Face anti-spoofing aims to discriminate spoofing face images (e.g., printed photos) from live ones. However, adversarial examples greatly challenge its credibility, since adding some perturbation noise can easily change the predictions. Previous works used adversarial attack methods to evaluate face anti-spoofing performance without any fine-grained analysis of which model architecture or auxiliary feature is vulnerable to the adversary. To handle this problem, we propose a novel framework to expose the fine-grained adversarial vulnerability of face anti-spoofing models, which consists of a multitask module and a semantic feature augmentation (SFA) module. The multitask module can obtain different semantic features for further evaluation, but attacking only these semantic features fails to reflect the discrimination-related vulnerability. We then design the SFA module to introduce the data distribution prior, which provides more discrimination-related gradient directions for generating adversarial examples. Comprehensive experiments show that the SFA module increases the attack success rate by nearly 40% on average. We conduct this fine-grained adversarial analysis on different annotations, geometric maps, and backbone networks (e.g., ResNet). These fine-grained adversarial examples can be used for selecting robust backbone networks and auxiliary features. They can also be used for adversarial training, which makes it practical to further improve the accuracy and robustness of face anti-spoofing models.