Prosthetic attack detection model training method, system, device and storage medium

By using a fully convolutional model and feature value weighting, a spoofing attack detection model is generated, which solves the problem of redundancy and complexity in existing anti-attack algorithms and achieves efficient liveness detection and adaptability to non-full-face attacks.

CN116363717BActive Publication Date: 2026-06-09SHENZHEN GUANGJIAN TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHENZHEN GUANGJIAN TECH CO LTD
Filing Date
2021-12-24
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing anti-attack algorithms are redundant and complex, making it difficult to effectively identify fake attacks, especially since redundancy exists in the preprocessing stage of convolutional networks.

Method used

A fully convolutional model is adopted. A positive and negative sample training set is generated by collecting and annotating infrared images of real faces and attack photos. The model is trained to generate a fake attack detection model. The model structure includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer and an output layer. Feature value weights are set in the output layer, and the live face is judged by the ratio value and the threshold.

Benefits of technology

It significantly reduces model complexity, improves the accuracy of spoofing attack detection, can handle infrared images of different resolutions and non-full-face attacks, and is suitable for liveness detection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116363717B_ABST
    Figure CN116363717B_ABST
Patent Text Reader

Abstract

The application provides a training method, system and device of a prosthesis attack detection model and a storage medium, comprising: collecting infrared images of real faces, generating a positive sample training set after labeling the infrared images of the real faces; collecting infrared images of attack photos, generating a negative sample training set after labeling the infrared images of the attack photos; and training a pre-set convolutional neural network model to generate a prosthesis attack detection model according to the negative sample training set and the positive sample training set. In the application, the infrared images of target faces are subjected to living body detection through the prosthesis attack detection model, the prosthesis attack detection model comprises an input layer, a plurality of convolution processing modules, a maximum pooling layer, a first 2D convolution layer and an output layer, the complexity of the model is significantly reduced, and the application of the model is facilitated.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to liveness detection, and more specifically, to a training method, system, device, and storage medium for a spoofing attack detection model. Background Technology

[0002] Most anti-attack algorithms on the market are based on convolutional networks, adding a fully connected layer after multiple convolutional networks. Many algorithms preprocess the input data, including taking several small face samples from the input face image, feeding these samples into the learning network to obtain the output for the samples, and finally analyzing the results.

[0003] However, considering that convolution itself is a process of extracting modules, the preprocessing step of predicting the extraction of multiple modules might be redundant. Therefore, a simple algorithm for 2D paper attack on face recognition based on a fully convolutional model is provided. Summary of the Invention

[0004] In view of the deficiencies in the prior art, the purpose of this invention is to provide a training method, system, device and storage medium for a fake attack detection model.

[0005] The training method for the spoofing attack detection model provided by the present invention includes the following steps:

[0006] Step M1: Collect infrared images of real human faces, and generate a positive sample training set after annotating the infrared images of real human faces;

[0007] Step M2: Acquire infrared images of the attack photos, and generate a negative sample training set by annotating the infrared images of the attack photos;

[0008] Step M3: Train the pre-set convolutional neural network model using the negative sample training set and the positive sample training set to generate a fake attack detection model.

[0009] Preferably, step M1 includes the following steps:

[0010] Step M101: Perform face detection on the infrared image of the real face to determine the first face region;

[0011] Step M102: Crop out the first face region to generate a positive sample;

[0012] Step M103: Repeat steps M101 to M102 to generate the positive sample training set;

[0013] Step M2 includes the following steps:

[0014] Step M201: Perform face detection on the infrared image of the attack photo to determine the second face region;

[0015] Step M202: After cropping the second face region, a negative sample is generated;

[0016] Step M203: Repeat steps M201 to M202 to generate the negative sample training set.

[0017] Preferably, the spoofing attack detection model includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer;

[0018] The input layer, the plurality of the convolutional processing modules, the max pooling layer, the first 2D convolutional layer, and the output layer are connected in sequence;

[0019] The convolution processing module includes a second 2D convolutional layer, a batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially.

