人臉防偽辨識對於人臉辨識系統的安全性至關重要，已經有許多基於卷積神經網路的防偽方法被提出，而且這些方法都表現出了良好的性能。儘管取得了這些成功，但卷積神經網路對於對抗樣本的脆弱性讓這些防偽方法容易受到攻擊。

在這項研究中，對抗性雜訊被用於為幾種防偽方法製作對抗樣本，多種攻擊方法被應用於多幀防偽方法以研究其脆弱性。我們證明即便是傳統方法也有機會可以成功攻擊這些防偽模型。然而，在一些困難的攻擊對象如多幀防偽模型，以這些方法所生成的攻擊圖片在攻擊過程中通常會嚴重失真且容易被人眼識別。由於需要大量的雜訊來欺騙模型，這些雜訊方法可能不適合用於攻擊多幀防偽模型。因此，我們提出了一種新的智能展示攻擊以生成變形圖片來有效地攻擊反偽方法。

我們方法的泛化性透過對四個公開可使用的數據集進行多次實驗來驗證，實驗結果證實我們的方法表現良好，並且使用該方法所產生的攻擊圖片比使用傳統雜訊方法的圖片失真更少。此外，我們證明了使用元學習訓練並具有較強域泛化能力的防偽模型也容易受到這些攻擊。

Face anti-spoofing critically contributes to the security of face recognition systems. Numerous anti-spoofing approaches based on convolutional neural networks (CNNs) have been proposed, and they have shown promising performance. Despite these successes, the vulnerability of CNNs to adversarial examples leaves these anti-spoofing methods vulnerable to attacks.

In this study, adversarial noise is used to craft adversarial examples for several anti-spoofing methods, and various attack methods are applied to investigate the vulnerability of the multi-frame anti-spoofing approach. We demonstrate that even conventional methods can possibly attack these anti-spoofing models successfully. However, in some difficult attack targets such as a multi-frame anti-spoofing model, the attack image generated by these methods is typically heavily distorted during the attack process and can easily be distinguished by human eyes. Because a large amount of noise is needed to deceive the model, these noise methods may be unsuitable for attacking a multi-frame anti-spoofing model. Thus, we proposed a new intelligent face presentation attack approach to generate morph images to effectively attack anti-spoofing approaches.

The generalization of our methodology was validated through several experiments on four publicly available datasets. The experimental results showed that the proposed method performed promisingly, and the attack images generated using this method appeared less distorted than those produced using conventional noise methods. Moreover, we demonstrated that an anti-spoofing model trained using meta-learning and having strong domain generalizability is also vulnerable to these attacks.

摘要 i
Abstract ii
Contents iii
List of Tables iv
List of Figures v
1 Introduction 1
1.1 Motivation 1
1.2 Problem Statement 3
1.3 Contributions 4
1.4 Thesis Organization 5
2 Related Work 6
2.1 Face Anti­Spoofing 6
2.2 Adversarial Noise Attacks 8
2.3 Face Morphing Attacks 10
2.4 Summary 11
3 Proposed Method 13
3.1 Problem Description 13
3.2 Adversarial Noise Attack 15
3.3 Morphing Attack 17
4 Experiments 24
4.1 Databases 24
4.1.1 Idiap REPLAY­ATTACK 24
4.1.2 CASIA Face Anti­Spoofing 25
4.1.3 MSU Mobile Face Spoofing 25
4.1.4 OULU­NPU 25
4.2 Experimental Settings 26
4.3 The Attack Result of Single­Frame Anti­Spoofing 28
4.4 The Attack Result of Multi­Frame Anti­Spoofing 32
4.5 Image Quality Comparison 34
4.6 The Influence of Morphing Attack to Face Verification 37
4.7 The Effect of Gaussian Smooth in Morphing Attack 39
5 Conclusions 41
References 43

