ML Security PapersEmergent Morphing Attack Detection in Open Multi-modal Large Language Models
Marija Ivanovska , Vitomir Štruc
Published on arXiv
2602.15461
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding
LLaVA1.6-Mistral-7B achieves at least 23% lower equal error rate than competitive task-specific morphing attack detection baselines in a zero-shot protocol with no domain adaptation.
Face morphing attacks threaten biometric verification, yet most morphing attack detection (MAD) systems require task-specific training and generalize poorly to unseen attack types. Meanwhile, open-source multimodal large language models (MLLMs) have demonstrated strong visual-linguistic reasoning, but their potential in biometric forensics remains underexplored. In this paper, we present the first systematic zero-shot evaluation of open-source MLLMs for single-image MAD, using publicly available weights and a standardized, reproducible protocol. Across diverse morphing techniques, many MLLMs show non-trivial discriminative ability without any fine-tuning or domain adaptation, and LLaVA1.6-Mistral-7B achieves state-of-the-art performance, surpassing highly competitive task-specific MAD baselines by at least 23% in terms of equal error rate (EER). The results indicate that multimodal pretraining can implicitly encode fine-grained facial inconsistencies indicative of morphing artifacts, enabling zero-shot forensic sensitivity. Our findings position open-source MLLMs as reproducible, interpretable, and competitive foundations for biometric security and forensic image analysis. This emergent capability also highlights new opportunities to develop state-of-the-art MAD systems through targeted fine-tuning or lightweight adaptation, further improving accuracy and efficiency while preserving interpretability. To support future research, all code and evaluation protocols will be released upon publication.
Key Contributions
- First systematic zero-shot benchmark of open-source MLLMs for single-image morphing attack detection using a standardized, reproducible evaluation protocol
- LLaVA1.6-Mistral-7B achieves state-of-the-art MAD performance in zero-shot setting, surpassing task-specific baselines by at least 23% EER
- Analysis showing that large-scale vision-language pretraining implicitly encodes perceptual priors that transfer to forensic morphing artifact detection
🛡️ Threat Analysis
Face morphing attack detection is AI-generated/manipulated content detection in the biometric domain — functionally equivalent to deepfake detection, which ML09 explicitly covers. The paper evaluates MLLMs' ability to authenticate the integrity of facial images and flag AI-manipulated content without task-specific training.