[0020] Preferably, the output of the output layer is an N×N matrix. When the attack detection result is generated based on the N×N matrix,

[0021] A weight value is assigned to each output feature value in the N×N matrix, wherein the weight value of the output feature value located in the center of the matrix is ​​greater than the weight value of the output feature value located on the periphery of the matrix.

[0022] Preferably, for each output feature value in the N×N matrix of the output layer, a liveness determination is performed according to a preset first threshold, and a number of output feature values ​​greater than the first threshold is generated.

[0023] The proportion of the number of output feature values ​​to the total number of output feature values ​​in the N×N matrix is ​​generated based on the number of output feature values.

[0024] The target face corresponding to the image is determined to be a live person by comparing the ratio value with a preset second threshold.

[0025] Preferably, the spoofing attack detection model includes an input layer, multiple convolutional processing modules, a first 2D convolutional layer, a first batch normalization layer, a second 2D convolutional layer, a sigmoid function layer, and an output layer;

[0026] The input layer, the plurality of the convolution processing modules, the first 2D convolution layer, the first batch normalization layer, the second 2D convolution layer, the sigmoid function layer, and the output layer are connected sequentially.

[0027] The convolution processing module includes a third 2D convolutional layer, a second batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially.

[0028] Preferably, the training process of the spoofing attack detection model includes the following steps:

[0029] Step M1: Collect infrared images of real human faces, and generate a positive sample training set after annotating the infrared images of real human faces;

[0030] Step M2: Acquire infrared images of the attack photos, and generate a negative sample training set by annotating the infrared images of the attack photos;

[0031] Step M3: Train the pre-set convolutional neural network model using the negative sample training set and the positive sample training set to generate a fake attack detection model.

[0032] Preferably, the use of the spoofing attack detection model includes the following steps:

[0033] Step S101: Obtain an infrared image of the target face and input the infrared image of the target face into a pre-trained spoofing attack detection model;

[0034] Step S102: Determine whether the face pixel region of the infrared image is a live face image using the spoofing attack detection model, and generate a liveness detection result;

[0035] Step S103: When the probability of a live face image in the liveness detection result is greater than the probability of a fake attack image, the face pixel region is identified as a live face image; otherwise, the face pixel region is identified as a fake face image.

[0036] The spurious attack detection system provided by the present invention includes the following modules:

[0037] The positive sample generation module is used to collect infrared images of real human faces and generate a positive sample training set after annotating the infrared images of the real human faces.

[0038] Negative sample generation module: Acquires infrared images of attack photos, annotates the infrared images of attack photos, and generates a negative sample training set;

[0039] The model training module is used to train a pre-set convolutional neural network model based on the negative sample training set and the positive sample training set to generate a fake attack detection model.

[0040] The prosthetic attack detection device provided by the present invention includes:

[0041] processor;

[0042] A memory in which executable instructions of the processor are stored;

[0043] The processor is configured to execute the training method steps of the spoofing attack detection model by executing the executable instructions.

[0044] According to the computer-readable storage medium provided by the present invention, a program is used to store a method for training the aforementioned spoofing attack detection model when the program is executed.

[0045] Compared with the prior art, the present invention has the following beneficial effects:

[0046] The fake attack detection model trained in this invention can perform liveness detection on the infrared image of the input target face. The fake attack detection model only includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer, which significantly reduces the complexity of the model and facilitates its widespread application.

[0047] In this invention, a weight value is set for each output feature value in the N×N matrix of the output layer. The weight value of the output feature value located in the center of the matrix is ​​greater than the weight value of the output feature value located on the periphery of the matrix, thereby improving the accuracy of spoofing attack detection.

[0048] This invention generates a ratio of the number of output feature values ​​to the total number of output feature values ​​in the N×N matrix based on the number of output feature values. The proportion is compared with a preset second threshold to determine whether the target face corresponding to the image is a live object. This invention can not only handle infrared image inputs of different resolutions, but also is applicable to non-full-face attacks when trained with full fake attacks. Attached Figure Description

[0049] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are merely embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort. Other features, objects, and advantages of the present invention will become more apparent by reading the following detailed description of non-limiting embodiments with reference to the accompanying drawings:

[0050] Figure 1 This is a flowchart of the training method steps for the spoofing attack detection model in an embodiment of the present invention;

[0051] Figure 2 This is a flowchart illustrating the steps of spoofing detection using a spoofing attack detection model in an embodiment of the present invention.