[1] Naveed Akhtar and Ajmal Mian. Threat of adversarial attacks on deep learning in computer vision: A survey. IEEE Access, 6:14410–14430, 2018.
[2] Zinelabidine Boulkenafet, Jukka Komulainen, and Abdenour Hadid. Face antispoofing using speeded­up robust features and fisher vector encoding. IEEE Signal Processing Letters, 24(2):141–145, 2016.
[3] Zinelabidine Boulkenafet, Jukka Komulainen, and Abdenour Hadid. Face
spoofing detection using colour texture analysis. IEEE Transactions on Information Forensics and Security, 11(8):1818–1830, 2016.
[4] Zinelabinde Boulkenafet, Jukka Komulainen, Lei Li, Xiaoyi Feng, and Abdenour Hadid. Oulu­npu: A mobile face presentation attack database with realworld variations. In 2017 12th IEEE International Conference on Automatic Face & Gesture Recognition (FG 2017), pages 612–618. IEEE, 2017.
[5] Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp), pages 39–57. IEEE, 2017.
[6] Ivana Chingovska, André Anjos, and Sébastien Marcel. On the effectiveness of local binary patterns in face anti­spoofing. In 2012 BIOSIG­proceedings of the international conference of biometrics special interest group (BIOSIG), pages 1–7. IEEE, 2012.
[7] Naser Damer, Alexandra Mosegui Saladie, Andreas Braun, and Arjan Kuijper. Morgan: Recognition vulnerability and attack detectability of face morphing attacks created by generative adversarial network. In 2018 IEEE 9th International Conference on Biometrics Theory, Applications and Systems (BTAS), pages 1–10. IEEE, 2018.
[8] Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, Jun Zhu, Xiaolin Hu, and Jianguo Li. Boosting adversarial attacks with momentum. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 9185–9193, 2018.
[9] Yinpeng Dong, Tianyu Pang, Hang Su, and Jun Zhu. Evading defenses to transferable adversarial examples by translation­invariant attacks. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 4312–4321, 2019.
[10] Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati,
Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. Robust
physical­world attacks on deep learning visual classification. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 1625–1634, 2018.
[11] Matteo Ferrara, Annalisa Franco, and Davide Maltoni. The magic passport. In IEEE International Joint Conference on Biometrics, pages 1–7. IEEE, 2014.
[12] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
[13] Diego Gragnaniello, Giovanni Poggi, Carlo Sansone, and Luisa Verdoliva. An investigation of local descriptors for biometric spoofing detection. IEEE transactions on information forensics and security, 10(4):849–863, 2015.
[14] Jukka Komulainen, Abdenour Hadid, and Matti Pietikäinen. Context based face anti­spoofing. In 2013 IEEE Sixth International Conference on Biometrics: Theory, Applications and Systems (BTAS), pages 1–8. IEEE, 2013.
[15] Iryna Korshunova, Wenzhe Shi, Joni Dambre, and Lucas Theis. Fast face­swap using convolutional neural networks. In Proceedings of the IEEE International Conference on Computer Vision, pages 3677–3685, 2017.
[16] Alexey Kurakin, Ian Goodfellow, and Samy Bengio. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533, 2016.
[17] Haoliang Li, Wen Li, Hong Cao, Shiqi Wang, Feiyue Huang, and Alex C Kot. Unsupervised domain adaptation for face anti­spoofing. IEEE Transactions on Information Forensics and Security, 13(7):1794–1809, 2018.
[18] Jiadong Lin, Chuanbiao Song, Kun He, Liwei Wang, and John E Hopcroft.
Nesterov accelerated gradient and scale invariance for adversarial attacks. arXiv preprint arXiv:1908.06281, 2019.
[19] Yaojie Liu, Amin Jourabloo, and Xiaoming Liu. Learning deep models for face anti­spoofing: Binary or auxiliary supervision. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 389–398, 2018.
[20] Oeslle Lucena, Amadeu Junior, Vitor Moia, Roberto Souza, Eduardo Valle, and Roberto Lotufo. Transfer learning using convolutional neural networks for face anti­spoofing. In International Conference Image Analysis and Recognition, pages 27–34. Springer, 2017.
[21] Jukka Määttä, Abdenour Hadid, and Matti Pietikäinen. Face spoofing detection from single images using micro­texture analysis. In 2011 international joint conference on Biometrics (IJCB), pages 1–7. IEEE, 2011.
[22] Nicolas Papernot, Ian Goodfellow, Ryan Sheatsley, Reuben Feinman, and
Patrick McDaniel. cleverhans v2. 0.0: an adversarial machine learning library. arXiv preprint arXiv:1610.00768, 10, 2016.
[23] Keyurkumar Patel, Hu Han, and Anil K Jain. Secure face unlock: Spoof detection on smartphones. IEEE transactions on information forensics and security, 11(10):2268–2283, 2016.
[24] Olaf Ronneberger, Philipp Fischer, and Thomas Brox. U­net: Convolutional networks for biomedical image segmentation. In International Conference on Medical image computing and computer­assisted intervention, pages 234–241. Springer, 2015.
[25] Olga Russakovsky, Jia Deng, Hao Su, Jonathan Krause, Sanjeev Satheesh, Sean Ma, Zhiheng Huang, Andrej Karpathy, Aditya Khosla, Michael Bernstein, et al. Imagenet large scale visual recognition challenge. International journal of computer vision, 115(3):211–252, 2015.
