面向人脸欺诈检测的对抗攻击与防御方法

Due to the rapid development of machine learning based face recognition, machines obtain higher performance than human. But the face recognition systems are prone to spoofing attacks of photo, video, and 3D mask. To this end, a new pattern recognition system called face spoofing detector have been introduced. Besides, the gradient-based adversarial attack is another way to attack face recognition systems. However, the current adversarial attacks are focused on the face recognizer rather than the face spoofing detector. The practicality of these methods is limited. Based on the current attack methods this program proposes a novel adversarial attack algorithm and two corresponding defend algorithms. They include 1) A joint gradient-based adversarial attack for both the face recognition and the face spoof detection; 2) A robust face spoof detection method based on hidden features; 3) A robust face spoof detection method based on rejecting mechanism. Based on the above theoretical research, some limitations are mitigated. On the attacking side, the problem of ignoring face spoofing detector is solved. On the defending side, the hidden features protect the public algorithm against the white-box attacks. The rejecting mechanism rejects the unseen samples and makes the face spoofing detector safer. The robustness of the face spoofing detector is improved. The safety of the whole system of face recognition + face spoofing detector is guaranteed.

随着基于机器学习的人脸识别技术的迅猛发展，机器已经拥有超过人类的识别率，但易被照片、视频、面具等方式欺骗，故需引入一个新的模式识别系统：人脸欺诈检测器。另一方面，基于梯度的对抗攻击也成为攻击人脸识别系统的另一种新途径。然而，目前的对抗攻击方式单一，即攻击仅针对人脸识别不考虑人脸欺诈检测，而丧失实用性。在此基础之上，本项目的主要研究内容是一种新型对抗攻击算法：基于梯度的人脸识别与人脸欺诈检测联合攻击。此外,本项目从攻击方法展开，还进行了两种对应防御算法的研究：基于特征隐藏保护的人脸欺诈检测防御、基于拒绝机制的人脸欺诈检测防御。基于上述理论研究，从攻击方面解决了目前主流对抗攻击算法忽略人脸欺诈检测问题，从防御角度看，特征隐藏保护可使公开的算法免受白盒攻击的影响，而拒绝机制使欺诈检测器具有拒绝未见样本的能力，从两个层面构建鲁棒人脸欺诈检测算法，进而提高整个人脸识别+人脸欺诈检测联合系统的安全性。

随着基于机器学习的人脸识别技术的迅猛发展，机器已经拥有超过人类的识别率，但易被照片、视频、面具等方式欺骗，故需引入一个新的模式识别系统：人脸欺诈检测器。另一方面，基于梯度的对抗攻击也成为攻击人脸识别系统的另一种新途径。然而，目前的对抗攻击方式单一，即攻击仅针对人脸识别不考虑人脸欺诈检测，而丧失实用性。在此基础之上，本项目的主要研究内容是一种新型对抗攻击算法：基于梯度的人脸识别与人脸欺诈检测联合攻击。此外,本项目从攻击方法展开，还进行了两种对应防御算法的研究：基于特征隐藏保护的人脸欺诈检测防御、基于拒绝机制的人脸欺诈检测防御。基于上述理论研究，从攻击方面解决了目前主流对抗攻击算法忽略人脸欺诈检测问题，从防御角度看，特征隐藏保护可使公开的算法免受白盒攻击的影响，而拒绝机制使欺诈检测器具有拒绝未见样本的能力，从两个层面构建鲁棒人脸欺诈检测算法，进而提高整个人脸识别+人脸欺诈检测联合系统的安全性。