Confidence Aware Learning for Reliable Face Anti-spoofing

TL;DR

The paper tackles the problem that face anti-spoofing models often emit overly confident predictions for unknown attacks or unseen domains, risking security. It introduces Confidence Aware FAS (CA-FAS), which builds Gaussian distributions in feature space for live and known attacks and uses a Mahalanobis-distance framework to measure prediction confidence, with a MD-based triplet loss to jointly learn the feature extractor and distributions. Confidence is computed as $\mathcal{C}(x) = - \min_p MD{ f(x), N(mu_p, Sigma_p) }$, and decisions are made when $\mathcal{C}(x) \ge \theta_c$, otherwise samples are flagged for manual review; a quantile-based threshold adapts to test data. Across eight datasets with various unknown attacks and domain shifts, CA-FAS demonstrates improved reliability by filtering out low-confidence samples, offering a practical approach for secure deployment in real-world systems.

Abstract

Current Face Anti-spoofing (FAS) models tend to make overly confident predictions even when encountering unfamiliar scenarios or unknown presentation attacks, which leads to serious potential risks. To solve this problem, we propose a Confidence Aware Face Anti-spoofing (CA-FAS) model, which is aware of its capability boundary, thus achieving reliable liveness detection within this boundary. To enable the CA-FAS to "know what it doesn't know", we propose to estimate its confidence during the prediction of each sample. Specifically, we build Gaussian distributions for both the live faces and the known attacks. The prediction confidence for each sample is subsequently assessed using the Mahalanobis distance between the sample and the Gaussians for the "known data". We further introduce the Mahalanobis distance-based triplet mining to optimize the parameters of both the model and the constructed Gaussians as a whole. Extensive experiments show that the proposed CA-FAS can effectively recognize samples with low prediction confidence and thus achieve much more reliable performance than other FAS models by filtering out samples that are beyond its reliable range.

Figures (6)

• Figure 1: The relationship between the traditional binary prediction and the proposed confidence aware prediction. In binary prediction, the model uses a prediction boundary to divide the test data. However, due to unseen scenarios or unknown attacks, the differences between test and training feature distributions can lead to misclassifications, which poses serious risks. In contrast, the confidence aware method sets a confidence threshold to filter out samples beyond the reliable range, ensuring that only the samples with high prediction confidence are subjected to the classifier. The low confidence samples are rejected and passed for manual review, reducing the risk of misclassification.
• Figure 2: The overall training process of the proposed CA-FAS. In the feature space, we construct Gaussian distributions for each training category, i.e., live faces and each known attack, using learnable mean vectors and covariance matrices. We then apply Mahalanobis distance-based triplet optimization to minimize the distance of each sample to its corresponding category's Gaussian distribution and maximize its distance to other Gaussian distributions. Finally, the extracted features are fed into the liveness detection classifier, where the classification cross-entropy loss between the predicted results and the ground truth is calculated.
• Figure 3: The Cumulative Distribution Function (CDF) graph of the prediction confidence from Baseline, SSDG, and CA-FAS. A higher curve indicates overall higher prediction confidence, while a lower curve indicates overall lower prediction confidence.
• Figure 4: The t-SNE tSNE2008 visualizations of the FAS features extracted by Baseline, SSDG, and CA-FAS from the training datasets and two target datasets (SiW and WMCA).
• Figure 5: CA-FAS model's prediction confidence distribution for different types of spoof data. It can be seen that the overall prediction confidence for the mask attacks, which are not included in the training data, is lower than the confidence for print and replay attacks.