
Principles of Designing Robust Remote Face Anti-Spoofing Systems

Xiang Xu, Tianchen Zhao, Zheng Zhang, Zhihua Li, Jon Wu, Alessandro Achille, Mani Srivastava

TL;DR

This paper analyzes remote face anti-spoofing in cloud-connected verification, highlighting vulnerabilities of single-frame passive systems to physical and digital attacks, including deepfakes and adversarial content. It provides a taxonomy of threats, empirical evaluation across multiple datasets, and demonstrates cross-domain weaknesses. The authors propose design principles spanning model accuracy, robustness, ML-pipeline security, and platform robustness, emphasizing proactive sensing with active sensors to mitigate unseen threats and improve user experience. The work offers practical guidance for building robust remote FAS systems in the AI-generated content era, with broad implications for security pipelines and deployment.

Abstract

Protecting the digital identities of human faces from various attack vectors is paramount, and face anti-spoofing plays a crucial role in this endeavor. Current approaches primarily focus on detecting spoofing attempts within individual frames to detect presentation attacks. However, the emergence of hyper-realistic generative models capable of real-time operation has heightened the risk of digitally generated attacks. In light of these evolving threats, this paper aims to address two key aspects. First, it sheds light on the vulnerabilities of state-of-the-art face anti-spoofing methods against digital attacks. Second, it presents a comprehensive taxonomy of common threats encountered in face anti-spoofing systems. Through a series of experiments, we demonstrate the limitations of current face anti-spoofing detection techniques and their failure to generalize to novel digital attack scenarios. Notably, the existing models struggle with digital injection attacks including adversarial noise, realistic deepfake attacks, and digital replay attacks. To aid in the design and implementation of robust face anti-spoofing systems resilient to these emerging vulnerabilities, the paper proposes key design principles from model accuracy and robustness to pipeline robustness and even platform robustness. In particular, we suggest implementing the proactive face anti-spoofing system using active sensors to significantly reduce the risks from unseen attack vectors and improve the user experience.

Paper Structure (33 sections, 6 figures, 15 tables)

This paper contains 33 sections, 6 figures, 15 tables.

Figures (6)

  • Figure 1: A common workflow of a remote face verification system.
  • Figure 2: The points of threat attack in a biometric system (best viewed in color). The attack can happen anywhere in the biometric system, including the physical and digital worlds. In the physical world (marked in green), attackers can present the victim's photo on a presentation medium or produce an adversarial environment for a biometric system. In the transformed digital world (marked in red) on devices, attackers can hijack the digital content in the data stream. In the server-controlled processing device, attackers can modify or override any part of the processing system that can flip the final decision to bypass the biometric check. In the paper, we trust the protection on the server side and focus only on the discussion of the input from the physical and digital worlds.
  • Figure 3: Example images of the live and attack categories in the SiW, OULU-NPU, and Face Forensics datasets.
  • Figure 4: Adversarial attack illustration by (a) PGD attack and (b) simple black-box attack, in the order of clean spoof image, generated adversarial image, and generated adversarial noise.
  • Figure 5: Illustration of one type of proactive approach: projecting random signals and verifying the signals.
  • ...and 1 more figures