[0052] Figure 3 This is a flowchart illustrating the steps for generating a positive sample training set in an embodiment of the present invention.

[0053] Figure 4 This is a schematic diagram of the modules of the spoofing attack detection model in an embodiment of the present invention;

[0054] Figure 5 This is a schematic diagram of the modules of the spoofing attack detection model in a modified example of the present invention;

[0055] Figure 6 This is a schematic diagram illustrating the loss variation of the spoofing attack detection model in an embodiment of the present invention;

[0056] Figure 7 This is a schematic diagram illustrating the change process of the loss value of each feature in the input image in an embodiment of the present invention;

[0057] Figure 8 This is a schematic diagram of the EER change process before taking a fixed weight matrix in an embodiment of the present invention;

[0058] Figure 9 This is a schematic diagram illustrating the change process of EER after taking a fixed weight matrix in an embodiment of the present invention;

[0059] Figure 10 This is a schematic diagram illustrating the changes in FAR and FRR when P1 is 0.5 in an embodiment of the present invention.

[0060] Figure 11 This is a schematic diagram illustrating the changes in FAR and FRR in the spoofing attack detection model in a modified example of the present invention;

[0061] Figure 12 This is a schematic diagram illustrating the changes in thresholds P1, P2, and EER in an embodiment of the present invention.

[0062] Figure 13 This is a schematic diagram illustrating the changes in FAR and FRR under optimal thresholds P1 and P2 in an embodiment of the present invention.

[0063] Figure 14 This is a schematic diagram of the module of the spoofing attack detection system in an embodiment of the present invention;

[0064] Figure 15 This is a schematic diagram of the structure of the spoofing attack detection device in an embodiment of the present invention;

[0065] Figure 16 This is a schematic diagram of the structure of a computer-readable storage medium in an embodiment of the present invention. Detailed Implementation

[0066] The present invention will now be described in detail with reference to specific embodiments. These embodiments will help those skilled in the art to further understand the present invention, but do not limit the invention in any way. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention. These all fall within the scope of protection of the present invention.

[0067] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of the invention described herein can be implemented, for example, in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0068] The technical solution of the present invention will be described in detail below with reference to specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.

[0069] The technical solutions of the present invention and how they solve the above-mentioned technical problems will be described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. The embodiments of the present invention will now be described with reference to the accompanying drawings.

[0070] Figure 1 This is a flowchart illustrating the training method steps of the fake attack detection model in an embodiment of the present invention, as follows: Figure 1 As shown, the training method for the spoofing attack detection model provided by the present invention includes the following steps:

[0071] Step M1: Collect infrared images of real human faces, and generate a positive sample training set after annotating the infrared images of real human faces;

[0072] Step M2: Acquire infrared images of the attack photos, and generate a negative sample training set by annotating the infrared images of the attack photos;

[0073] Step M3: Train the pre-set convolutional neural network model using the negative sample training set and the positive sample training set to generate a fake attack detection model.

[0074] In an embodiment of the present invention, Figure 3 This is a flowchart illustrating the steps for generating a positive sample training set in an embodiment of the present invention, as follows: Figure 3 As shown, step M1 includes the following steps:

[0075] Step M101: Perform face detection on the infrared image of the real face to determine the first face region;

[0076] Step M102: Crop out the first face region to generate a positive sample;

[0077] Step M103: Repeat steps M101 to M102 to generate the positive sample training set;

[0078] Step M2 includes the following steps:

[0079] Step M201: Perform face detection on the infrared image of the attack photo to determine the second face region;

[0080] Step M202: After cropping the second face region, a negative sample is generated;

[0081] Step M203: Repeat steps M201 to M202 to generate the negative sample training set.

