PreprintPDF Available
Preprints and early-stage research may not have been peer reviewed yet.

Abstract and Figures

A face spoofing attack occurs when an intruder attempts to impersonate someone who carries a gainful authentication clearance. It is a trending topic due to the increasing demand for biometric authentication on mobile devices, high-security areas, among others. This work introduces a new database named Sense Wax Attack dataset (SWAX), comprised of real human and wax figure images and videos that endorse the problem of face spoofing detection. The dataset consists of more than 1800 face images and 110 videos of 55 people/waxworks, arranged in training, validation and test sets with a large range in expression, illumination and pose variations. Experiments performed with baseline methods show that despite the progress in recent years, advanced spoofing methods are still vulnerable to high-quality violation attempts.
Content may be subject to copyright.
Rafael Henrique Vareto, Araceli Marcia Sandanha, William Robson Schwartz
Smart Sense Laboratory, Department of Computer Science
Universidade Federal de Minas Gerais, Belo Horizonte, Brazil
A face spoofing attack occurs when an intruder attempts to imper-
sonate someone who carries a gainful authentication clearance. It
is a trending topic due to the increasing demand for biometric au-
thentication on mobile devices, high-security areas, among others.
This work introduces a new database named Sense Wax Attack
dataset (SWAX ), comprised of real human and wax figure images
and videos that endorse the problem of face spoofing detection. The
dataset consists of more than 1800 face images and 110 videos of
55 people/waxworks, arranged in training, validation and test sets
with a large range in expression, illumination and pose variations.
Experiments performed with baseline methods show that despite
the progress in recent years, advanced spoofing methods are still
vulnerable to high-quality violation attempts.
Index Termsspoofing, presentation attack, face, wax figures
The term spoofing, also referred to as presentation attack, represents
a legitimate threat for biometric systems. The attack occurs when a
malefactor attempts to pass him/herself off as someone who carries
an advantageous authentication clearance. Intruders regularly em-
ploy falsified data to bypass security procedures and gain illegitimate
access. As a countermeasure, new datasets are regularly released in
the literature as an attempt to address the latest attack nuances and
leverage upcoming researches [1, 2, 3].
The human face may have become the “universal” authentica-
tion biometric for several reasons, such as the increasing distribution
of personal pictures on social networks, spread of surveillance cam-
eras, and convenience to name a few [4]. Most spoofing attacks com-
prise facial pictures from users enrolled in recognition systems since
face images are easily acquired due to their broad availability. A case
in point occurred in China involving scammers posing with wax fig-
ures of prominent executives to lure in around 600K investors and
embezzle almost US$500 million [5]. The low-cost access to face
images contributes to the increase of criminals designing attacks to
be validated as authentic users, turning face spoofing into a popular
way of deceiving people and biometric applications.
This work presents a database comprised of both real human
and wax figure image/video in the interest of endorsing the problem
of face spoofing detection. The proposed database, entitled Sense
Wax Attack dataset (SWAX), is designed to investigate the problem
in which a face media is presented to a system that must determine
whether it categorizes a bona fide (authentic) or a counterfeit (attack)
sample. The goal is not only to deliver a novel spoofing benchmark
by specifying dataset protocols and usage requirements, but also en-
able the development of more robust anti-spoofing systems with the
anticipation of unforeseen wax-based portrait attacks.
Fig. 1: A Korean celebrity on the left and a realistic sculpted wax dummy.
Although several datasets focus on spoofing detection, most
engage in recapturing authentic images or videos in distinct medi-
ums [6, 7, 8] by varying input sensors, attack types and capture
conditions. Only recently have few researchers turned themselves to
modeling emerging attack strategies [9, 10, 11], e.g. silicon masks,
which suggests concealing a suspect’s real appearance or imperson-
ating someone else’s identity. To the best of our knowledge, S WAX is
the only dataset comprising both real and wax-modeled persons up
to the present time. It provides means of studying attacks in uncon-
strained environments as it encompasses significant divergence in
pose, expression, lighting, scene, and camera settings.
