Bonafide Presentation Classification Error Rate (BPCER) and Average Classification Error Rate (ACER) performances on the popular spoofing databases (CelebA, OULU, and CASIA-MFSD) to compare with several existing anti-spoofing models, and our approach could outperform existing models which reach 1.2% and 1.6% ACER on intra-dataset experiment. In addition, the inter-dataset on CASIA-MFSD (training set) and Replay-attack (Testing set) reaches a new state-of-the-art performance with 23.8% Half Total Error Rate (HTER).

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Shen Chen,Taiping Yao,Keyue Zhang,Yang Chen,Ke Sun,Shouhong Ding,Jilin Li,Feiyue Huang,Rongrong Ji

DOI: https://doi.org/10.1109/iccvw54120.2021.00098

2021-01-01

Abstract:Face presentation attack detection (PAD) plays a vital role in face recognition systems. Many previous face anti-spoofing methods mainly focus on the 2D face representation attacks, which however, suffer from great performance degradation when facing high-fidelity 3D mask attacks. To address this issue, we propose a novel dual-stream framework consisting of the vanilla convolution stream and the central difference convolution stream. These two streams complement each other and learn more comprehensive features for 3D mask attacks detection. Moreover, we extend 3D PAD to a multi-classification task that contains real face, plaster attack and transparent attack, and utilize various data augmentations and label smoothing techniques to improve the generalizability on unseen attacks. The proposed method achieved the second place in the Chalearn 3D High-Fidelity Mask Face Presentation Attack Detection Challenge@ICCV2021 with a score of 3.15 (ACER).

Hang Zou,Chenxi Du,Hui Zhang,Yuan Zhang,Ajian Liu,Jun Wan,Zhen Lei

2024-08-23

Abstract:Facial recognition systems are susceptible to both physical and digital attacks, posing significant security risks. Traditional approaches often treat these two attack types separately due to their distinct characteristics. Thus, when being combined attacked, almost all methods could not deal. Some studies attempt to combine the sparse data from both types of attacks into a single dataset and try to find a common feature space, which is often impractical due to the space is difficult to be found or even non-existent. To overcome these challenges, we propose a novel approach that uses the sparse model to handle sparse data, utilizing different parameter groups to process distinct regions of the sparse feature space. Specifically, we employ the Mixture of Experts (MoE) framework in our model, expert parameters are matched to tokens with varying weights during training and adaptively activated during testing. However, the traditional MoE struggles with the complex and irregular classification boundaries of this problem. Thus, we introduce a flexible self-adapting weighting mechanism, enabling the model to better fit and adapt. In this paper, we proposed La-SoftMoE CLIP, which allows for more flexible adaptation to the Unified Attack Detection (UAD) task, significantly enhancing the model's capability to handle diversity attacks. Experiment results demonstrate that our proposed method has SOTA performance.

Computer Vision and Pattern Recognition

胡永健,蔡楚鑫,刘琲贝,王宇飞,廖广军

2023-01-01

Abstract:Due to feasibility and friendly user interaction, deep learning-based face recognition and identity authentication becomes one of the most popular artificial intelligence technologies in China. The face recognition and identity authentication system should secure that the captured face for verification is a living face rather than a fake face or called spoofing face. Otherwise, the output of the system is useless for business. Face spoofing detection or called living face detection mechanism is set in the front part of the system, and plays a key role in distinguishing a fake face from the input faces. Most current face anti-spoofing algorithms perform well in intra-dataset. However, the model training in lab is unable to simulate all aspects in the real-world application scenarios. As a result, the data distribution in source domain is not always similar to the data distribution in target domain, which causes the lab-trained algorithms barely perform as well as in lab. Although we can mitigate the performance degradation with the increase of detection feature types and dimensions, it tends to make the detection network very complex in structure and large in model size. In order to improve the generalization ability of model without resorting to large model, we design a face spoofing detection network using the 3D depth point cloud supervision and confidence correction scheme. The proposed approach consists of three major contributions. First, we design a shallow convolutional neural network called DenseBlockNet. It can well extract distinctive depth features between real faces and spoofing ones and has a small model size. Second, we establish the relationship between the 2D depth map produced by DenseBlockNet and the coordinates of sampling points, and thus create a 3D depth point cloud. We adopt the Chamfer loss to minimize the distance between the learned 3D depth point cloud and the ground truth 3D depth point cloud label, and use the Binary Cross Entropy loss to supervise the difference between the learned 2D depth map and the ground truth 2D depth map label. Third, we introduce a prediction confidence map to correct the error of the learned 3D depth point cloud, so that it can avoid overfitting in intra-datasets and obtain good generalization ability in inter-datasets. Extensive experiments are conducted on 5 popular presentation attack databases, namely Reply-attack, CASIA-FASD, MSU-MFSD,Rose-Youtu, and OULU-NPU. Compared with 8 representative methods including 2 SOTA methods, the proposed method can achieve the least or second least half-total-error-rates in either intra-dataset or inter-dataset tests. Besides, it has the smallest model, the least amount of model parameters and the lowest computational complexity.