[0082] Figure 2 This is a flowchart illustrating the steps of prosthetic detection using a prosthetic attack detection model in an embodiment of the present invention, as follows: Figure 2 As shown, it includes the following steps:

[0083] Step S101: Obtain an infrared image of the target face and input the infrared image of the target face into a pre-trained spoofing attack detection model;

[0084] Step S102: Determine whether the face pixel region of the infrared image is a live face image using the spoofing attack detection model, and generate a liveness detection result;

[0085] Step S103: When the probability of a live face image in the liveness detection result is greater than the probability of a fake attack image, the face pixel region is identified as a live face image; otherwise, the face pixel region is identified as a fake face image.

[0086] Figure 4 This is a schematic diagram of the module of the spoofing attack detection model in an embodiment of the present invention, as shown below. Figure 4 As shown, the spoofing attack detection model includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer.

[0087] The input layer, the plurality of the convolutional processing modules, the max pooling layer, the first 2D convolutional layer, and the output layer are connected in sequence;

[0088] The convolution processing module includes a second 2D convolutional layer, a batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially.

[0089] In this embodiment of the invention, after obtaining the 6×6 feature map, global averaging is used to determine whether an input infrared image is a live face or a fake face. The training targets are defined as: live face: a 6×6 matrix of all 1s; fake face: a 6×6 matrix of all 0s, and MSE (Mean Squared Error) is used as the loss function.

[0090] Figure 6 This is a schematic diagram illustrating the loss variation of the spoofing attack detection model in an embodiment of the present invention, as shown below. Figure 6 As shown, the accuracy of the prosthetic attack detection model gradually improves with increasing training time. Figure 7 This is a schematic diagram illustrating the change process of the loss value of each feature in the input image in an embodiment of the present invention, as shown below. Figure 7 As shown, it can be observed that the loss values ​​of the features in the surrounding area, especially the four corners, are relatively higher and the changes are more even. As mentioned earlier, each feature in the feature map output by the fully convolutional network corresponds to the feature of the corresponding region in the original image. However, the information is extracted by the learning network. Therefore, the surrounding area is more about background environmental interference than the actual human face.

[0091] Another observation is that the loss of the four features in the middle of the lower side is also relatively low, which should correspond to the neck area in a face image. The left and right sides are sometimes the background, while the upper side is very likely to be hair. This explains why the loss of the features in the middle of the lower side and the 4×4 features in the center are generally below 0.05, while the loss of other side areas is higher.

[0092] Therefore, in this embodiment of the invention, the output of the output layer is an N×N matrix. When the attack detection result is generated based on the N×N matrix,

[0093] A weight value is assigned to each output feature value in the N×N matrix, wherein the weight value of the output feature value located in the center of the matrix is ​​greater than the weight value of the output feature value located on the periphery of the matrix.

[0094] Therefore, based on the rule that the feature weights of the four corners are less than the feature weights of the four sides, and the feature weights of the four sides are less than the feature weights of the center, a fixed weight matrix can be used when calculating the output result, as shown below:

[0095]

[0096] Figure 8 This is a schematic diagram illustrating the EER change process before taking a fixed weight matrix in an embodiment of the present invention. Figure 9 This is a schematic diagram illustrating the change process of EER after taking a fixed weight matrix in an embodiment of the present invention, as shown below. Figure 8 , Figure 9 As shown, the method of using a fixed weight matrix did achieve significant results; the EER (Equal Error Rate) of the spoofing attack detection model decreased by about 1.2% after adding the weight matrix.

[0097] In this embodiment of the invention, each output feature value in the N×N matrix of the output layer is subjected to liveness detection according to a preset first threshold P1, and the number of output feature values ​​greater than the first threshold is generated.

[0098] The proportion of the number of output feature values ​​to the total number of output feature values ​​in the N×N matrix is ​​generated based on the number of output feature values.

[0099] The target face corresponding to the image is determined to be a live person by comparing the ratio value with a preset second threshold P2.

[0100] This method can handle infrared image inputs of varying resolutions. Since the convolution process does not require a fixed input size, for higher-resolution infrared images, the same trained network can output larger feature maps, and the same judgment method can be used to obtain the results. Another advantage of fully convolutional networks is their ability to autonomously segment the original image. For example, each feature output by a 2D convolution corresponds to a maximum 31×31 region in the original image, so it can be trained using a full-fake attack, and then different judgment methods can be used to handle non-full-face attacks. For instance, reducing the value of P2 means that if a portion of the output feature map is fake, the corresponding portion in the original image is likely also fake, thus addressing non-full-face attacks.