The proposed SWAX dataset consists of genuine and counterfeit
samples for all available subjects. As illustrated in Figure 1, the
database contains labeled photographs of characters, celebrities and
public figures, chosen based on a list of waxworks obtained from a
famous chain of wax museums. More precisely, this work aims at
investigating face spoofing detection in realistic scenarios, whither
there is little control over the images acquisition. In contemplation
of fair algorithm comparisons, we provide four protocols for devel-
oping and evaluating algorithms using the SWAX benchmark.
The main contributions of this work are: 1) generation of a pub-
lic set of real human and wax figure media in the wild, indicating that
these faces carry most common variations observed in ordinary sce-
narios and, consequently, represent practical situations; 2) develop-
ment of straightforward baselines, which stand on long-established
techniques in the interest of meeting the requirements of each pro-
posed protocol and guarantee a legitimate comparison among algo-
rithms considering the sort of data they are trained on.
Most existing datasets concentrate either on modeling impersonation
attack strategies or recapturing genuine images and videos on differ-
ent mediums. The former demands a high expertise level since it
requires the manufacturing of realistic masks and, therefore, is an
expensive process. The latter usually involves high-quality cameras
for the sake of capturing deceptive print and video replay attacks.
arXiv:1910.09642v1 [cs.CV] 21 Oct 2019
Fig. 2: Face samples collected from online resources and constituting bona fide (top row) and counterfeit (bottom row) images.
Several face spoofing datasets have been proposed in the last
decade [12, 1, 6]. More recently, Boulkenafet et al. [7] designed
one of the largest mobile-based benchmarks, OULU-NP U, holding
more than four thousand real-access and attack videos captured us-
ing the frontal camera of six mobile devices. Liu et al. [8] intro-
duced SIW, with live and spoof videos of 165 individuals covering
a large range of expression, illumination and pose variations. These
datasets represent situations that fail to generalize well in conditions
where attacks do not proceed from print or replay spoof mediums.
More precisely, they require that algorithms learn whether a medium
corresponds to an attack rather than the individual itself. A way to
make biometric systems robust to other realistic intrusions is to lay
out medium-free presentation attacks, like mask-based attacks.
Few masks-based attacks have also been proposed [13, 9]. Man-
jani et al. [11] propose SMAD, a database containing stretchable
masks under unconstrained environments, allowing actors to speak
and blink, in an attempt to pass on a lifelike sensation. Bhattachar-
jee et al. [3] consider rigid and flexible silicone masks as they release
CS -MAD, a dataset captured using low-cost cameras with the collab-
oration of 14 subjects. The use of masks can restrict natural facial
functions/movements such as smiling, talking and blinking, failing
to proper fit and match real faces. It becomes even more complex
under the need of accurately reproducing another person’s appear-
ance due to the requirement of facial casts. Realistic mask imper-
sonations demand face molds from the subject being modeled and
from the person about to wear the disguise. The process of making
lifelike masks can cost high figures due to its manufacturing com-
plexity and, to make matters worse, real presentation attacks do not
rely on the cooperation of the individual “being cloned”.
There are numerous approaches focusing on print or replay
spoofing attacks. Many methods deal with the design of handcrafted
descriptors and learning algorithms whereas others focus on the
convolutional neural networks trend, described as follows.
There is a myriad of anti-spoofing works in the literature [6, 14,
15]. Valle et al. [16] presented a transfer learning method using a
pre-trained DN N model on static features to recognize photo, video
and mask attacks. Liu et al. [8] combined DNN with RNN to esti-
mate the depth of face images along with rPP G signals to boost the
detection of unauthorized access. Jourabloo et al. [17] decomposed
a spoofing face into noise and face information by modeling the pro-
cess of how the attack is generated from its original live image.
Only recently have researchers turned their attention to fraudu-
lent 3D-mask attacks. Steiner et al. [18] adopted spectral signatures
of material surfaces in the short wave infrared range to distinguish
human skin from other materials, regardless of the hide characteris-
tics. Bhattacharjee et al. [19] used off-the-shelf imaging devices to
detect print and replay intrusions as well as mask-based presentation
attacks near-real-time applications. Many literature methods end up
being restricted to specific datasets domains, especially when cam-
eras have comparable capture quality. However, they usually fail to
achieve good results on cross-dataset evaluations [14, 20, 8].