Bowen Zhang,Benedetta Tondi,Mauro Barni

DOI: https://doi.org/10.48550/arXiv.1910.00327

2019-10-01

Abstract:In this paper, we study the vulnerability of anti-spoofing methods based on deep learning against adversarial perturbations. We first show that attacking a CNN-based anti-spoofing face authentication system turns out to be a difficult task. When a spoofed face image is attacked in the physical world, in fact, the attack has not only to remove the rebroadcast artefacts present in the image, but it has also to take into account that the attacked image will be recaptured again and then compensate for the distortions that will be re-introduced after the attack by the subsequent rebroadcast process. Subsequently, we propose a method to craft robust physical domain adversarial images against anti-spoofing CNN-based face authentication. The attack built in this way can successfully pass all the steps in the authentication chain (that is, face detection, face recognition and spoofing detection), by achieving simultaneously the following goals: i) make the spoofing detection fail; ii) let the facial region be detected as a face and iii) recognized as belonging to the victim of the attack. The effectiveness of the proposed attack is validated experimentally within a realistic setting, by considering the REPLAY-MOBILE database, and by feeding the adversarial images to a real face authentication system capturing the input images through a mobile phone camera.

Cryptography and Security

Song Chen,Weixin Li,Hongyu Yang,Di Huang,Yunhong Wang

DOI: https://doi.org/10.1109/fg47880.2020.00019

2020-01-01

Abstract:Face anti-spoofing has recently become more important to the wide application of Face Recognition (FR) techniques. Compared to Spoofing Attacks (SAs) of printed photos and replayed videos, 3D masks bring more challenges to FR systems. This paper proposes a novel approach to 3D face mask anti-spoofing, namely Multi-Modal Dynamics Fusion Network (MM-DFN), and different from the overwhelming majority of the methods in the literature that only employ RGB data, it highlights the credit of the geometry information delivered by depth sensors or reconstructed from RGB images. Dynamic texture and shape clues are respectively encoded by a two-branch deep CNN model at different rates so that discriminative details are sufficiently captured, and they are combined at intervals for more comprehensive description. Moreover, a 3D model guided data augmentation method is applied to generate a diversity of samples with various poses, which further enhances the anti-spoofing model. The proposed method is extensively evaluated on three public benchmarks, i.e. 3DMAD, HKBU-MARs V1 and SMAD, and the results achieved are state-of-the-art, demonstrating its effectiveness for this issue.

Chenglin Yao,Jianfeng Ren,Ruibin Bai,Heshan Du,Jiang Liu,Xudong Jiang

DOI: https://doi.org/10.48550/arXiv.2305.15940

2023-05-25

Abstract:Detecting 3D mask attacks to a face recognition system is challenging. Although genuine faces and 3D face masks show significantly different remote photoplethysmography (rPPG) signals, rPPG-based face anti-spoofing methods often suffer from performance degradation due to unstable face alignment in the video sequence and weak rPPG signals. To enhance the rPPG signal in a motion-robust way, a landmark-anchored face stitching method is proposed to align the faces robustly and precisely at the pixel-wise level by using both SIFT keypoints and facial landmarks. To better encode the rPPG signal, a weighted spatial-temporal representation is proposed, which emphasizes the face regions with rich blood vessels. In addition, characteristics of rPPG signals in different color spaces are jointly utilized. To improve the generalization capability, a lightweight EfficientNet with a Gated Recurrent Unit (GRU) is designed to extract both spatial and temporal features from the rPPG spatial-temporal representation for classification. The proposed method is compared with the state-of-the-art methods on five benchmark datasets under both intra-dataset and cross-dataset evaluations. The proposed method shows a significant and consistent improvement in performance over other state-of-the-art rPPG-based methods for face spoofing detection.

Computer Vision and Pattern Recognition

Xiao Yang,Longlong Xu,Tianyu Pang,Yinpeng Dong,Yikai Wang,Hang Su,Jun Zhu

DOI: https://doi.org/10.1007/s11263-024-02177-6

IF: 13.369

2024-01-01

International Journal of Computer Vision

Abstract:Recent research has elucidated the susceptibility of face recognition models to physical adversarial patches, thus provoking security concerns about the deployed face recognition systems. Most existing 2D and 3D physical attacks on face recognition, however, produce adversarial examples using a single-state face image of an attacker. This point-wise attack paradigm tends to yield inferior results when countering numerous complicated states in physical environments, such as diverse pose variations. In this paper, by reassessing the intrinsic relationship between an attacker’s face and its variations, we propose a practical pipeline that simulates complex facial transformations in the physical world through 3D face modeling. This adaptive simulation serves as a digital counterpart of physical faces and empowers us to regulate various facial variations and physical conditions. With this digital simulator, we present the Face3DAdv method to craft 3D adversarial patches, which account for 3D facial transformations and realistic physical variations. Moreover, by optimizing the latent space on 3D modeling and involving importance sampling on various transformations, we demonstrate that Face3DAdv can significantly improve the effectiveness and naturalness of a wide range of physically feasible adversarial patches. Furthermore, the physically 3D-printed adversarial patches by Face3DAdv can achieve an effective evaluation of adversarial robustness on multiple popular commercial services, including four recognition APIs, three anti-spoofing APIs and one automated access control system.

