Unknown Presentation Attack Detection with Face RGB Images

October 25, 2018


Because public safety heavily relies on all kinds of biometric identification and authentication systems, such as those used in law enforcement and border control, the Presentation Attack Detection (PAD) problem, also known as spoofing detection, attracts a lot of attention from the biometrics community.

Any flaw that could expose these systems to phony/augmented presentations is unaffordable. Therefore, for high-security applications, human-in-the-loop is essential. Preventing presentation attacks (PAs) via human intervention, on the other hand, is not scalable and error-prone. However, because biometric data is more easily obtained, manufacturing or augmenting artifacts to spoof biometric systems is far easier than before. As a result, PAD solutions are needed to mitigate PA threats to current and future biometric identification systems.

Even though PAD is an open-set classification problem because in real life the possibility of encountering an unknown attack always exists, most existing PAD algorithms treat the problem as a close set binary classification problem, in which both bona fide (BF) and predefined attack presentation instruments are used to train and test the algorithms. They do not, however, detect PAs from other categories of PA instruments that are not included in the training dataset. Therefore, in real-world circumstances, human supervision is still essential to secure biometric systems.


The Unknown PAD (UPAD) problem is challenging because the system must discover new forms of PAs that were not included in the training sample. It is difficult to know what the optimal decision function is for these unknown sorts of PAs, unlike the closed set PAD problem. Using state-of-the-art features, the latest and largest face PAD dataset, and more complex outlier detection methods, we propose a baseline solution and a thorough assessment study for UPAD.

The unknown type of PA samples found by the UPAD algorithm will be utilized to retrain PAD algorithms to detect future PAs, as shown in Figure 1. Rather than depending solely on a pre-trained PAD algorithm, the UPAD algorithm will significantly improve the anti-PA system’s long-term ability to combat PAs.

The proposed UPAD algorithms, like other existing PAD algorithms, are divided into two parts: feature extraction and classification. To detect presentation attacks, outlier detection approaches are used.

LBP is the most popular texture-based feature representation. We follow the feature extraction process used in the baseline Oulu PAD algorithm, in which LBP8,1u2 histogram extracted from HSV and YCbCr channels of the aligned face images are concatenated as a 354-dimensional feature vector, facilitating the comparison between PAD and UPAD performance on the Oulu dataset.

We use both one-class support vector machines (OC-SVM) as our baseline outlier identification approach and learn the feature distribution of genuine presentations, as well as neural network autoencoders (as shown in the figure below) to compare non-generative versus generative models for the UPAD problem.

By solely using bona fide presentations to train the autoencoder, the learned code will only contain information that is relevant for reconstructing bona fide presentations. Therefore, the distinction between bona fide and attack presentations will result in a high reconstruction error for attack presentations.

Experimental Results

The proposed UPAD algorithms are tested on four face PAD datasets: CASIA, Replay-Attack, MSU, and the biggest face PAD dataset to date, the Oulu dataset.  First, we test the algorithm’s performance on an aggregate dataset composed of CASIA, Replay-Attack, and MSU, using the identical inter-database and intra-database protocols described in prior work on the aggregate dataset. Second, we assess the UPAD performance using four newly suggested UPAD protocols on the Oulu dataset, with BF and one type of attack presentation in the training and validation sets and BF and the other type of attack presentation in the testing set.

Table 1 shows how LBP features improve the performance in intra-database testing in terms of the area under the ROC curve (AUC). Nonetheless, RBF SVM achieves the best overall UPAD performance in both intra- and inter- database protocols. In terms of outlier detection-based UPAD methods, the overall performance of OC-SVM and AutoEncoder is equivalent in both protocols.

The details of our evaluation on the Oulu dataset can be found in the paper. The main conclusion from this evaluation is the following. When there is no difference in the illumination conditions between the training and testing data, binary classification methods perform better. However, when the illumination conditions in the testing data differ from those in the training data, our proposed outlier detection methods perform better.