Realistic wax-made sculptures are susceptible to the same limita-
tions found in silicon masks. However, the former tends to be more
faithful to actual human traits and, consequently, present greater
chances of deceiving biometric systems than masks. They can also
be as portable as masks since presentation attacks may require ei-
ther face portraits or busts instead of full-body figures. From this
perspective, we propose the Sense Wax Attack dataset (S WAX)1.
The SWAX database is compiled from unrestrained online re-
sources and consists of characters, celebrities and public figure im-
ages and videos to whom wax dummies have been sculpted into.
The database contains 33 female and 22 male individuals. It con-
sists of 1,812 images and 110 videos of 55 people/figures, arranged
in training, validation and test sets. More precisely, each subject
holds at least 20 authentic still images and a minimum of 10 coun-
terfeit images. All motion and still pictures are manually captured
under uncontrolled scenarios, formed by uncooperative individuals
and distinct camera viewpoints.
Figure 2 points up the main aspects of the proposed database,
depicting authentic and attack samples, respectively. Bona fide in-
dividual samples also incorporate human appearance alterations due
to the natural aging process as pictures are collected without any
sort of age restraint. Some subjects samples also present accessories
like spectacles or hats, and some male individuals may even have
mustaches or beards. Consequently, there is a significant variation
in facial expressions, illumination, pose, scene, camera types and
imaging conditions.
The proposed dataset comprises mutually exclusive sets, which
indicates that no subject identity contained in the training set can be
made available in the validation or the test sets simultaneously. The
same applies to validation and test sets, suggesting that alike subjects
should not come out in distinct subsets. For development purposes,
the proposed dataset encompasses independent randomly generated
splits for 10-fold cross validation in an attempt to escape unfairly
algorithm biases and expose overfitting occurrences. In addition, the
data presented in the SWAX dataset should be used as is, according
to the provided training, evaluation and test sets.
3.1. Evaluation Protocols
The following paragraphs specify the evaluation protocols guide-
line and set the proper manipulation of training, validation and test
collections. These sets are characterized by the corresponding sub-
ject/figure identity in which each face picture2is presented as either
bona fide (authentic) or counterfeit (attack) sample. The four proto-
cols3are detailed in the following subsections.
1The SWAX dataset will be released upon paper acceptance.
2The word “picture” refers to still images and videos.
3Protocol 01 follows the unsupervised paradigm whereas the remaining ones adhere
to the supervised learning task.
3.1.1. Protocol 01: Unsupervised, with additional data
Real-world biometric applications are inclined to anticipate all sorts
of illegal intrusions and undergo attacks of distinct nature, which
are unknown to the training stage. However, unpredictable attack
characteristics require a notable generalization potential that is not
usually represented in supervised and multi-class classification tech-
niques as they tend to become too specific to some particular attacks.
It is pertinent to handle spoofing detection problems with one-
class-based techniques when labels are not available. Alternate un-
supervised strategies comprehend autoencoders [17], clustering [21]
and domain adaptation [22] algorithms. One-class classification can
be defined as a special case of unsupervised learning where only
the class comprising authentic face pictures is well characterized by
training data instances. It implies that counterfeit pictures are not
known at training time but may emerge at test time. In essence, hav-
ing all picture samples sharing identical labels in the target variable
is analogous to being unlabeled seeing that there is no discriminative
information about their class names [23].
For the sake of following the unsupervised protocol appropri-
ately, the following conditions shall apply:
Procedures claimed to be unsupervised cannot make use of
presentation attack samples at the training stage, being re-
stricted to authentic samples only.
There should be no parameters carrying bona fide or counter-
feit labels, not to mention any other relevant information such
as file names or singular identifiers.
Approaches can neither benefit from “beforehand informa-
tion” concerning the number of samples included in each
class nor use the label distribution inherent to training and
test sets.
Supplementary samples, outside of S WAX database, are al-
lowed in cases where they depict bona fide individuals only
and should not be composed of hand-labeled data or infor-
mation indicating whether pictures are authentic or comprise
presentation attacks.
3.1.2. Protocol 02: Restricted, without additional data
The second protocol is in consonance with the supervised learning
task, in which there is access to target variables for a set of training
data. Each face picture is provided with one out of two categories:
bona fide or counterfeit class. These two labels represent ground-
truth information that favor the model in encountering the best-fitted
mapping function to guarantee good predictions about “future” pic-
ture presentations. That is, authentic and attack samples not listed
in the training set to provide more accurate guidance on how well
approaches generalize to unseen data.