[26] Ulrich Scherhag, Christian Rathgeb, Johannes Merkle, Ralph Breithaupt, and Christoph Busch. Face recognition systems under morphing attacks: A survey. IEEE Access, 7:23012–23026, 2019.
[27] Florian Schroff, Dmitry Kalenichenko, and James Philbin. Facenet: A unified embedding for face recognition and clustering. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 815–823, 2015.
[28] Rui Shao, Xiangyuan Lan, Jiawei Li, and Pong C Yuen. Multi­adversarial
discriminative deep domain generalization for face presentation attack detection. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 10023–10031, 2019.
[29] Rui Shao, Xiangyuan Lan, and Pong C Yuen. Regularized fine­grained meta face anti­spoofing. In AAAI, pages 11974–11981, 2020.
[30] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
[31] Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan
Boneh, and Patrick McDaniel. Ensemble adversarial training: Attacks and
defenses. arXiv preprint arXiv:1705.07204, 2017.
[32] Guoqing Wang, Hu Han, Shiguang Shan, and Xilin Chen. Unsupervised adversarial domain adaptation for cross­domain face presentation attack detection. IEEE Transactions on Information Forensics and Security, 16:56–69, 2020.
[33] Qinglong Wang, Wenbo Guo, Kaixuan Zhang, Alexander G Ororbia II, Xinyu Xing, Xue Liu, and C Lee Giles. Learning adversary­resistant deep neural networks. arXiv preprint arXiv:1612.01401, 2016.
[34] Run Wang, Felix Juefei­Xu, Qing Guo, Yihao Huang, Xiaofei Xie, Lei Ma,
and Yang Liu. Amora: Black­box adversarial morphing attack. In Proceedings
of the 28th ACM International Conference on Multimedia, pages 1376–1385,
2020.
[35] Zezheng Wang, Zitong Yu, Chenxu Zhao, Xiangyu Zhu, Yunxiao Qin,
Qiusheng Zhou, Feng Zhou, and Zhen Lei. Deep spatial gradient and temporal depth learning for face anti­spoofing. In Proceedings of the IEEE/CVF
Conference on Computer Vision and Pattern Recognition, pages 5042–5051,
2020.
[36] Zezheng Wang, Chenxu Zhao, Yunxiao Qin, Qiusheng Zhou, Guojun Qi, Jun
Wan, and Zhen Lei. Exploiting temporal and depth information for multi­frame face anti­spoofing. arXiv preprint arXiv:1811.05118, 2018.
[37] Di Wen, Hu Han, and Anil K Jain. Face spoof detection with image distortion analysis. IEEE Transactions on Information Forensics and Security, 10(4):746–761, 2015.
[38] Cihang Xie, Jianyu Wang, Zhishuai Zhang, Yuyin Zhou, Lingxi Xie, and Alan Yuille. Adversarial examples for semantic segmentation and object detection. In Proceedings of the IEEE International Conference on Computer Vision, pages 1369–1378, 2017.
[39] Cihang Xie, Zhishuai Zhang, Yuyin Zhou, Song Bai, Jianyu Wang, Zhou Ren, and Alan L Yuille. Improving transferability of adversarial examples with input diversity. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 2730–2739, 2019.
[40] Jianwei Yang, Zhen Lei, and Stan Z Li. Learn convolutional neural network for face anti­spoofing. arXiv preprint arXiv:1408.5601, 2014.
[41] Zhiwei Zhang, Junjie Yan, Sifei Liu, Zhen Lei, Dong Yi, and Stan Z Li. A face antispoofing database with diverse attacks. In 2012 5th IAPR international conference on Biometrics (ICB), pages 26–31. IEEE, 2012.
[42] I Standard. Information technology—biometric presentation attack detection—part 1: Framework. ISO: Geneva, Switzerland, 2016.
[43] Jiankang Deng, Jia Guo, Niannan Xue, and Stefanos Zafeiriou. Arcface: Additive angular margin loss for deep face recognition. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages
4690–4699, 2019.
[44] Omkar M Parkhi, Andrea Vedaldi, and Andrew Zisserman. Deep face recognition. 2015.
[45] Sefik Ilkin Serengil and Alper Ozpinar. Lightface: A hybrid deep face recognition framework. In 2020 Innovations in Intelligent Systems and Applications Conference (ASYU), pages 23–27. IEEE, 2020.
[46] Yi Sun, Xiaogang Wang, and Xiaoou Tang. Deep learning face representation from predicting 10,000 classes. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 1891–1898, 2014.
[47] Yaniv Taigman, Ming Yang, Marc’Aurelio Ranzato, and Lior Wolf. Deepface: Closing the gap to human­level performance in face verification. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 1701–1708, 2014.
[48] Yousef Atoum, Yaojie Liu, Amin Jourabloo, and Xiaoming Liu. Face antispoofing using patch and depth­based cnns. In 2017 IEEE International Joint Conference on Biometrics (IJCB), pages 319–328. IEEE, 2017.
[49] Bowen Zhang, Benedetta Tondi, and Mauro Barni. Adversarial examples for replay attacks against cnn­based face recognition with anti­spoofing capability. Computer Vision and Image Understanding, 197:102988, 2020.
[50] Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning, pages 1310–1320. PMLR, 2019.
[51] Zihao Liu, Qi Liu, Tao Liu, Nuo Xu, Xue Lin, Yanzhi Wang, and Wujie Wen. Feature distillation: Dnn­oriented jpeg compression against adversarial examples. In 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 860–868. IEEE, 2019.