[0101] Figure 10 This is a schematic diagram illustrating the changes in FAR (False Acceptance Rate) and FRR (False Rejection Rate) when P1 is 0.5 in an embodiment of the present invention. Figure 10 As shown, P2 is no longer averaged, and a high P2 value indicates that the fitting score of the live face is very close to 1, while the prosthesis is relatively chaotic.

[0102] Figure 5 This is a schematic diagram of the module of the spoofing attack detection model in a variation of the present invention, as shown below. Figure 5As shown, the spoofing attack detection model includes an input layer, multiple convolutional processing modules, a first 2D convolutional layer, a first batch normalization layer, a second 2D convolutional layer, a sigmoid function layer, and an output layer.

[0103] The input layer, the plurality of the convolution processing modules, the first 2D convolution layer, the first batch normalization layer, the second 2D convolution layer, the sigmoid function layer, and the output layer are connected sequentially.

[0104] The convolution processing module includes a third 2D convolutional layer, a second batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially.

[0105] Figure 11 This is a schematic diagram illustrating the changes in FAR and FRR in the spoofing attack detection model in a modified example of the present invention, as shown below. Figure 11 As shown, the network was expanded to a maximum of 64 channels, the last ReLU activation was removed, and the stride of all convolutions except the last one was changed to 2. The model output remained a 6×6 feature map, but the total number of output feature values ​​increased to approximately 20,000. Using the same training and test sets, the EER was reduced to approximately 1% at P1=0.5, and subsequently, the EER was reduced to below 1% on a random test set of 4000 images.

[0106] Figure 12 This is a schematic diagram illustrating the changes in thresholds P1, P2, and EER in an embodiment of the present invention. Figure 13 This is a schematic diagram illustrating the changes in FAR and FRR under optimal thresholds P1 and P2 in an embodiment of the present invention, as shown below. Figure 12 , Figure 13 As shown, when the threshold P1 is around 0.95, the EER reaches its minimum value. Although this minimum value is not necessarily the global minimum, we can infer from the graph that the global minimum value can almost only occur here. Therefore, by adjusting the range of values ​​on the P1 axis, the interval is gradually narrowed. Finally, when P1=0.960, P2=0.306 can achieve an EER of 0.07%, and at this point, the FRR and FAR are 0.05% and 0.10%, respectively.

[0107] Figure 14 This is a schematic diagram of the module of the spoofing attack detection system in an embodiment of the present invention, such as... Figure 14 As shown, the spoofing attack detection system provided by the present invention includes the following modules:

[0108] The positive sample generation module is used to collect infrared images of real human faces and generate a positive sample training set after annotating the infrared images of the real human faces.

[0109] Negative sample generation module: Acquires infrared images of attack photos, annotates the infrared images of attack photos, and generates a negative sample training set;

[0110] The model training module is used to train a pre-set convolutional neural network model based on the negative sample training set and the positive sample training set to generate a fake attack detection model.

[0111] This invention also provides a spoofing attack detection device, including a processor and a memory storing executable instructions for the processor. The processor is configured to execute training method steps of a spoofing attack detection model via the executable instructions.

[0112] As shown above, the fake attack detection model trained in this embodiment can perform liveness detection on the infrared image of the input target face. The fake attack detection model only includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer, which significantly reduces the complexity of the model and facilitates its widespread application.

[0113] Those skilled in the art will understand that various aspects of the present invention can be implemented as systems, methods, or program products. Therefore, various aspects of the present invention can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software aspects, collectively referred to herein as a "circuit," "module," or "platform."

[0114] Figure 15 This is a schematic diagram of the spoofing attack detection device in an embodiment of the present invention. The following refers to... Figure 15 To describe an electronic device 600 according to this embodiment of the present invention. Figure 15 The electronic device 600 shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of the present invention.

[0115] like Figure 15 As shown, the electronic device 600 is presented in the form of a general-purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 connecting different platform components (including storage unit 620 and processing unit 610), a display unit 640, etc.