In contrast to the unsupervised paradigm, this protocol admits
information indicating whether a picture is authentic or consists of
an attack. Still, it dismisses any type of annotation or data from
outside SWAX database, including supplementary picture samples,
external tools like facial landmark detectors and alignment methods
learned on separate pictures, or feature extractors trained on other
data sources. Such external algorithms must be unsupervised, and
the data they operate on must be entirely within SWAX database’s
training sets. In other words, authentic/attack training labels pro-
vided in protocol 02 are authorized to be used along with external
algorithms, provided that they satisfy the requirements below:
Algorithms under this protocol are not allowed to use supple-
mentary data, either to identify presentation attacks or per-
form any kind of picture preprocessing.
Validation and test sets are exclusive to their own purposes
and cannot be employed to learn auxiliary methods.
Researchers cannot rely on supplementary labeled data, such
as manual face segmentation or facial landmark annotation.
3.1.3. Protocol 03: Unrestricted, with no-label additional data
Differently from the first two protocols, which restrain investigators
and developers in such a way they must employ either no-label or
SWAX training data alone, protocol 03 acknowledges the exploitation
of additional data sources in the interest of improving an algorithm’s
precision. Actually, the main distinction between protocols 02 and
03 is that the latter supports the adoption of SWAX independent data
if and only if they do not consist of bona fide or counterfeit labels.
The external training data may encompass genuine or fraudu-
lent face samples, but the annotation data must be limited to labeled
or segmented face components, for instance, mouth contour and eye
corners to name a few. Auxiliary algorithms proposed for feature de-
scription, face detection and face alignment, even though having the
possibility of being tuned on non-SWAX face samples, are legitimate
as we understand that outside data and methods used exclusively for
no-spoofing reasons is significantly different from using supplemen-
tary data/methods to learn spoofing detection classifiers, deserving
an exclusive category. Therefore, this protocol grants permission to
utilizing feature extractors and alignment algorithms that have been
developed for completely unrelated purposes.
The third protocol is distinguished from the others as it is sub-
jected to the following conditions:
Outside data should not consist of individuals included in
SWAX database.
External pictures cannot hold corresponding information in-
dicating whether they are genuine or fraudulent samples.
Additional pictures can be labeled with keypoints or segments
for the sake of designing preprocessing algorithms.
Non-SWAX annotations cannot present information that may
accredit the formation of authentic or attack face pictures.
3.1.4. Protocol 04: Totally Unrestricted
Supplementary labeled data play an important role in machine
learning algorithms as it qualifies biometric algorithms to identify
a broader variety of spoofing patterns. On the contrary previously
described protocols, protocol 04 endorses the use of additional pic-
ture samples regardless of the data annotation provided. The totally
unrestricted pattern is the most permissive protocol as it admits
outside datasets, external feature extractors and other methods that
have been built on independent visual data as long as they adhere to
the subsequent requirements:
Supplementary genuine and fraudulent pictures in which their
corresponding identity is not available in the SWAX database.
External face samples may include annotated keypoints, at-
tributes, segments as well as information carrying bona fide
or counterfeit labels.
Protocol 04 admits cross-dataset experiments in the interest of
assessing the generalization capability of algorithms and increas-
ing their performance. In consequence, researchers are allowed to
avoid SWAX samples, using external data only in the training stage,
but compelled to evaluate the designed approaches on the provided
testing splits. The idea of combining multiple datasets provides im-
proved statistical power and enhanced classification ability on differ-
ent domains, turning an algorithm more robust to diversified attacks.
3.2. Evaluation Metrics
Evaluation metrics are employed in order to point out a model’s per-
formance. For the SWAX database, we select two different metrics:
the Receiver Operating Characteristic and the standardized ISO/IEC
30107-3 assessment mechanisms for biometric systems.
The IEC 30107-3 designates a particular set of metrics for
supervised and unsupervised paradigms [24]. They are denom-
inated Attack Presentation Classification Error Rate, APC ER =
i=1 (1 Resi); and Bona Fide Presentation Classification
Error Rate, BPCER =1
i=1 (Resi).VP A indicates the num-
ber of spoofing attacks whereas VBF expresses the total number of
authentic presentations. Resireceives the value 1when the i-th
probe video presentation is categorized as an attack and 0if labeled
as bona fide presentation. AP CE R and BPCER resemble False Ac-
ceptance and False Rejection Rates, traditionally employed in the
literature when assessing binary classification methods.
