A morph is a combination of two separate facial images and contains identity information of two different people. When used in an identity document, both people can be authenticated by a biometric Face Recognition (FR) system. Morphs can be generated using either a landmark-based approach or approaches based on deep learning such as Generative Adversarial Networks (GAN). In a recent paper, we introduced a \emph{worst-case} upper bound on how challenging morphing attacks can be for an FR system. The closer morphs are to this upper bound, the bigger the challenge they pose to FR. We introduced an approach with which it was possible to generate morphs that approximate this upper bound for a known FR system (white box), but not for unknown (black box) FR systems. In this paper, we introduce a morph generation method that can approximate worst-case morphs even when the FR system is not known. A key contribution is that we include the goal of generating difficult morphs \emph{during} training. Our method is based on Adversarially Learned Inference (ALI) and uses concepts from Wasserstein GANs trained with Gradient Penalty, which were introduced to stabilise the training of GANs. We include these concepts to achieve similar improvement in training stability and call the resulting method Wasserstein ALI (WALI). We finetune WALI using loss functions designed specifically to improve the ability to manipulate identity information in facial images and show how it can generate morphs that are more challenging for FR systems than landmark- or GAN-based morphs. We also show how our findings can be used to improve MIPGAN, an existing StyleGAN-based morph generator.

翻译：形变攻击是指将两张不同人脸图像融合后生成的图像，其同时包含两人的身份信息。当此类图像用于身份证明文件时，生物特征人脸识别系统可能对这两人均予以认证通过。形变图像的生成既可采用基于特征点的方法，也可采用基于深度学习的方法（如生成对抗网络）。在先前的研究中，我们提出了形变攻击对人脸识别系统构成威胁的“最坏情况”上界——越逼近该上界的形变图像，对识别系统造成的挑战越大。我们曾提出一种方法，能够针对已知人脸识别系统生成逼近该上界的形变图像，但该方法无法适用于未知系统。本文提出一种新型形变生成方法，即使在人脸识别系统未知的情况下也能逼近最坏情况形变。核心贡献在于：我们将生成高难度形变图像的目标直接嵌入训练过程。本方法基于对抗学习推理框架，并融合了Wasserstein生成对抗网络及其梯度惩罚训练技术——该技术原为稳定生成对抗网络训练而设计。通过引入这些技术实现训练稳定性的同步提升，我们将其命名为Wasserstein对抗学习推理。采用针对身份信息操控能力优化的损失函数微调后，该方法能生成比基于特征点或其他生成对抗网络方法更具挑战性的形变图像。此外，我们展示了如何将这些研究成果用于改进现有基于StyleGAN的形变生成器MIPGAN。