[0116] The storage unit stores program code, which can be executed by the processing unit 610 to perform the steps described in the training method section of the spoofing attack detection model section of this specification, according to various exemplary embodiments of the present invention. For example, the processing unit 610 can perform, as follows: Figure 1The steps are shown in the figure.

[0117] Storage unit 620 may include readable media in the form of volatile storage units, such as random access memory (RAM) 6201 and / or cache memory 6202, and may further include read-only memory (ROM) 6203.

[0118] Storage unit 620 may also include a program / utility 6204 having a set (at least one) program module 6205, such program module 6205 including but not limited to: operating system, one or more application programs, other program modules and program data, each or some combination of these examples may include an implementation of a network environment.

[0119] Bus 630 can represent one or more of several types of bus structures, including a memory cell bus or memory cell controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of the various bus structures.

[0120] Electronic device 600 can also communicate with one or more external devices 700 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 600, and / or with any device that enables electronic device 600 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 650. Furthermore, electronic device 600 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 660. Network adapter 660 can communicate with other modules of electronic device 600 via bus 630. It should be understood that, although... Figure 15 As not shown in the diagram, other hardware and / or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage platforms.

[0121] This invention also provides a computer-readable storage medium for storing a program, which, when executed, implements a training method for a spoofing attack detection model. In some possible implementations, various aspects of the invention can also be implemented as a program product comprising program code, which, when run on a terminal device, causes the terminal device to execute the steps described in the training method section of this specification for the spoofing attack detection model according to various exemplary embodiments of the invention.

[0122] As shown above, when the program of the computer-readable storage medium of this embodiment is executed, the fake attack detection model generated by this training can perform liveness detection on the infrared image of the input target face. The fake attack detection model only includes an input layer, multiple convolution processing modules, a max pooling layer, a first 2D convolutional layer and an output layer, which significantly reduces the complexity of the model and facilitates the promotion and application of the model.

[0123] Figure 16 This is a schematic diagram of the structure of a computer-readable storage medium according to an embodiment of the present invention. (Reference) Figure 16 As shown, a program product 800 for implementing the above-described method according to an embodiment of the present invention is described. It may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto. In this document, the readable storage medium may be any tangible medium containing or storing a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.

[0124] The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: electrical connections having one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0125] Computer-readable storage media may include data signals propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable storage medium may also be any readable medium other than a readable storage medium that can transmit, propagate, or transfer a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0126] Program code for performing the operations of this invention can be written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Java and C++, and conventional procedural programming languages ​​such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0127] In this embodiment of the invention, the spoofing attack detection model trained in this invention can perform liveness detection on infrared images of input target faces. The spoofing attack detection model only includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer, significantly reducing the complexity of the model and facilitating its widespread application. By setting a weight value for each output feature value in an N×N matrix of output layers, wherein the weight value of the output feature value located in the center of the matrix is ​​greater than the weight value of the output feature values ​​located around the periphery of the matrix, the accuracy of spoofing attack detection is improved. Based on the number of output feature values, a ratio of the number of output feature values ​​to the total number of output feature values ​​in the N×N matrix is ​​generated. The ratio is compared with a preset second threshold to determine whether the target face corresponding to the image is live. This model can not only handle infrared image inputs of different resolutions but is also applicable to non-full-face attacks even when trained with full spoofing attacks.

[0128] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. The above description of the disclosed embodiments enables those skilled in the art to implement or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein. Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to the specific embodiments described above, and those skilled in the art can make various modifications or variations within the scope of the claims, which do not affect the essence of the invention.

Claims

1. A training method for a fake attack detection model, characterized in that, Includes the following steps: Step M1: Collect infrared images of real human faces, and generate a positive sample training set after annotating the infrared images of real human faces; Step M2: Acquire infrared images of the attack photos, and generate a negative sample training set by annotating the infrared images of the attack photos; Step M3: Train the pre-set convolutional neural network model using the negative sample training set and the positive sample training set to generate a fake attack detection model; The spoofing attack detection model includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer. The input layer, the plurality of the convolutional processing modules, the max pooling layer, the first 2D convolutional layer, and the output layer are connected in sequence; The convolution processing module includes a second 2D convolutional layer, a batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially. The output of the output layer is an N×N matrix. When generating attack detection results based on the N×N matrix, A weight value is assigned to each output feature value in the N×N matrix, wherein the weight value of the output feature value located in the center of the matrix is ​​greater than the weight value of the output feature value located on the periphery of the matrix.