The Average Classification Error Rate (ACE R) summarizes the
overall system performance as it comprehends the mean of APCER
and BP CE R at the decision threshold determined on the validation
set [25]. Although not used in this work, researchers can also con-
sider the Receiver Operating Characteristic (ROC) and its associated
Area Under Curve (AUC) [26] for the unsupervised task.
This section analyzes the performance of some methods on the
SWAX benchmark and also details the employed feature descriptors,
additional dataset and straightforward spoofing baselines.
4.1. External Datasets
Protocol 01 and 04 authorize researchers to incorporate external
data. We select LF W [27] database, initially designed for studying
the problem of unconstrained face recognition, to compose the un-
supervised analysis. LF W is compatible with S WAX’s first protocol
as it only comprises face images of distinct public figures, having
no incidence of waxwork models. MF SD [6] satisfies the totally
unrestricted protocol requirements as it provides authentic/attack
label information for the training stage.
4.2. Feature Descriptors
We select GLCM [28] and LB P [29] for the extraction of visual fea-
tures in lower dimensional spaces. GL CM features are computed with
directions θ∈ {0,45,90,135}degrees, distance d∈ {1,2}, 16 bins
and six texture properties: contrast, dissimilarity, homogeneity, en-
ergy, correlation, and angular second moment. They are obtained
from each image’s corresponding Fourier transform in the frequency
domain [14]. L BP information comprises 256 bins, a radius equal to
1, and eight points arranged in a 3×3matrix. They are taken from
each image’s color band after being converted from RGB into H SV
and YCRCB[30]. ALL refers to experiments in which GL CM and LBP
descriptors are extracted and concatenated.
4.3. Baselines
As showed in Table 1, some approaches have been picked out from
literature and employed as baselines. WS VM [31] is a classifica-
tion algorithm that provides solutions for non-linear classification
in open-set scenarios. For the unsupervised paradigm, we combine
one-class WS VM with different feature descriptors.
Table 1:APCE R and BPCER results (%) on SWAX’s protocols. Supplementary
datasets are depicted between parenthesis.
Prot. Method APC ER B PCE R ACE R
GLC M+ WSV M 85.8±3.65 20.2±3.93 53.0±3.79
LBP +W SVM 84.2±4.92 11.4±2.15 47.8±3.53
ALL +W SVM 89.9±3.10 11.0±4.26 50.5±3.68
ALL +W SVM (LFW )83.6±4.38 16.2±5.32 49.9±4.85
RHYTHM 57.8±12.1 41.0±8.84 49.5±10.5
ALL +E PLS 34.6±1.75 20.6±2.13 27.6±1.94
ALL +E SVM 46.0±2.12 19.9±2.10 33.0±2.11
ALIG N+RHYTHM 51.1±5.24 43.2±4.86 47.1±5.05
ALIG N+A LL+ EPL S 32.4±1.68 19.8±1.25 26.1±1.46
ALIG N+A LL+ ESV M 44.9±3.29 22.0±3.40 33.5±3.34
DE-SP OO FING 13.6±6.20 67.6±11.9 40.6±9.07
ALL +E PLS (MFS D)32.1±1.21 20.1±1.41 26.1±1.31
ALL +E SVM (MFS D)47.9±1.75 17.6±1.11 32.7±1.43
RHYTHM [14] searches for frequency domain artifacts as it is
trained and tested on SWAX ’s second and third protocols in favor
of distinguishing counterfeit from valid images. Since Protocol 03
admits external data and methods as long as they are not designed
for spoofing purposes, additional algorithms can be engaged in
preprocessing tasks. ALI GN [32] is a DNN-based face alignment
method that iteratively improves the locations of the facial land-
marks estimated in previous stages. Such alignment algorithms
tend to improve biometric systems performance due to carefully
positioning subject faces into a canonical pose. For Protocol 04,
DE-SPO OFI NG [17] performs a cross-dataset evaluation as it is
trained on OU LU -NP U dataset [7] and then aims to estimate deep
spoof noises from SWAX probe face samples.