Zitong Yu,Rizhao Cai,Zhi Li,Wenhan Yang,Jingang Shi,Alex C. Kot

2024-01-08

Abstract:Face anti-spoofing (FAS) and face forgery detection play vital roles in securing face biometric systems from presentation attacks (PAs) and vicious digital manipulation (e.g., deepfakes). Despite promising performance upon large-scale data and powerful deep models, the generalization problem of existing approaches is still an open issue. Most of recent approaches focus on 1) unimodal visual appearance or physiological (i.e., remote photoplethysmography (rPPG)) cues; and 2) separated feature representation for FAS or face forgery detection. On one side, unimodal appearance and rPPG features are respectively vulnerable to high-fidelity face 3D mask and video replay attacks, inspiring us to design reliable multi-modal fusion mechanisms for generalized face attack detection. On the other side, there are rich common features across FAS and face forgery detection tasks (e.g., periodic rPPG rhythms and vanilla appearance for bonafides), providing solid evidence to design a joint FAS and face forgery detection system in a multi-task learning fashion. In this paper, we establish the first joint face spoofing and forgery detection benchmark using both visual appearance and physiological rPPG cues. To enhance the rPPG periodicity discrimination, we design a two-branch physiological network using both facial spatio-temporal rPPG signal map and its continuous wavelet transformed counterpart as inputs. To mitigate the modality bias and improve the fusion efficacy, we conduct a weighted batch and layer normalization for both appearance and rPPG features before multi-modal fusion. We find that the generalization capacities of both unimodal (appearance or rPPG) and multi-modal (appearance+rPPG) models can be obviously improved via joint training on these two tasks. We hope this new benchmark will facilitate the future research of both FAS and deepfake detection communities.

Computer Vision and Pattern Recognition

Xiao Yang,Yinpeng Dong,Tianyu Pang,Zihao Xiao,Hang Su,Jun Zhu

DOI: https://doi.org/10.48550/arXiv.2203.04623

2022-03-09

Computer Vision and Pattern Recognition

Abstract:Recent studies have revealed the vulnerability of face recognition models against physical adversarial patches, which raises security concerns about the deployed face recognition systems. However, it is still challenging to ensure the reproducibility for most attack algorithms under complex physical conditions, which leads to the lack of a systematic evaluation of the existing methods. It is therefore imperative to develop a framework that can enable a comprehensive evaluation of the vulnerability of face recognition in the physical world. To this end, we propose to simulate the complex transformations of faces in the physical world via 3D-face modeling, which serves as a digital counterpart of physical faces. The generic framework allows us to control different face variations and physical conditions to conduct reproducible evaluations comprehensively. With this digital simulator, we further propose a Face3DAdv method considering the 3D face transformations and realistic physical variations. Extensive experiments validate that Face3DAdv can significantly improve the effectiveness of diverse physically realizable adversarial patches in both simulated and physical environments, against various white-box and black-box face recognition models.

CAI Chuxin,WANG Yufei,ZHANG Liepiao,ZHUO Sichao,ZHANG Juanmiao,HU Yongjian

DOI: https://doi.org/10.19363/J.cnki.cn10-1380/tn.2023.03.10

2023-01-01

Journal of Cyber Security

Abstract:Adversarial attacks exhibit both potential insecurity of face recognition systems and the way of performing attacks. Most current adversarial attacks on face recognition systems are carried out in digital domain. However, based on the recent reports in literature, more and more studies begin to concern about how to put the physical patches containing adversarial noise on human face and its neighboring regions, for example, eyeglass framework, paper sticker, and cap, so as to implement adversarial attacks in physical domain. Such a new type of attacks can easily break through most of current living face detection systems and thus affect the decision of face recognition systems. Although there are a few methods proposed for the generation of adversarial samples in digital domain, it is not easy or cheap to realize those methods in physical domain. This paper proposes a method of generating adversarial attack in digital domain which can be readily extended to physical domain. By adding adversarial perturbation of special shapes into an original face sample, we can fool the face recognition system and make it regard the face as someone else’s face（i.e., dodging attack） or a specific person’s face（i.e., impersonation attack）. The major contributions of this paper include: First, we propose a method of using the face landmarks to construct a specific shape mask of the adversarial perturbation for individual face. Second, we design the adversarial loss function to train the generator to produce digital samples. Third, we design the printing score loss function to reduce the color difference between display and printer so as to reproduce those samples in physical domain.We improve the quality of adversarial samples by means of data enhancement which aims at simulating the way of wearing eyeglasses, illumination variations and other situations in real-world applications. Experimental results show that the proposed method can attack the face recognition system VggFace10 in a high success rate in digital domain. Moreover, it can be readily extended to physical domain and generates samples quickly and economically. Our study exposes the security risk of face recognition systems, which can provide us with useful information to design better face recognition systems against adversarial attacks in the future.