2. The training method for the spoofing attack detection model according to claim 1, characterized in that, Step M1 includes the following steps: Step M101: Perform face detection on the infrared image of the real face to determine the first face region; Step M102: Crop out the first face region to generate a positive sample; Step M103: Repeat steps M101 to M102 to generate the positive sample training set; Step M2 includes the following steps: Step M201: Perform face detection on the infrared image of the attack photo to determine the second face region; Step M202: After cropping the second face region, a negative sample is generated; Step M203: Repeat steps M201 to M202 to generate the negative sample training set.

3. The training method for the spoofing attack detection model according to claim 1, characterized in that, For each output feature value in the N×N matrix of the output layer, a liveness determination is performed based on a preset first threshold, and a number of output feature values ​​greater than the first threshold are generated. The proportion of the number of output feature values ​​to the total number of output feature values ​​in the N×N matrix is ​​generated based on the number of output feature values. The target face corresponding to the image is determined to be a live person by comparing the ratio value with a preset second threshold.

4. The training method for the spoofing attack detection model according to claim 1, characterized in that, The spoofing attack detection model includes an input layer, multiple convolutional processing modules, a first 2D convolutional layer, a first batch normalization layer, a second 2D convolutional layer, a sigmoid function layer, and an output layer. The input layer, the plurality of the convolution processing modules, the first 2D convolution layer, the first batch normalization layer, the second 2D convolution layer, the sigmoid function layer, and the output layer are connected sequentially. The convolution processing module includes a third 2D convolutional layer, a second batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially.

5. The training method for the spoofing attack detection model according to claim 1, characterized in that, The prosthetic attack detection model is used in the following steps: Step S101: Obtain an infrared image of the target face and input the infrared image of the target face into a pre-trained spoofing attack detection model; Step S102: Determine whether the face pixel region of the infrared image is a live face image using the spoofing attack detection model, and generate a liveness detection result; Step S103: When the probability of a live face image in the liveness detection result is greater than the probability of a fake attack image, the face pixel region is identified as a live face image; otherwise, the face pixel region is identified as a fake face image.

6. A spoofing attack detection system, characterized in that, Includes the following modules: The positive sample generation module is used to collect infrared images of real human faces and generate a positive sample training set after annotating the infrared images of the real human faces. Negative sample generation module: Acquires infrared images of attack photos, annotates the infrared images of attack photos, and generates a negative sample training set; The model training module is used to train a pre-set convolutional neural network model based on the negative sample training set and the positive sample training set to generate a fake attack detection model. The spoofing attack detection model includes an input layer, multiple convolutional processing modules, a max pooling layer, a first 2D convolutional layer, and an output layer. The input layer, the plurality of the convolutional processing modules, the max pooling layer, the first 2D convolutional layer, and the output layer are connected in sequence; The convolution processing module includes a second 2D convolutional layer, a batch normalization layer, and a ReLU activation layer; the second 2D convolutional layer, the batch normalization layer, and the ReLU activation layer are connected sequentially. The output of the output layer is an N×N matrix. When generating attack detection results based on the N×N matrix, A weight value is assigned to each output feature value in the N×N matrix, wherein the weight value of the output feature value located in the center of the matrix is ​​greater than the weight value of the output feature value located on the periphery of the matrix.

7. A device for detecting prosthetic attacks, characterized in that, include: processor; A memory in which executable instructions of the processor are stored; The processor is configured to execute the training method steps of the spoofing attack detection model according to any one of claims 1 to 5 by executing the executable instructions.

8. A computer-readable storage medium for storing a program, characterized in that, When the program is executed, it implements the training method steps of the spoofing attack detection model according to any one of claims 1 to 5.