We propose an embedding of PLS [33] and S VM [34] classifiers,
entitled EP LS and ESV M, respectively. The embedding is learned
on random subsets of the training set to create an array of classi-
fiers, guaranteeing a balanced division of bona fide (positive class)
and counterfeit (negative class) samples within each classification
model. At test time the method projects a probe image onto all
trained classifiers and computes the ratio of the number of positive
responses attained to the total number of classification models. If
most classifiers return positive responses, it implies that the face im-
age is likely to be an authentic sample, or a spoofing attack, other-
Evaluated algorithms provide an insight into the performance
of countermeasure methods when confronted with wax figure im-
ages. Experiments in Table 1 show that advanced spoofing methods
are still vulnerable to high-quality violation attempts, demanding re-
searchers to deliver more accurate biometric systems. The attained
results are not satisfactory and reveal that face anti-spoofing has a
large room for improvement despite the significant progress in re-
cent years.
This work comprises a public benchmark of real human and wax
figure images and videos, entitled Sense Wax Attack dataset, de-
veloped for face anti-spoofing purposes. The database consists of
different protocols, cross validation splits and evaluation metrics to
operate fair comparisons among different algorithms. Results show
that wax figures can be employed in pursuance of bypassing biomet-
ric systems and obtain illegitimate access. Therefore, there is a lot
to improve when it comes to wax-based face spoofing attacks. We
hope that with the advent of this dataset researchers will consider
new sorts of spoofing attacks as a motivation to delivering robust
methods to the challenging area of spoofing detection.
[1] Ivana Chingovska, Andr´
e Anjos, and S´
ebastien Marcel, “On
the effectiveness of local binary patterns in face anti-spoofing,
in BIOSIG, 2012.
[2] Allan Pinto, Helio Pedrini, William Robson Schwartz, and An-
derson Rocha, “Face spoofing detection through visual code-
books of spectral temporal cubes,” TIP, 2015.
[3] Sushil Bhattacharjee, Amir Mohammadi, and S´
ebastien Mar-
cel, “Spoofing deep face recognition with custom silicone
masks,” in BTAS, 2018.
[4] Sandeep Kumar, Sukhwinder Singh, and Jagdish Kumar, “A
comparative study on face spoofing attacks, in ICCCA, 2017.
[5] Shenzhen Daily, “6 arrested for pyramid sales scam,” 2012.
[6] Di Wen, Hu Han, and Anil K Jain, “Face spoof detection with
image distortion analysis,” TIFS, 2015.
[7] Zinelabinde Boulkenafet, Jukka Komulainen, Lei Li, Xiaoyi
Feng, and Abdenour Hadid, “Oulu-npu: A mobile face pre-
sentation attack database with real-world variations, in FG,
[8] Yaojie Liu, Amin Jourabloo, and Xiaoming Liu, “Learning
deep models for face anti-spoofing: Binary or auxiliary super-
vision,” in CVPR, 2018.
[9] Siqi Liu, Baoyao Yang, Pong C Yuen, and Guoying Zhao,
“A 3d mask face anti-spoofing database with real world vari-
ations,” in CVPRW, 2016.
[10] Akshay Agarwal, Daksha Yadav, Naman Kohli, Richa Singh,
Mayank Vatsa, and Afzel Noore, “Face presentation attack
with latex masks in multispectral videos, in CVPRW, 2017.
[11] Ishan Manjani, Snigdha Tariyal, Mayank Vatsa, Richa Singh,
and Angshul Majumdar, “Detecting silicone mask-based pre-
sentation attack via deep dictionary learning,” TIFS, 2017.
[12] Zhiwei Zhang, Junjie Yan, Sifei Liu, Zhen Lei, Dong Yi, and
Stan Z Li, “A face antispoofing database with diverse attacks,
in ICB, 2012.
[13] Nesli Erdogmus and S´
ebastien Marcel, “Spoofing in 2d face
recognition with 3d masks and anti-spoofing with kinect,” in
BTAS, 2013.
[14] Allan Pinto, William Robson Schwartz, Helio Pedrini, and An-
derson de Rezende Rocha, “Using visual rhythms for detecting
video-based facial spoof attacks,” TIFS, 2015.
