SRL-MAD: Structured Residual Latents for One-Class Morphing Attack Detection
Diogo J. Paulo 1,2,3, Hugo Proença 1,2, João C. Neves 1,3
Published on arXiv: 2603.15050
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves 4.76% average EER across all test sets, outperforming one-class methods SPL-MAD and MAD-DDPM and supervised method MADation
SRL-MAD
Novel technique introduced
Face morphing attacks represent a significant threat to biometric systems as they allow multiple identities to be combined into a single face. While supervised morphing attack detection (MAD) methods have shown promising performance, their reliance on attack-labeled data limits generalization to unseen morphing attacks. This has motivated increasing interest in one-class MAD, where models are trained exclusively on bona fide samples and are expected to detect unseen attacks as deviations from the normal facial structure. In this context, we introduce SRL-MAD, a one-class single-image MAD that uses structured residual Fourier representations for open-set morphing attack detection. Starting from a residual frequency map that suppresses image-specific spectral trends, we preserve the two-dimensional organization of the Fourier domain through a ring-based representation and replace azimuthal averaging with a learnable ring-wise spectral projection. To further encode domain knowledge about where morphing artifacts arise, we impose a frequency-informed inductive bias by organizing spectral evidence into low, mid, and high-frequency bands and learning cross-band interactions. These structured spectral features are mapped into a latent space designed for direct scoring, avoiding the reliance on reconstruction errors. Extensive evaluation on FERET-Morph, FRLL-Morph, and MorDIFF demonstrates that SRL-MAD consistently outperforms recent one-class and supervised MAD models. Overall, our results show that learning frequency-aware projections provides a more discriminative alternative to azimuthal spectral summarization for one-class morphing attack detection.
Key Contributions
- One-class morphing attack detector (SRL-MAD) trained only on bona fide samples using structured residual Fourier representations
- Learnable ring-wise spectral projection that preserves 2D Fourier structure instead of collapsing via azimuthal averaging
- Frequency-informed inductive bias organizing spectral evidence into low/mid/high bands with cross-band interaction modeling
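Why a ring-wise projection can separate spectra that azimuthal averaging cannot, as an added illustration that is not the paper's code. The 16x16 constructed stripe images, the four angular bins per ring, the fixed `directional` weights (stand-ins for learned parameters) and all function names are assumptions.

```python
import cmath, math

N, K, A = 16, 3, 4   # constructed: image side, stripe frequency, angular bins per ring

def spectrum(img):
    """Centred 2D DFT magnitude (naive O(N^4), fine for a 16x16 sample)."""
    n = len(img)
    w = [cmath.exp(-2j * math.pi * t / n) for t in range(n)]
    mag = [[0.0] * n for _ in range(n)]
    for u in range(n):
        for v in range(n):
            s = sum(img[y][x] * w[(u * y + v * x) % n]
                    for y in range(n) for x in range(n))
            mag[(u + n // 2) % n][(v + n // 2) % n] = abs(s)
    return mag

def ring_map(mag, n_angles=A):
    """Sum magnitudes per (integer radius, angular bin): keeps the 2D layout."""
    n = len(mag)
    rings = [[0.0] * n_angles for _ in range(n // 2 + 1)]
    for i in range(n):
        for j in range(n):
            dy, dx = i - n // 2, j - n // 2
            r = round(math.hypot(dy, dx))
            if r < len(rings):
                a = round(math.atan2(dy, dx) / (2 * math.pi) * n_angles) % n_angles
                rings[r][a] += mag[i][j]
    return rings

def project(rings, weights):
    """Ring-wise projection: one weighted sum over the angular bins of each ring.
    Uniform weights reduce to the azimuthal summary; the weights used here are
    fixed stand-ins for parameters a model would learn."""
    return [sum(w * x for w, x in zip(weights, ring)) for ring in rings]

def stripes(axis):
    """Constructed sample: cosine stripes of frequency K along x (axis=1) or y (axis=0)."""
    return [[math.cos(2 * math.pi * K * (x if axis == 1 else y) / N)
             for x in range(N)] for y in range(N)]

def compare():
    a, b = ring_map(spectrum(stripes(1))), ring_map(spectrum(stripes(0)))
    uniform, directional = [1.0] * A, [1.0, 0.0, 1.0, 0.0]
    return (project(a, uniform), project(b, uniform),
            project(a, directional), project(b, directional))

if __name__ == "__main__":
    for row in compare():
        print([round(v, 1) for v in row])
```

The two stripe images produce the same per-ring totals under uniform weights, while the directional weights put all of ring 3's energy on one image and none on the other.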
🛡️ Threat Analysis
Face morphing attacks are adversarial manipulations of facial images designed to cause misclassification in biometric authentication systems at inference time. The paper proposes a defense (detection method) against these input manipulation attacks. The morphed images are crafted adversarial inputs that bypass face recognition systems by blending multiple identities.