Defense of Face Presentation Attacks and Adversarial Attacks

Download or read book Defense of Face Presentation Attacks and Adversarial Attacks written by Rui Shao and published by . This book was released on 2021 with total page 168 pages. Available in PDF, EPUB and Kindle. Book excerpt: A significant improvement has been achieved in the visual recognition since the advent of deep convolutional neural networks (CNNs). The promising performance in visual recognition has contributed to many real-world visual applications. Face recognition, as one of the most widely used visual applications, even outperforms the human-level recognition accuracy. However, along with convenience brought by the visual applications such as face recognition, many kinds of attacks targeting at them also emerge. Specifically, face presentation attacks (i.e., print attack, video replay attack, and 3D mask attack) can easily fool many face recognition systems. More generally, adversarial attacks which add crafted imperceptible perturbations to clean images can lead general visual recognition systems into making wrong predictions. Therefore, this thesis focuses on protecting face recognition systems from the face presentation attacks and robustifying general visual recognition systems against the adversarial attacks. Various face presentation attack detection methods have been proposed for 2D attacks (i.e., print attack and video replay attack), but they cannot generalize well to unseen attacks. This thesis firstly focuses on improving the generalization ability of face presentation attack detection from the perspective of the domain generalization. We propose to learn a generalized feature space via a novel multiadversarial discriminative deep domain generalization framework. In this framework, a multi-adversarial deep domain generalization is performed under a dual-force triplet-mining constraint. This ensures that the learned feature space is discriminative and shared by multiple source domains, and thus is more generalized to new face presentation attacks. An auxiliary face depth supervision is incorporated to further enhance the generalization ability. Following adversarial learning based domain generalization, we also propose an adversarial learning based unsupervised domain adaptation (UDA) called Hierarchical Adversarial Deep Domain Adaptation to tackle the distribution mismatch between source and target domain. A Hierarchical Adversarial Deep Network is proposed to jointly optimize the featurelevel and pixel-level adversarial adaptation within a hierarchical network structure, which guides the knowledge from pixel-level adversarial adaptation to facilitate the feature-level adaptation and thus contributes to a better feature alignment. The above multi-adversarial deep domain generalization assumes that there exists a generalized feature space shared by multiple source domains. However, it is difficult to perfectly discover such a feature space. To circumvent this limitation, we further propose a new meta-learning framework called regularized fine-grained meta face presentation attack detection. Instead of searching a shared feature space, this framework trains our model to perform well in the simulated domain shift scenarios, which is achieved by finding generalized learning directions in the meta-learning process. Specifically, the proposed framework incorporates the domain knowledge of face presentation attack detection as the regularization so that meta-learning is conducted in the feature space regularized by the supervision of domain knowledge. Besides, to further enhance the generalization ability of our model, the proposed framework adopts a fine-grained learning strategy that simultaneously conducts meta-learning in a variety of domain shift scenarios in each iteration. Apart from defending 2D face presentation attacks, this thesis also detects 3D mask face presentation attacks. We propose a novel feature learning model to learn discriminative deep dynamic textures for 3D mask face presentation attack detection. A novel joint discriminative learning strategy is further incorporated in the learning model to jointly learn the spatial- and channel-discriminability of the deep dynamic textures. This learning strategy can be used to adaptively weight the discriminability of the learned feature from different spatial regions or channels, which i ensures that more discriminative deep dynamic textures play more important roles in face/mask classification. Besides the detection of various face presentation attacks, we have also studied the defense of adversarial attacks threatening general visual recognition systems. Specifically, we emphasize the necessity of an Open-Set Adversarial Defense (OSAD) mechanism, which defends adversarial attacks under an open-set setting. We propose an Open-Set Defense Network with Clean-Adversarial Mutual Learning (OSDN-CAML) as a solution to the OSAD problem. The proposed network uses an encoder with feature-denoising layers coupled with a classifier to learn a noise-free latent feature representation. Several techniques are further employed for the solution. First, a decoder is utilized to ensure that clean images can be reconstructed from the obtained latent features. Then, self-supervision is used to ensure that the latent features are informative enough to carry out an auxiliary task. Finally, to exploit more complementary knowledge from clean image classification to facilitate feature denoising and search a more generalized local minimum for open-set recognition, we further propose clean-adversarial mutual learning, in which a peer network (classifying clean images) is further introduced to mutually learn with the classifier (classifying adversarial images). In short, the major contributions of this thesis are summarized as follows. A multi-adversarial discriminative deep domain generalization framework is proposed to improve the generalization ability of face presentation attack detection method to unseen attacks, which learns a discriminative and shared feature space among multiple source domains via adversarial learning. An adversarial learning based UDA method named as Hierarchical Adversarial Deep Domain Adaptation is also proposed to adapt the model trained with source data to perform well on target data with different distributions. A regularized fine-grained meta face presentation attack detection method is proposed to train the face presentation attack detection model to learn to generalize well to unseen attacks, which simultaneously conducts metaiv learning in a variety of domain shift scenarios under face presentation attacks. A joint discriminative learning of deep dynamic textures is proposed to capture subtle facial motion differences with spatial- and channel- discriminability for 3D mask presentation attack detection. A new research problem called Open-Set Adversarial Defense (OSAD) is introduced to study the adversarial defense under the open-set setting. An Open-Set Defense Network with Clean-Adversarial Mutual Learning (OSDNCAML) method is proposed as a solution to the OSAD problem, which simultaneously detects open-set samples and classifies known classes in the presence of adversarial noise.