Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AdvFAS: A robust face anti-spoofing framework against adversarial examples

Jiawei Chen, Xiao Yang, Heng Yin, Mingzhi Ma, Bihui Chen, Jianteng Peng, Yandong Guo, Zhaoxia Yin, Hang Su

TL;DR

The paper addresses the vulnerability of face anti-spoofing systems to adversarial examples by introducing AdvFAS, a robust framework that couples adversarial detection with face spoofing. It models two scores, $f_\theta(x)$ and ${ES}(x)$, and augments the detector with a lightweight corrector $g_\kappa(x)$ so that ${\rm ES}(x)=f_\theta(x)\cdot g_\kappa(x)$ provides a principled decision under adversarial pressure. The authors provide theoretical analysis showing separability between correctly and wrongly detected inputs and validate the approach across multiple backbones, datasets, and attacks, including real-world and adaptive scenarios. Results indicate AdvFAS significantly boosts adversarial robustness while maintaining high performance on clean data, demonstrating practical applicability for secure face recognition systems in realistic settings.

Abstract

Ensuring the reliability of face recognition systems against presentation attacks necessitates the deployment of face anti-spoofing techniques. Despite considerable advancements in this domain, the ability of even the most state-of-the-art methods to defend against adversarial examples remains elusive. While several adversarial defense strategies have been proposed, they typically suffer from constrained practicability due to inevitable trade-offs between universality, effectiveness, and efficiency. To overcome these challenges, we thoroughly delve into the coupled relationship between adversarial detection and face anti-spoofing. Based on this, we propose a robust face anti-spoofing framework, namely AdvFAS, that leverages two coupled scores to accurately distinguish between correctly detected and wrongly detected face images. Extensive experiments demonstrate the effectiveness of our framework in a variety of settings, including different attacks, datasets, and backbones, meanwhile enjoying high accuracy on clean examples. Moreover, we successfully apply the proposed method to detect real-world adversarial examples.

AdvFAS: A robust face anti-spoofing framework against adversarial examples

TL;DR

The paper addresses the vulnerability of face anti-spoofing systems to adversarial examples by introducing AdvFAS, a robust framework that couples adversarial detection with face spoofing. It models two scores, and , and augments the detector with a lightweight corrector so that provides a principled decision under adversarial pressure. The authors provide theoretical analysis showing separability between correctly and wrongly detected inputs and validate the approach across multiple backbones, datasets, and attacks, including real-world and adaptive scenarios. Results indicate AdvFAS significantly boosts adversarial robustness while maintaining high performance on clean data, demonstrating practical applicability for secure face recognition systems in realistic settings.

Abstract

Ensuring the reliability of face recognition systems against presentation attacks necessitates the deployment of face anti-spoofing techniques. Despite considerable advancements in this domain, the ability of even the most state-of-the-art methods to defend against adversarial examples remains elusive. While several adversarial defense strategies have been proposed, they typically suffer from constrained practicability due to inevitable trade-offs between universality, effectiveness, and efficiency. To overcome these challenges, we thoroughly delve into the coupled relationship between adversarial detection and face anti-spoofing. Based on this, we propose a robust face anti-spoofing framework, namely AdvFAS, that leverages two coupled scores to accurately distinguish between correctly detected and wrongly detected face images. Extensive experiments demonstrate the effectiveness of our framework in a variety of settings, including different attacks, datasets, and backbones, meanwhile enjoying high accuracy on clean examples. Moreover, we successfully apply the proposed method to detect real-world adversarial examples.
Paper Structure (15 sections, 3 theorems, 14 equations, 5 figures, 9 tables, 1 algorithm)

This paper contains 15 sections, 3 theorems, 14 equations, 5 figures, 9 tables, 1 algorithm.

Table of Contents

  1. Introdution
  2. Related Work
  3. Method
  4. Problem Formulation
  5. Theoretical Analysis
  6. Theoretically Coupling ES and $\boldsymbol{f_{\theta}}$
  7. Coupling in Practice ES and $\boldsymbol{f_{\theta}}$
  8. Framework Details
  9. Experiments
  10. Experimental Settings
  11. Vulnerability Evaluation of Existing Detectors
  12. Performance Against Different Settings
  13. In Real-world Scenarios
  14. Performance Against Adaptive Attacks
  15. Conclusion

Key Result

Lemma 1

(Separability) Given the detector $f_{\theta}$, $\forall x_1,x_2$ with spoofing scores larger than $\frac{1}{2}$, $i.e.$, If $x_1$ is detected correctly, while $x_2$ is detected wrongly, then $\rm{ES}$$(x_1)$$> \frac{1}{2} >$$\rm{ES}$$(x_2)$.

Figures (5)

  • Figure 1: Left: Conventional detector methods demonstrate very poor performance in defending adversarial examples. Right: Our AdvFAS can distinguish wrongly detected examples from correctly detected ones through two coupled scores: $f_\theta(x)$ and ES$(x)$. ES($x$) refers to the expected score. $g_\kappa(x)$ builds the bridge between $f_\theta(x)$ and ES$(x)$.
  • Figure 2: Construction of the objective $\mathcal{L}_{cor}$ in \ref{['form: eight']} for training the corrector, which is the binary cross-entropy (BCE) loss between ES$(x)$ and $E_{label}$. The corrector shares a main backbone with the detector, introducing little extra memory cost.
  • Figure 3: The adversarial examples are crafted on WMCA and CASIA-SURF 3DMask by patch attack.
  • Figure 4: Examples of test data in real-world scenarios; a) adversarial 3D face crafted for a face recognition system, b) adversarial 2D glasses crafted for a face anti-spoofing system.
  • Figure 5: Performances under adaptive attacks on WMCA. We design four adaptive objectives to evade both the detector and corrector.

Theorems & Definitions (4)

  • Lemma 1
  • Lemma 2
  • Definition 1
  • Theorem 1