
Two-stream Convolutional Networks for Multi-frame Face Anti-spoofing

Face anti-spoofing is an important task for protecting the security of face recognition. Most previous work either struggles to capture discriminative and generalizable features or relies on auxiliary information that is unavailable in most industrial products. Inspired by work on video classification, we propose an efficient two-stream model to capture the key differences between live and spoof faces, which takes multiple frames and RGB differences as input respectively. Feature pyramid modules with two opposite fusion directions and pyramid pooling modules are applied to enhance feature representation. We evaluate the proposed method on the SiW, Oulu-NPU, CASIA-MFSD and Replay-Attack datasets. The results show that our model achieves state-of-the-art results on most of the datasets' protocols with a much smaller parameter size.



1 Introduction

Face authentication is increasingly used in daily life for tasks such as phone unlocking, access authentication and face payment, owing to its convenience and efficiency. However, without protective measures, face authentication systems are vulnerable to spoofing attacks with printed photos, replayed videos and forged masks. Face anti-spoofing, which can defend against the above-mentioned attacks efficiently, is therefore vital to the security of face recognition systems [9, 31].

Figure 1: The pipeline of our proposed face anti-spoofing network. The original frames are first warped to align with the initial frame. On the left is the RGB difference branch, which takes stacked RGB difference images as input. It has a feature pyramid module and a pyramid pooling module to extract robust temporal features. On the right is the multi-frame branch, which consists of a CNN-LSTM model, an opposite feature pyramid module (FPM) and a pyramid pooling module (PPM). The final prediction is determined by combining the two branches’ prediction scores.

The core problem in face anti-spoofing is how to capture features that discriminate between genuine faces and attackers. The goal is to predict whether a face in a video belongs to a genuine person, which can be treated as a binary classification task. However, a typical classification model cannot meet the requirements of face anti-spoofing, since the features needed vary in granularity. Besides, speed is an important factor in industry, so the lightness of a model is considered a significant attribute to evaluate.

Previous methods have made some progress in recent years. A typical approach tackles face anti-spoofing from the spatial aspect. In our view, the differences in the spatial dimension lie in two aspects: texture and distribution pattern. Most prior works focus on texture and regard it as a noise extraction task. However, with low-quality face images or videos, the texture feature is indistinct and hard to distinguish, especially with a deep model, which loses much detail information because of down-sampling. Some methods divide the image into several patches to focus more on texture, but this breaks the distribution of the original image and increases computational complexity. The distribution pattern includes perspective deformation and spoofing artifacts caused by screen sloping and by distortion when warping a printed paper or photo. It can only be observed through the full face image.

Another perspective is to capture differences over time. These methods consider the motion patterns in genuine and spoofing videos to be different. For a genuine face, the motion cues are mainly expression changes such as eye blinking and mouth movement, whereas the temporal information in print or photo attacks is mainly caused by hand trembling or material reflection; there are also expression changes in replay attacks. The motion cues are very valuable for distinguishing valid access from attempted attacks, and the relative motion between the face region and the background can also be helpful. This kind of method usually needs multiple frames and is expected to perform better than methods using a single frame. Unlike normal video classification, however, we need more detailed temporal features because of the subtle movement in face verification videos. Besides, for a replay attack, the temporal information is similar to that of live faces except for some perspective changes due to the depth of the screen, so more fine-grained temporal features are needed.

Some multi-modal methods show superiority in defending against replay and print attacks, benefiting from multi-dimensional data such as depth images or IR images. In practice, this kind of data is hard to obtain considering cost and application conditions. For the sake of accessibility and cost, we focus on the ubiquitous 2D-camera case, which is available in almost all mobile devices and easy to acquire. A vital problem for anti-spoofing with RGB images is over-fitting, since the original frame contains full information about face appearance, which is valuable for face recognition but redundant for face anti-spoofing. Some works try to break the image distribution and then recover it to ignore face appearance, but they also lose the distortion and perspective information that may be helpful for recognizing hack faces. Some [13] regard hack images as live faces plus noise, model the noise and then classify by it. But the noise is hard to model and depends heavily on image quality.

In this paper, we form a lightweight two-stream model to handle the above problems. Our model consists of two branches: a multi-frame branch and an RGB difference branch. The former takes multiple RGB images as input, pays attention to detailed spatial information through a feature pyramid module and a pyramid pooling module, and uses LSTMs to capture temporal features. The latter takes RGB difference images as input. By applying a feature pyramid module with the opposite direction and a pyramid pooling module, it can capture fine-grained temporal features and avoid over-fitting. The feature enhancement modules make the two branches more powerful individually and complementary to each other. By combining the two branches, with a much smaller parameter size, the model reaches competitive accuracy compared with state-of-the-art methods under most evaluation metrics, without using auxiliary data or a heavy model.

Our contributions can be summarized as follows:

  • We design a novel CNN-LSTM model to capture discriminative spatial-temporal features.

  • We form a branch that takes RGB differences as input to learn the key differences between genuine faces and attacks and to decrease over-fitting.

  • We propose to use feature pyramid modules with different fusion directions and pyramid pooling modules in a two-stream network to obtain robust spatial and temporal features for both branches.

  • We conduct extensive experimental analysis on the SiW, Oulu-NPU, CASIA-MFSD and Replay-Attack datasets. The results show that our proposed network achieves better performance than other state-of-the-art methods on most of the datasets’ protocols, without auxiliary data and with a much smaller parameter size.

2 Related Work

Face anti-spoofing using texture information. Texture-based analysis exploits the fact that a real face has a different texture and illumination pattern from a plastic or LCD surface. Hand-crafted features such as LBP [22], HoG [14] and SIFT [20] are used to capture texture and are then classified by an SVM. Wen et al. [9] considered four types of surface deformation, namely specular reflection, blurriness features, chromatic moment and color diversity, to generate the feature vector, and used an SVM classifier to classify the output feature as live or not. These methods have several drawbacks, including the need for hand-designed features and limited performance. Since convolutional neural networks have proved effective in classification tasks, some CNN-based methods try to extract more robust spatial features to distinguish real from spoofed faces. Li [16] utilized a VGGNet [26] pre-trained on ImageNet [23] to capture deep robust features, and used an SVM to classify. Nagpal et al. [19] evaluated the performance of several popular CNN structures, including ResNet [11] and GoogLeNet [28], in face anti-spoofing. They also validated the influence of choosing different hyper-parameters for training. Tu et al. [29] proposed a CNN framework using sparsely labeled data from the target domain to learn features that are invariant across domains for face anti-spoofing, which improved the generalization ability across different kinds of databases.

Face anti-spoofing using spatial-temporal information. Motion-based face anti-spoofing has also been investigated by several researchers, exploiting the fact that most face attacks use stills, so the motion pattern can be used to identify a live subject. Wang et al. [33] proposed a depth-supervised structure with an OFF block and a ConvGRU module to uncover facial depths and their unique motion patterns from the temporal information of monocular frame sequences. Liu et al. [18] proposed a novel CNN-RNN structure for end-to-end learning of the depth map and rPPG signal. They improved model generalization by training with supervision from the depth map and rPPG signal. Li et al. [15] utilized a 3D CNN which takes both spatial and temporal information into consideration. They reduce over-fitting with a specifically designed data augmentation method and a generalization regularization. Tu [30] leveraged an LSTM with the extracted features as input to capture the temporal dynamics in videos. To make fine-grained motions easier to perceive during training, Eulerian motion magnification is used as preprocessing to enhance the facial expressions exhibited by individuals, and an attention mechanism is embedded in the LSTM so that the model learns to focus selectively on the dynamic frames across the video clips. Yang et al. [35] exploited a novel spatial-temporal anti-spoofing network which can automatically attend to discriminative regions and makes it possible to analyze the behavior of the network. They conducted extensive experiments and showed that the proposed model can distinguish spoof faces by extracting features from a variety of regions to seek out subtle evidence such as borders, moire patterns and reflection artifacts.

Two-stream neural network. Face anti-spoofing is essentially a classification task, and it can be regarded as video classification when the input is a video. Therefore, many ideas from video classification can be applied to our task. Simonyan et al. [25] first used a two-stream neural network for action recognition in video, which combines spatial and temporal networks using single-frame and multi-frame optical flow inputs, and obtained competitive performance. TSN [32] utilized two-stream ConvNets to classify videos and investigated the influence of different input modalities, including RGB images, RGB difference, optical flow fields, and warped optical flow fields. They observed that the combination of RGB images and RGB differences can boost recognition performance since they encode complementary information, and that RGB difference can serve as a low-quality, high-speed alternative for motion representation. Sun et al. [27] introduced a novel compact motion representation for video action recognition, named Optical Flow guided Feature (OFF), which enables the network to distill temporal information through a fast and robust approach. The OFF, which is derived from the definition of optical flow, provides theoretical support for using the difference between two frames. By directly calculating pixel-wise spatiotemporal gradients of the deep feature maps, the OFF can be embedded in any existing CNN-based video action recognition framework at only a light additional cost.

3 Our Approach

In the following, we describe the proposed method for face anti-spoofing. The pipeline of our method is shown in Fig. 1. Our algorithm consists of a multi-frame branch and an RGB difference branch. The multi-frame branch is a CNN-LSTM structure that extracts spatial and temporal features, and the RGB difference branch is a classification model that extracts temporal features and decreases over-fitting. We first present the preprocessing of video data, then the multi-frame model, and finally the RGB difference model.

3.1 Preprocess

In face authentication, we are given a video clip containing a certain face. After frames are extracted from a video, there may be much background information that interferes with inference. We first use a face detector to locate key points in the face images. In common face anti-spoofing methods, the face region is then cropped and fed into a classification model. However, we observed that if the face moves dynamically, it is hard to distinguish the key temporal features, since both genuine and fake faces can generate sweeping movements. If we first align faces to eliminate the variations in spatial appearance, we can focus on the subtle motion cues in facial expression changes. We normalise the face geometry according to the initial frame in a video by choosing anchor points, whose positions are fixed even when the facial expression changes. For a point , its registered value is


where is the origin image and is the weight decided by anchor points.

After registration, we compute a crop box from the first frame’s key points, and all following frames are cropped to a face region using this bounding box. Then a fixed number of key frames are located roughly by computing the difference deviation. All frames in a video are divided into stacks, and the first frame is defined as the onset frame. In the first stack we find the frame that has the greatest change from the onset frame, i.e. the largest difference deviation, and regard this frame as the new onset frame. We can collect frames (including the first frame) which change dynamically to capture more temporal information.

Figure 2: The spatial feature extractor based on the MobileNetV3-Small model in the multi-frame branch. The blue blocks are the original feature maps at different levels, and the yellow parts are outputs of the feature pyramid module. Green blocks stand for the final spatial feature maps processed by the pyramid pooling module. The arrows indicate the feature spread direction.

3.2 Multi-frame branch

The multi-frame branch takes as input multiple frames selected from a video by our sampling logic. For each frame, we utilize a MobileNetV3-Small [12] neural network as the spatial feature extractor. As discussed above, detailed features (texture) and global features (distribution) are both important for defending against spoofing faces. We therefore add a feature pyramid module and a pyramid pooling module to capture hierarchical and multi-granularity spatial features, enhancing the representation of key features in face anti-spoofing, as shown in Fig. 2.

In our view, the output feature map of the original network may ignore some important details because of down-sampling. As a result, we spread robust deep features from shallow layers to deep layers which may encode rich detail information by applying a feature pyramid module [17]. In our network, we up-sample the coarser-resolution feature map by a factor of and merge it with the corresponding bottom-up map by element-wise addition, where convolution is applied to adjust the number of channels. We perform this operation once after each down-sampling. Since there are five down-sampling layers in our network, we obtain five spatial feature representations for each frame at different levels.

After obtaining hierarchical features, we need more context information to perceive the global distribution of a frame. For each feature map, a pyramid pooling module [38] is applied to harvest different sub-region representations by average pooling with varying-size pooling kernels in a few strides to get four bins with size of , , and respectively, followed by up-sampling and concatenation layers to form the final feature representation, which carries multi-granularity information including both local and global context features.

Figure 3: The temporal feature extractor in the multi-frame branch. Features obtained from the same layers are fed into a Bi-LSTM to encode temporal features in a certain receptive field. All temporal features are then concatenated to compose a final feature. A fully-connected layer is applied to predict scores for distinguishing live and spoofing faces.

For one frame, we have obtained its robust and fine-grained spatial features at five levels. We utilize a CNN-LSTM structure to concatenate multiple frames’ features at each level as a sequence. As shown in Fig. 3, feature maps at the same level are concatenated and fed into a Bi-LSTM to model temporal correlation across multiple frames at different levels. Their outputs are concatenated again into a final layer which encodes hierarchical spatial-temporal features. A fully-connected layer and a softmax activation function follow, which determine the face anti-spoofing prediction of the multi-frame branch.

3.3 RGB difference branch

The multiple frames extracted from a video represent its spatial and motion cues, but sometimes less is more. For face anti-spoofing, too much information means more risk of over-fitting. Inspired by two-stream methods in video classification [25, 32], we also design another branch which takes RGB differences as input. In most face authentication conditions, the video clips are relatively short and have a fixed background, so RGB differences between two consecutive frames help us focus efficiently on motion information generated in faces. Since we have applied registration in preprocessing, the RGB differences contain motion cues without static spatial distribution information, which avoids over-fitting to human faces or background.

Figure 4: The structure of our proposed RGB difference branch, which is based on the MobileNetV3-Small network. The blue, yellow and green blocks represent original features, FPM features and PPM features respectively. The feature spread direction is opposite to that of the multi-frame branch. The five PPM features are fed directly into a fully-connected layer without an LSTM to obtain fine-grained features.

After concatenating multiple RGB difference images, we feed them into another modified MobileNetV3-Small neural network, whose main difference from the multi-frame branch is the feature pyramid module. Unlike the RGB frames branch, whose features from deeper layers are robust since they encode abundant information, RGB difference images carry less information, and we need more shallow features because detailed features are more important than semantic features for motion cues. Therefore, we modify the feature pyramid module to spread information from shallow layers to deeper layers. As shown in Fig. 4, after each layer’s down-sampling, we down-sample the larger-resolution feature map by max pooling and merge it with the corresponding top-down map by element-wise addition, where convolution is applied to adjust the number of channels.

The feature pyramid module is followed by a pyramid pooling module to capture multi-granularity features. Since the RGB difference inputs already encode motion information, these features are concatenated directly without LSTMs, and then fed into a fully-connected layer and a softmax activation function to predict scores for live faces and spoof faces.

3.4 Models training

Benefiting from different input modalities and feature fusion directions, the two branches are highly complementary. We train them independently. For the multi-frame branch, we use a baseline model trained on ImageNet as initialization, and then fine-tune all parameters on the training set. We also use a pretrained RGB model to initialize the RGB difference network, whose training process differs in two ways. First, we do not need to standardize inputs as the multi-frame branch does, since they already have a normal distribution around zero. Second, we need to modify the weights of the first convolution layer of the pretrained model to handle the RGB difference input. We average the weights across the RGB channels and replicate this average by the number of input channels of the RGB difference network. After training, the final prediction is determined by the sum of the two branches’ prediction scores.
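The input path of the RGB difference branch described in Sections 3.1, 3.3 and 3.4 (key-frame sampling, difference stacking, first-layer weight adaptation) can be sketched as follows. This is an added example, not the authors' code: it uses NumPy arrays instead of PyTorch tensors, takes "difference deviation" to be the standard deviation of the pixel-wise difference to the onset frame, and the function names, clip and weights are constructed for illustration.

```python
import numpy as np


def select_key_frames(frames, num_stacks):
    """Pick the first frame plus one frame per stack (the sampling step).

    frames: array (T, H, W, 3) of aligned, cropped face frames.
    Assumption: "difference deviation" is the standard deviation of the
    pixel-wise difference between a frame and the current onset frame.
    """
    frames = np.asarray(frames, dtype=np.float32)
    if len(frames) < num_stacks + 1:
        raise ValueError("need at least num_stacks + 1 frames")
    onset = 0
    picked = [onset]
    # Frames after the first are split into contiguous stacks.
    for stack in np.array_split(np.arange(1, len(frames)), num_stacks):
        deviation = [np.std(frames[i] - frames[onset]) for i in stack]
        onset = int(stack[int(np.argmax(deviation))])  # new onset frame
        picked.append(onset)
    return picked


def rgb_difference_stack(key_frames):
    """Stack differences of consecutive key frames along the channel axis.

    key_frames: (K, H, W, 3) -> (3 * (K - 1), H, W), channels first.
    No mean/std standardisation is applied: the differences are already
    centred near zero.
    """
    key_frames = np.asarray(key_frames, dtype=np.float32)
    diffs = key_frames[1:] - key_frames[:-1]        # (K-1, H, W, 3)
    diffs = diffs.transpose(0, 3, 1, 2)             # (K-1, 3, H, W)
    return diffs.reshape(-1, *diffs.shape[2:])      # (3*(K-1), H, W)


def adapt_first_conv(rgb_weight, in_channels):
    """Turn pretrained (out, 3, k, k) weights into (out, in_channels, k, k).

    The RGB kernels are averaged over the channel axis and the average is
    replicated once per input channel of the RGB difference network.
    """
    rgb_weight = np.asarray(rgb_weight, dtype=np.float32)
    if rgb_weight.ndim != 4 or rgb_weight.shape[1] != 3:
        raise ValueError("expected weights of shape (out, 3, k, k)")
    mean_kernel = rgb_weight.mean(axis=1, keepdims=True)   # (out, 1, k, k)
    return np.repeat(mean_kernel, in_channels, axis=1)


def demo():
    """Run the three steps on a constructed 9-frame clip of 8x8 RGB frames."""
    pattern = np.arange(8 * 8 * 3, dtype=np.float32).reshape(8, 8, 3) / 192.0
    # Constructed per-frame motion amplitude; a real clip holds aligned faces.
    amplitude = np.array([0, 3, 1, 3.5, 2, 6, 2, 6, 5.5], dtype=np.float32)
    frames = amplitude[:, None, None, None] * pattern
    picked = select_key_frames(frames, num_stacks=4)
    stack = rgb_difference_stack(frames[picked])
    # Constructed stand-in for pretrained first-layer weights (16 filters).
    pretrained = np.linspace(-1, 1, 16 * 3 * 3 * 3, dtype=np.float32)
    pretrained = pretrained.reshape(16, 3, 3, 3)
    adapted = adapt_first_conv(pretrained, in_channels=stack.shape[0])
    return picked, stack, pretrained, adapted


if __name__ == "__main__":
    picked, stack, pretrained, adapted = demo()
    print("key frames:", picked)
    print("difference input:", stack.shape, "first conv:", adapted.shape)
```

With five key frames the difference input has 12 channels, so the adapted first layer holds 12 copies of each filter's channel-averaged kernel.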

4 Experiment

4.1 Datasets and Metrics

We evaluate the proposed model on four public face anti-spoofing databases: Replay-Attack [8], CASIA-MFSD [37], Oulu-NPU [5] and SiW [18]. The Replay-Attack database [8] for face spoofing consists of 1300 video clips of photo and video attack attempts to 50 clients, under different lighting conditions, and includes print and replay attacks. CASIA-MFSD [37] contains 50 genuine subjects, and fake faces are made from high-quality recordings of the genuine faces. Three fake face attacks are implemented: warped photo attack, cut photo attack and video attack. Each subject has 12 videos (3 genuine and 9 fake), and the final database contains 600 video clips. The Oulu-NPU [5] face presentation attack detection database consists of 4950 real access and attack videos. The presentation attack types considered in the Oulu-NPU database are print and video-replay, generated by different printers and display devices. SiW [18] provides live and spoof videos from 165 subjects. For each subject, we have 8 live and up to 20 spoof videos, in total 4,478 videos. All videos are at 30 fps, about 15 seconds long, and in 1080P HD resolution. The live videos are collected in four sessions with variations of distance, pose, illumination and expression. The spoof videos are collected with several attacks such as printed paper and replay.

We employ the ACER and HTER to evaluate performance [3], where ACER is the mean value of the Attack Presentation Classification Error Rate (APCER) and the Bona Fide Presentation Classification Error Rate (BPCER), and the HTER is half of the sum of the False Rejection Rate (FRR) and the False Acceptance Rate (FAR).
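The following added example (not from the paper) computes these metrics for a two-stream detector whose final score is the sum of the two branches' live scores, as described in Section 3.4. The samples are constructed, and two evaluation conventions are assumptions that the page does not state: the decision threshold is fixed on a development set at the equal-error point, and APCER is taken as the worst per-attack-type rate, while FAR for HTER is pooled over all attacks.

```python
# Constructed samples: (label, multi-frame live score, RGB-difference live score).
# Scores are binary fractions so that sums and rates are exact floats.
DEV = [
    ("live", 0.875, 0.875), ("live", 0.75, 0.875),
    ("live", 0.75, 0.625), ("live", 0.5, 0.375),
    ("print", 0.125, 0.125), ("print", 0.25, 0.25),
    ("replay", 0.375, 0.375), ("replay", 0.625, 0.5),
]
TEST = [
    ("live", 0.875, 0.75), ("live", 0.625, 0.625),
    ("live", 0.5, 0.5), ("live", 0.75, 0.5),
    ("print", 0.125, 0.25), ("print", 0.5, 0.25),
    ("print", 0.25, 0.125), ("print", 0.375, 0.25),
    ("replay", 0.625, 0.625), ("replay", 0.375, 0.5),
    ("replay", 0.75, 0.5), ("replay", 0.25, 0.5),
]


def fuse(samples):
    """Sum the two branches' live scores, giving one fused score per video."""
    return [(label, multi + diff) for label, multi, diff in samples]


def rates(fused, threshold):
    """Error rates when a video is accepted as live if score >= threshold."""
    live = [score for label, score in fused if label == "live"]
    by_type = {}
    for label, score in fused:
        if label != "live":
            by_type.setdefault(label, []).append(score >= threshold)
    if not live or not by_type:
        raise ValueError("need both live and attack samples")
    # BPCER / FRR: share of live videos rejected as attacks.
    bpcer = sum(score < threshold for score in live) / len(live)
    # APCER per attack type: share of that type's attacks accepted as live.
    apcer_by_type = {t: sum(hits) / len(hits) for t, hits in by_type.items()}
    apcer = max(apcer_by_type.values())  # assumption: worst attack type
    accepted = [hit for hits in by_type.values() for hit in hits]
    far = sum(accepted) / len(accepted)  # pooled over all attack videos
    return {
        "APCER_by_type": apcer_by_type,
        "APCER": apcer,
        "BPCER": bpcer,
        "ACER": (apcer + bpcer) / 2,
        "FAR": far,
        "FRR": bpcer,
        "HTER": (far + bpcer) / 2,
    }


def eer_threshold(fused):
    """Threshold among the observed scores where |FAR - FRR| is smallest."""
    best_gap, best_threshold = None, None
    for candidate in sorted({score for _, score in fused}):
        result = rates(fused, candidate)
        gap = abs(result["FAR"] - result["FRR"])
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold = gap, candidate
    return best_threshold


def evaluate(dev=DEV, test=TEST):
    """Fix the threshold on the development set, then score the test set."""
    threshold = eer_threshold(fuse(dev))
    return threshold, rates(fuse(test), threshold)


if __name__ == "__main__":
    threshold, result = evaluate()
    print("threshold:", threshold)
    for name, value in result.items():
        print(name, value)
```

On this constructed data the replay attacks are the weak spot: the pooled HTER looks better than the ACER, which is driven by the worst attack type.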

4.2 Implementation details

Our model is implemented with the PyTorch framework. After face detection for each frame, we resize each face region to the fixed size of . We use the stochastic gradient descent algorithm to optimize our proposed network with an initial learning rate of 0.01. The batch sizes of the two branches are 8 and 16 respectively, and the number of frames extracted from a video is 10 for intra testing and 5 for cross testing, i.e. is and respectively, and for longer video clips we can sample more frames. During training, spatial and temporal data augmentation methods are used: random clip and crop for spatial augmentation and frame resampling for temporal augmentation.

The parameter size of the whole two-stream model is only 1.73 M, since we remove the last fully-connected layers of the original MobileNetV3-Small. Its lightness and effectiveness allow it to be deployed widely in practice, for example on mobile devices, and bring a better user experience.

4.3 Intra Testing

Intra testing means evaluating our method with testing data from the same database as the training data. We carried out intra testing on the Oulu-NPU [5] and SiW [18] databases. The ACER is used to report quantitative results on the SiW database. There are three protocols defined by SiW: Protocol 1 is designed to evaluate the generalization of face PAD methods under different face poses and expressions. Protocol 2 evaluates the generalization capability across mediums of the same spoof type. Protocol 3 is designed to evaluate the performance on unknown PA. We follow their rules to train and test. For evaluation, we compare our algorithm with recent excellent methods including Auxiliary [18], OFFB [33] and STASN [35], which are all CNN-LSTM-like structures. Among these methods, we have the lightest model and do not need any auxiliary data. Auxiliary utilized the depth map and rPPG signal as auxiliary supervision. OFFB used the depth map as the label for training. STASN introduced a heavy model for training and inference. Table 1 shows the comparative results on the SiW database. On protocols 1 and 2, our method performs best among these state-of-the-art methods, showing its great generalization under different face expressions and mediums. The disadvantage of our model is that it cannot handle unknown presentation attacks well, because we lack auxiliary data to capture differences from different perspectives.

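| Prot. | Method | ACER (%) |
|---|---|---|
| 1 | Auxiliary [18] | 3.58 |
| 1 | OFFB [33] | 0.73 |
| 1 | STASN [35] | 1.0 |
| 1 | Ours | 0.26 |
| 2 | Auxiliary [18] | 0.57 ± 0.69 |
| 2 | OFFB [33] | 0.15 ± 0.14 |
| 2 | STASN [35] | 0.28 ± 0.05 |
| 2 | Ours | 0.15 ± 0.21 |
| 3 | Auxiliary [18] | 8.31 ± 3.80 |
| 3 | OFFB [33] | 3.10 ± 0.81 |
| 3 | STASN [35] | 12.1 ± 1.50 |
| 3 | Ours | 14.76 ± 3.43 |
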
Table 1: Comparative results of intra test on SiW database.

The Oulu-NPU dataset defines four protocols: Protocol 1 is designed to evaluate the generalization under previously unseen environmental conditions, namely illumination and background scene. Protocol 2 aims to evaluate the effect of attacks created with different printers or display devices. Protocol 3 is used to study the effect of input camera variation. Protocol 4 considers the generalization of face PAD methods across previously unseen environmental conditions, attacks and input sensors. Following the required procedure, we show the results in Table 2, compared with Auxiliary [18], STASN [35], OFFB [33], MixedFASNet [4] and GRADIANT [4]. Our proposed method achieves two best and two second-best ACER scores across the four protocols among all state-of-the-art methods, which indicates that a light model without auxiliary supervision can achieve competitive performance in intra testing.

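| Prot. | Method | APCER (%) | BPCER (%) | ACER (%) |
|---|---|---|---|---|
| 1 | Auxiliary [18] | 1.6 | 1.6 | 1.6 |
| 1 | GRADIANT [4] | 1.3 | 12.5 | 6.9 |
| 1 | OFFB [33] | 2.5 | 0 | 1.3 |
| 1 | STASN [35] | 1.2 | 2.5 | 1.9 |
| 1 | Ours | 0.9 | 1.5 | 1.2 |
| 2 | Auxiliary [18] | 2.7 | 2.7 | 2.7 |
| 2 | GRADIANT [4] | 3.1 | 1.9 | 2.5 |
| 2 | MixedFASNet [4] | 9.7 | 2.5 | 6.1 |
| 2 | OFFB [33] | 1.7 | 2.0 | 1.9 |
| 2 | STASN [35] | 4.2 | 0.3 | 2.2 |
| 2 | Ours | 3.3 | 0.9 | 2.1 |
| 3 | Auxiliary [18] | 2.7 ± 1.3 | 3.1 ± 1.7 | 2.9 ± 1.5 |
| 3 | GRADIANT [4] | 2.6 ± 3.9 | 5.0 ± 5.3 | 3.8 ± 2.4 |
| 3 | MixedFASNet [4] | 5.3 ± 6.7 | 7.8 ± 5.5 | 6.5 ± 4.6 |
| 3 | OFFB [33] | 5.9 ± 1.9 | 5.9 ± 3.0 | 5.9 ± 1.0 |
| 3 | STASN [35] | 4.7 ± 3.9 | 0.9 ± 1.2 | 2.8 ± 1.6 |
| 3 | Ours | 3.6 ± 1.6 | 1.4 ± 2.3 | 2.5 ± 1.0 |
| 4 | Auxiliary [18] | 9.3 ± 5.6 | 10.4 ± 6.0 | 9.5 ± 6.0 |
| 4 | GRADIANT [4] | 5.0 ± 4.5 | 15.0 ± 7.1 | 10.0 ± 5.0 |
| 4 | OFFB [33] | 14.2 ± 8.7 | 4.2 ± 3.8 | 9.2 ± 3.4 |
| 4 | STASN [35] | 6.7 ± 10.6 | 8.3 ± 8.4 | 7.5 ± 4.7 |
| 4 | Ours | 12.7 ± 7.5 | 5.2 ± 9.3 | 8.9 ± 3.1 |
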
Table 2: Comparative results of intra test on Oulu-NPU database.

4.4 Cross Testing

Cross testing aims to assess the generalization potential of the model. We use Replay-Attack [8] and CASIA-MFSD [37], which have different distributions, to test the generalization ability of our model. Each of the two databases is split into training and testing parts, and we select a training set and a testing set from different sources to train and test. We compare our method with other face anti-spoofing algorithms, including traditional solutions such as LBP-TOP [21], Color Texture [7] and Spectral cubes [1], and some recent excellent methods such as Auxiliary [18], OFFB [33] and STASN [35]. Table 3 shows the results of cross testing. Our model’s performance exceeds all state-of-the-art methods by a large margin in cross testing. It indicates the generalization of our proposed model is the best so far.

| Method | Train: CASIA-MFSD, Test: Replay-Attack | Train: Replay-Attack, Test: CASIA-MFSD |
|---|---|---|
| Motion [21] | 50.2 | 47.9 |
| LBP-TOP [21] | 49.7 | 60.6 |
| Motion-Mag [2] | 50.1 | 47.0 |
| Spectral cubes [1] | 34.4 | 50.0 |
| LBP [6] | 47.0 | 39.6 |
| Color Texture [7] | 30.3 | 37.7 |
| CNN [34] | 48.5 | 45.5 |
| Auxiliary [18] | 27.6 | 28.4 |
| FaceDs [13] | 28.5 | 41.1 |
| OFFB [33] | 17.5 | 24.0 |
| STASN [35] | 31.5 | 30.9 |
| Ours | 8.0 | 22.3 |

Table 3: Comparative results of cross test on CASIA-MFSD and Replay-attack database.

4.5 Ablation study

Modules for enhancing feature representation. To enhance the ability to capture spatial and temporal features, we apply feature pyramid modules and pyramid pooling modules in both branches to fuse features. For each module, we test its influence on the two branches. We also run experiments on the direction of feature fusion in the feature pyramid module for the two branches. Protocol 1 of Oulu-NPU and a cross test are used to compare their overall performance. As shown in Table 4, both branches benefit from the feature pyramid and pyramid pooling modules. While for the multi-frame branch, a top-down structure for feature fusion is more powerful. In contrast, the RGB difference branch prefers the bottom-up fashion to capture more detailed features.

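| Branch | FPM direction | PPM | ACER (%) | HTER (%) |
|---|---|---|---|---|
| 1 | - | - | 5.1 | 28.3 |
| 1 | top-down | - | 8.1 | 35.5 |
| 1 | bottom-up | - | 4.2 | 21.6 |
| 1 | bottom-up | ✓ | 2.0 | 11.0 |
| 2 | - | - | 8.5 | 36.0 |
| 2 | bottom-up | - | 7.6 | 24.8 |
| 2 | top-down | - | 6.8 | 20.2 |
| 2 | top-down | ✓ | 5.9 | 16.3 |
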
Table 4: Ablation study results of feature enhancement modules. Branch 1 is multi-frame based model, and Branch 2 for RGB difference.

Choice of branches. Since our model consists of two sub-models which capture different features, we validate the performance of each of them. We also develop three further branches: a single-frame RGB branch that takes only one frame as input, to validate our ability to extract temporal features; a single origin frame branch that takes one full frame without cropping as input, to try to increase the ability to distinguish attacks that can be easily recognized from background interaction information; and an optical flow branch, to compare its performance with RGB difference. The single-frame branch has the same model structure except for the LSTMs; instead, the output features are directly concatenated and fed into a fully-connected layer, just as in the RGB difference branch. The single origin branch is a MobileNetV3-Small network without modification, since it aims to learn global context information rather than detailed features such as texture. We extract optical flow with the TVL1 algorithm [36] for the optical flow branch, which has the same network structure as the RGB difference branch. Each branch is trained individually. Different combinations of them are then tested to represent multi-dimensional features.

As shown in Table 5, the multi-frame branch performs best in both intra testing and cross testing among single branches, which verifies its ability to capture comprehensive features. Among the single-frame based branches, the single frame and single origin frame branches each perform better under a different test setting. The optical flow branch performs poorly compared with RGB difference. We attribute this to the fact that RGB difference retains more detailed information after subtracting two frames directly, which may be more suitable for face anti-spoofing. The combination of the multi-frame branch and the RGB difference branch boosts the performance of intra and cross testing, showing that they are complementary for the face anti-spoofing task. Besides, integrating any other branch does not increase accuracy, since it may encode redundant information compared with the two-stream model.

Branch1  Branch2  Branch3  ACER (%)  HTER (%)
single   -        -        5.2       28.2
origin   -        -        7.4       16.2
multi    -        -        2.0       11.0
diff     -        -        5.9       16.3
flow     -        -        18.4      35.3
single   multi    -        2.8       22.1
single   diff     -        3.8       20.2
multi    diff     -        1.2       8.0
multi    flow     -        5.2       12.1
single   multi    diff     1.2       15.6
origin   multi    diff     3.2       13.6
Table 5: Comparative results of combining different branches.

Exploration Study. To better understand the face anti-spoofing task and help its development, we discuss here some methods we have tested. Five improvements, either ones that may be deemed useful for similar tasks or original ones, are implemented on our baseline model to enhance generalization: image patch, convLSTM, denoising, style transfer and branch supervise.

Image patch based methods take parts of a frame or feature map as inputs and model spatial-temporal features on each individual part. The final inference is determined by the concatenated output features of all parts, which breaks the original distribution to avoid over-fitting and focuses on detailed features.

ConvLSTM models temporal features along each spatial kernel, which can be regarded as capturing spatial-temporal features directly [24], but it introduces many extra parameters compared with a typical LSTM. In the convLSTM based model, we use it to replace the original LSTM to try to capture more fine-grained spatial-temporal features.

The denoising method regards attacks as live faces plus noise [13]. We implement it in our own fashion by adding an encoder-decoder module in front of the classification model to restore the original input; the noise pattern is calculated as the difference between the original image and the restored image. The final prediction is obtained by a baseline model that takes the noise image as input.

In the field of style transfer, the Gram matrix is widely used to represent the style of an image [10], which is in effect its texture. We already know that genuine and fake faces differ in texture. In our implementation, therefore, the Gram matrices of shallow feature maps are computed and contribute to the output feature as a complement.
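The Gram-matrix texture descriptor described above, as an added example that is not the paper's code. Two fixed 2x2 gradient kernels stand in for learned shallow filters (an assumption), and all patches, including the box-blurred one standing in for a recaptured face, are constructed.

```python
# Added illustration, not the paper's code. The two 2x2 gradient kernels stand in
# for learned shallow filters (assumption); all patches are constructed sample data.

def correlate(img, k):
    """Valid 2-D cross-correlation of an H x W image with a small kernel."""
    kh, kw = len(k), len(k[0])
    return [[sum(img[y + i][x + j] * k[i][j] for i in range(kh) for j in range(kw))
             for x in range(len(img[0]) - kw + 1)]
            for y in range(len(img) - kh + 1)]

def box_blur(img):
    """3x3 integer box blur: a crude stand-in for detail lost in recapture."""
    return [[v // 9 for v in row] for row in correlate(img, [[1] * 3] * 3)]

def gram(fmaps):
    """C x C matrix of channel inner products, averaged over spatial positions."""
    flat = [[v for row in ch for v in row] for ch in fmaps]
    n = len(flat[0])
    return [[sum(a * b for a, b in zip(fi, fj)) / n for fj in flat] for fi in flat]

KERNELS = [[[-1, 1], [-1, 1]],    # horizontal gradient
           [[-1, -1], [1, 1]]]    # vertical gradient

def shallow_features(img):
    """One feature map per kernel, all of the same spatial size."""
    return [correlate(img, k) for k in KERNELS]

def texture_descriptor(img):
    """Upper triangle of the Gram matrix: [G00, G01, G11]."""
    g = gram(shallow_features(img))
    return [g[i][j] for i in range(len(g)) for j in range(i, len(g))]

def diagonal_patch(sign=1, size=10):
    """Constructed patch: bright diagonal lines every 4 pixels; sign=-1 mirrors them."""
    return [[200 if (x + sign * y) % 4 == 0 else 50 for x in range(size)]
            for y in range(size)]

def rotate180(fmaps):
    """Move every feature to a different position, identically in all channels."""
    return [[row[::-1] for row in ch[::-1]] for ch in fmaps]

if __name__ == "__main__":
    sharp = diagonal_patch()
    print("sharp   ", texture_descriptor(sharp))
    print("mirrored", texture_descriptor(diagonal_patch(-1)))
    print("blurred ", texture_descriptor(box_blur(sharp)))
```

The descriptor is unchanged when features are moved around the map, its cross term G01 flips sign when the line direction is mirrored, and the blurred patch keeps the same structure at a small fraction of the energy.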

Branch supervise uses RGB difference to generate spatial attention masks at different levels. We aim to use these masks to make the multi-frame branch focus more on positions where changes take place; they are therefore applied to the corresponding layers of the multi-frame branch while training it.

Among the five methods, the first two are single-frame based models, the next two take multiple frames as inputs, and the last one is an improvement for integrating the two-stream model. We compare each of them with its respective baseline model. The backbone network for these experiments is the modified MobileNetV3-Small model of our proposed method. The training hyper-parameters and data augmentation strategy are all the same as above. For each improvement we also ran many experiments on the choice of hyper-parameters and sub-modules, and we show the results of only one typical model for each.

Table 6 shows the results of these exploration methods. For improvements of the multiple-frame branch, the image patch based method incurs a loss of accuracy. We nevertheless draw some rules for image patch based methods from our experiments. First, the image patch based method is useful if we use only the output of a single layer as the final feature representation; we therefore infer that a multi-layer structure has an influence similar to that of image patches because of its multi-scale receptive fields. Second, for computing efficiency it is better to divide feature maps in a shallower layer than to divide the image itself. The convLSTM implementation also decreases accuracy for face anti-spoofing, which may be due to over-fitting caused by its many extra parameters.

The denoising and style transfer methods both improve performance in cross testing, and the style transfer method also boosts performance in intra testing, at the expense of parameter size. We conclude that extracting texture features and distribution information simultaneously in the spatial dimension can bring improvements.

Finally, the branch supervise method is designed to let the RGB difference branch help the multi-frame branch increase its generalization ability. However, the results show that the two-stream model does not benefit from this fusion method. Many experimental results tell us that the independence of the two models is important, since they may encode complementary and different information, and an over-fitting branch tends to lead the other branch into over-fitting too.

Method            ACER (%)  HTER (%)
base(multiple)    2.0       11.0
image patch       2.8       30.2
convLSTM          3.8       15.3
base(single)      5.2       28.2
denoising         6.9       25.1
style transfer    4.7       27.7
base(two stream)  1.2       8.0
branch supervise  3.4       12.1
Table 6: Comparative results of exploration study.
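How the two metrics reported in Tables 5 and 6 are computed, as an added example that is not the paper's evaluation code. It uses the standard definitions: ACER as the mean of the worst per-attack-type APCER and BPCER, and HTER as the mean of FAR and FRR at a threshold fixed on a development set. The scores, the set names and the "score at or above threshold means live" convention are assumptions.

```python
# Added illustration, not the paper's evaluation code. All scores are constructed;
# "score >= threshold means accepted as live" is an assumed convention.

def far_frr(samples, thr):
    """Pooled rates: attacks accepted as live (FAR) and live faces rejected (FRR)."""
    attacks = [s >= thr for s, k in samples if k != "live"]
    live = [s < thr for s, k in samples if k == "live"]
    return sum(attacks) / len(attacks), sum(live) / len(live)

def hter(samples, thr):
    """Half total error rate at a threshold fixed beforehand."""
    return sum(far_frr(samples, thr)) / 2

def apcer_by_type(samples, thr):
    """Share of each attack type that is accepted as live."""
    by_type = {}
    for s, k in samples:
        if k != "live":
            by_type.setdefault(k, []).append(s >= thr)
    return {k: sum(v) / len(v) for k, v in by_type.items()}

def acer(samples, thr):
    """Worst per-type APCER averaged with BPCER (BPCER is the FRR above)."""
    return (max(apcer_by_type(samples, thr).values()) + far_frr(samples, thr)[1]) / 2

def eer_threshold(dev):
    """Development-set score where FAR and FRR are closest; frozen for testing."""
    def gap(t):
        far, frr = far_frr(dev, t)
        return abs(far - frr)
    return min(sorted({s for s, _ in dev}), key=gap)

def labelled(live, **attacks):
    """Build (score, kind) rows from per-class score lists."""
    rows = [(s, "live") for s in live]
    return rows + [(s, kind) for kind, scores in attacks.items() for s in scores]

SOURCE_DEV = labelled([0.90, 0.80, 0.70, 0.45],
                      printed=[0.10, 0.20, 0.30, 0.60], replay=[0.15, 0.25, 0.35, 0.50])
SOURCE_TEST = labelled([0.85, 0.75, 0.65, 0.55],
                       printed=[0.05, 0.20, 0.30, 0.40], replay=[0.20, 0.45, 0.55, 0.70])
TARGET_TEST = labelled([0.60, 0.50, 0.40, 0.30],   # other dataset: scores drift
                       printed=[0.10, 0.20, 0.45, 0.55], replay=[0.25, 0.35, 0.52, 0.65])

if __name__ == "__main__":
    thr = eer_threshold(SOURCE_DEV)
    print("threshold", thr)
    print("intra ACER", acer(SOURCE_TEST, thr), "pooled HTER", hter(SOURCE_TEST, thr))
    print("cross HTER", hter(TARGET_TEST, thr))
```

On the constructed intra set every accepted attack is a replay, so the pooled error is half the ACER: the worst-case APCER keeps one weak attack type from being averaged away.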

5 Conclusion

In this paper, we proposed a light and powerful model for face anti-spoofing. Our model consists of two branches, each of which has proved useful for defending against attacks. The multi-frame branch captures spatial-temporal features, and the RGB difference branch is adept at handling detailed motion cues and decreases over-fitting. By applying the FPM and PPM feature enhancement modules in both branches, our model achieves state-of-the-art performance in most intra testing and cross testing on open databases. However, our method cannot handle unknown presentation attacks well, which is a disadvantage that we expect to be solved in the future. We also conducted exploration studies to develop a better understanding of the face anti-spoofing task. Some of those improvements can help to increase accuracy under certain conditions, which offers some guidance for future development.


  • [1] P. Allan, P. Helio, S. William Robson, and R. Anderson (2015) Face spoofing detection through visual codebooks of spectral temporal cubes. IEEE Transactions on Image Processing 24 (12), pp. 4726–4740.
  • [2] S. Bharadwaj, T. I. Dhamecha, M. Vatsa, and R. Singh (2013) Computationally efficient face spoofing detection with motion magnification. In IEEE Conference on Computer Vision and Pattern Recognition Workshops.
  • [3] I. J. 1. 3. Biometrics (2016) Information technology – biometric presentation attack detection – part 1: framework. Standard International Organization for Standardization.
  • [4] Z. Boulkenafet, J. Komulainen, Z. Akhtar, A. Benlamoudi, D. Samai, S. Bekhouche, A. Ouafi, F. Dornaika, A. Taleb-Ahmed, and L. Qin (2017) A competition on generalized software-based face presentation attack detection in mobile scenarios. In International Joint Conference on Biometrics.
  • [5] Z. Boulkenafet, J. Komulainen, L. Lei, X. Feng, and A. Hadid (2017) OULU-NPU: a mobile face presentation attack database with real-world variations. In IEEE International Conference on Automatic Face and Gesture Recognition.
  • [6] Z. Boulkenafet, J. Komulainen, and A. Hadid (2015) Face anti-spoofing based on color texture analysis. In IEEE International Conference on Image Processing.
  • [7] Z. Boulkenafet, J. Komulainen, and A. Hadid (2017) Face spoofing detection using colour texture analysis. IEEE Transactions on Information Forensics and Security 11 (8), pp. 1818–1830.
  • [8] I. Chingovska, A. Anjos, and S. Marcel (2012) On the effectiveness of local binary patterns in face anti-spoofing. In Biometrics Special Interest Group.
  • [9] W. Di, H. Hu, and A. K. Jain (2015) Face spoof detection with image distortion analysis. IEEE Transactions on Information Forensics & Security 10 (4), pp. 746–761.
  • [10] L. A. Gatys, A. S. Ecker, and M. Bethge (2015) Texture synthesis using convolutional neural networks. In International Conference on Neural Information Processing Systems.
  • [11] K. He, X. Zhang, S. Ren, and S. Jian (2016) Deep residual learning for image recognition. In IEEE Conference on Computer Vision and Pattern Recognition.
  • [12] A. Howard, M. Sandler, G. Chu, L. C. Chen, B. Chen, M. Tan, W. Wang, Y. Zhu, R. Pang, and V. Vasudevan (2019) Searching for MobileNetV3.
  • [13] A. Jourabloo, Y. Liu, and X. Liu (2018) Face de-spoofing: anti-spoofing via noise modeling.
  • [14] J. Komulainen, A. Hadid, and M. Pietikainen (2014) Context based face anti-spoofing. In IEEE Sixth International Conference on Biometrics: Theory.
  • [15] H. Li, P. He, S. Wang, A. Rocha, X. Jiang, and A. C. Kot (2018) Learning generalized deep feature representation for face anti-spoofing. IEEE Transactions on Information Forensics and Security 13 (10), pp. 2639–2652.
  • [16] L. Li, X. Feng, Z. Boulkenafet, Z. Xia, M. Li, and A. Hadid (2016) An original face anti-spoofing approach using partial convolutional neural network. In International Conference on Image Processing Theory, Tools and Applications.
  • [17] T. Y. Lin, P. Dollár, R. Girshick, K. He, and S. Belongie (2016) Feature pyramid networks for object detection.
  • [18] Y. Liu, A. Jourabloo, and X. Liu (2018) Learning deep models for face anti-spoofing: binary or auxiliary supervision.
  • [19] C. Nagpal and S. R. Dubey (2018) A performance evaluation of convolutional neural networks for face anti spoofing.
  • [20] K. Patel, H. Han, and A. K. Jain (2016) Secure face unlock: spoof detection on smartphones. IEEE Transactions on Information Forensics and Security 11 (10), pp. 2268–2283.
  • [21] T. D. F. Pereira, A. Anjos, J. M. D. Martino, and S. Marcel (2013) Can face anti-spoofing countermeasures work in a real world scenario?. In International Conference on Biometrics.
  • [22] T. D. F. Pereira, A. Anjos, J. M. D. Martino, and S. Marcel (2012) LBP-TOP based countermeasure against face spoofing attacks. In International Conference on Computer Vision.
  • [23] O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, and M. Bernstein (2015) ImageNet large scale visual recognition challenge. International Journal of Computer Vision 115 (3), pp. 211–252.
  • [24] X. Shi, Z. Chen, W. Hao, D. Y. Yeung, W. Wong, and W. Woo (2015) Convolutional LSTM network: a machine learning approach for precipitation nowcasting. In International Conference on Neural Information Processing Systems.
  • [25] K. Simonyan and A. Zisserman (2014) Two-stream convolutional networks for action recognition in videos.
  • [26] K. Simonyan and A. Zisserman (2014) Very deep convolutional networks for large-scale image recognition. Computer Science.
  • [27] S. Sun, Z. Kuang, W. Ouyang, S. Lu, and Z. Wei (2017) Optical flow guided feature: a fast and robust motion representation for video action recognition.
  • [28] C. Szegedy, W. Liu, Y. Jia, P. Sermanet, S. Reed, D. Anguelov, D. Erhan, V. Vanhoucke, and A. Rabinovich (2014) Going deeper with convolutions.
  • [29] X. Tu, H. Zhang, M. Xie, Y. Luo, and Z. Ma (2019) Deep transfer across domains for face anti-spoofing.
  • [30] X. Tu, H. Zhang, M. Xie, Y. Luo, and Z. Ma (2019) Enhance the motion cues for face anti-spoofing using CNN-LSTM architecture.
  • [31] J. A. Unar, W. C. Seng, and A. Abbasi (2014) A review of biometric technology along with trends and prospects. Pattern Recognition 47 (8), pp. 2673–2688.
  • [32] L. Wang, Y. Xiong, W. Zhe, Q. Yu, D. Lin, X. Tang, and L. V. Gool (2016) Temporal segment networks: towards good practices for deep action recognition.
  • [33] Z. Wang, C. Zhao, Y. Qin, Q. Zhou, G. Qi, J. Wan, and Z. Lei (2018) Exploiting temporal and depth information for multi-frame face anti-spoofing.
  • [34] J. Yang, L. Zhen, and S. Z. Li (2014) Learn convolutional neural network for face anti-spoofing. Computer Science 9218, pp. 373–384.
  • [35] X. Yang, W. Luo, L. Bao, Y. Gao, D. Gong, S. Zheng, Z. Li, and W. Liu (2019) Face anti-spoofing: model matters, so does data. In IEEE Conference on Computer Vision and Pattern Recognition.
  • [36] C. Zach, T. Pock, and H. Bischof (2007) A duality based approach for realtime TV-L1 optical flow. DAGM 4713 (5), pp. 214–223.
  • [37] Z. Zhang, J. Yan, S. Liu, L. Zhen, and S. Z. Li (2012) A face antispoofing database with diverse attacks. In IAPR International Conference on Biometrics.
  • [38] H. Zhao, J. Shi, X. Qi, X. Wang, and J. Jia (2017) Pyramid scene parsing network. In IEEE Conference on Computer Vision and Pattern Recognition.