[15] Lei Li, Xiaoyi Feng, Zinelabidine Boulkenafet, Zhaoqiang Xia,
Mingming Li, and Abdenour Hadid, “An original face anti-
spoofing approach using partial convolutional neural network,
in IPTA, 2016.
[16] Eduardo Valle and Roberto Lotufo, “Transfer learning us-
ing convolutional neural networks for face anti-spoofing, in
ICIAR, 2017.
[17] Amin Jourabloo, Yaojie Liu, and Xiaoming Liu, “Face de-
spoofing: Anti-spoofing via noise modeling,” in ECCV, 2018.
[18] Holger Steiner, Sebastian Sporrer, Andreas Kolb, and Norbert
Jung, “Design of an active multispectral swir camera system
for skin detection and face verification, Journal of Sensors,
[19] Sushil Bhattacharjee and S´
ebastien Marcel, “What you can’t
see can help you-extended-range imaging for 3d-mask pad, in
BIOSIG, 2017.
[20] Zinelabidine Boulkenafet, Jukka Komulainen, and Abdenour
Hadid, “Face spoofing detection using colour texture analysis,”
TIFS, 2016.
[21] Olegs Nikisins, Amir Mohammadi, Andr´
e Anjos, and
ebastien Marcel, “On effectiveness of anomaly detection
approaches against unseen presentation attacks in face anti-
spoofing,” in ICB, 2018.
[22] Haoliang Li, Wen Li, Hong Cao, Shiqi Wang, Feiyue Huang,
and Alex C Kot, “Unsupervised domain adaptation for face
anti-spoofing,” TIFS, 2018.
[23] Wei Liu, Gang Hua, and John R Smith, “Unsupervised one-
class learning for automatic outlier removal, in CVPR, 2014.
[24] “Information technology - biometric presentation attack detec-
tion,” Tech. Rep., ISO/IEC JTC 1/SC 37 Biometrics, 2017.
[25] Z Boulkenafet, J Komulainen, Z Akhtar, A Benlamoudi,
D Samai, SE Bekhouche, A Ouafi, F Dornaika, A Taleb-
Ahmed, L Qin, et al., “A competition on generalized software-
based face presentation attack detection in mobile scenarios,”
in IJCB, 2017.
[26] Anil Jain, Lin Hong, and Sharath Pankanti, “Biometric identi-
fication,” ACM, 2000.
[27] Gary B Huang, Marwan Mattar, Tamara Berg, and Eric
Learned-Miller, “Labeled faces in the wild: A database
forstudying face recognition in unconstrained environments,
in WFRLF, 2008.
[28] Robert M Haralick, Karthikeyan Shanmugam, et al., “Textural
features for image classification,” TSMC, 1973.
[29] Audrey Ledoux, Olivier Losson, and Ludovic Macaire, “Color
local binary patterns: compact descriptors for texture classifi-
cation,” Journal of Electronic Imaging, 2016.
[30] Zinelabidine Boulkenafet, Jukka Komulainen, and Abdenour
Hadid, “Face anti-spoofing based on color texture analysis, in
ICIP, 2015.
[31] Walter J Scheirer, Lalit P Jain, and Terrance E Boult, “Proba-
bility models for open set recognition,” PAMI, 2014.
[32] Marek Kowalski, Jacek Naruniec, and Tomasz Trzcinski,
“Deep alignment network: A convolutional neural network for
robust face alignment, in CVPRW, 2017.
[33] Roman Rosipal and Nicole Kr¨
amer, “Overview and recent ad-
vances in partial least squares, in ISOPW, 2005.
[34] Ingo Steinwart and Andreas Christmann, Support vector ma-
chines, Springer Science & Business Media, 2008.
ResearchGate has not been able to resolve any citations for this publication.
Conference Paper
Full-text available
A face spoofing attack occurs when an intruder attempts to impersonate someone with a desirable authentication clearance. To detect such intrusions, many researchers have dedicated their efforts to study visual liveness detection as the primary indicator to block spoofing violations. In this work, we contemplate low-power devices through the combination of Fourier transforms, different classification methods, and low-level feature descriptors to estimate whether probe samples correspond to spoofing attacks. The proposed method has low-computational cost and, to the best of our knowledge, this is the first approach associating features extracted from both spatial and frequency domains. We conduct experiments with embeddings of Support Vector Machines and Partial Least Squares on recent and well-known datasets under same and cross-database settings. Results show that, even though devised towards resource-limited single-board computers, our approach is able to achieve significant results, outperforming state-of-the-art methods.
Conference Paper
Full-text available
We investigate the vulnerability of convolutional neural network (CNN) based face-recognition (FR) systems to presentation attacks (PA) performed using custom-made silicone masks. Previous works have studied the vulnerability of CNN-FR systems to 2D PAs such as print-attacks, or digital-video replay attacks, and to rigid 3D masks. This is the first study to consider PAs performed using custom-made flexible silicone masks. Before embarking on research on detecting a new variety of PA, it is important to estimate the seriousness of the threat posed by the type of PA. In this work we demonstrate that PAs using custom silicone masks do pose a serious threat to state-of-the-art FR systems. Using a new dataset based on six custom silicone masks, we show that the vulnerability of each FR system in this study is at least 10 times higher than its false match rate. We also propose a simple but effective presentation attack detection method, based on a low-cost thermal camera.
Conference Paper
Full-text available
While face recognition systems got a significant boost in terms of recognition performance in recent years, they are known to be vulnerable to presentation attacks. Up to date, most of the research in the field of face anti-spoofing or presentation attack detection was considered as a two-class classification task: features of bona-fide samples versus features coming from spoofing attempts. The main focus has been on boosting the anti-spoofing performance for databases with identical types of attacks across both training and evaluation subsets. However, in realistic applications the types of attacks are likely to be unknown, potentially occupying a broad space in the feature domain. Therefore, a failure to generalize on unseen types of attacks is one of the main potential challenges in existing anti-spoofing approaches. First, to demonstrate the generalization issues of two-class anti-spoofing systems we establish new evaluation protocols for existing publicly available databases. Second, to unite the data collection efforts of various institutions we introduce a challenging Aggre-gated database composed of 3 publicly available datasets: Replay-Attack, Replay-Mobile and MSU MFSD, reporting the performance on it. Third, considering existing limitations we propose a number of systems approaching a task of presentation attack detection as an anomaly detection, or a one-class classification problem, using only bona-fide features in the training stage. Using less training data, hence requiring less effort in the data collection, the introduced approach demonstrates a better generalization properties against previously unseen types of attacks on the proposed Aggregated database.
Conference Paper
Full-text available
In recent years, software-based face presentation attack detection (PAD) methods have seen a great progress. However, most existing schemes are not able to generalize well in more realistic conditions. The objective of this competition is to evaluate and compare the generalization performances of mobile face PAD techniques under some real-world variations, including unseen input sensors, presentation attack instruments (PAI) and illumination conditions , on a larger scale OULU-NPU dataset using its standard evaluation protocols and metrics. Thirteen teams from academic and industrial institutions across the world participated in this competition. This time typical liveness detection based on physiological signs of life was totally discarded. Instead, every submitted system relies practically on some sort of feature representation extracted from the face and/or background regions using hand-crafted, learned or hybrid descriptors. Interesting results and findings are presented and discussed in this paper.
Conference Paper
Full-text available
The vulnerabilities of face-based biometric systems to presentation attacks have been finally recognized but yet we lack generalized software-based face presentation attack detection (PAD) methods performing robustly in practical mobile authentication scenarios. This is mainly due to the fact that the existing public face PAD datasets are beginning to cover a variety of attack scenarios and acquisition conditions but their standard evaluation protocols do not encourage researchers to assess the generalization capabilities of their methods across these variations. In this present work, we introduce a new public face PAD database, OULU-NPU, aiming at evaluating the generalization of PAD methods in more realistic mobile authentication scenarios across three covariates: unknown environmental conditions (namely illumination and background scene), acquisition devices and presentation attack instruments (PAI). This publicly available database consists of 5940 videos corresponding to 55 subjects recorded in three different environments using high-resolution frontal cameras of six different smartphones. The high-quality print and videoreplay attacks were created using two different printers and two different display devices. Each of the four unambiguously defined evaluation protocols introduces at least one previously unseen condition to the test set, which enables a fair comparison on the generalization capabilities between new and existing approaches. The baseline results using color texture analysis based face PAD method demonstrate the challenging nature of the database.