defense 2026

Find the Differences: Differential Morphing Attack Detection vs Face Recognition

Una M. Kelly 1,2, Luuk J. Spreeuwers 1, Raymond N.J. Veldhuis 1,3

Published on arXiv: 2604.14734

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Shows that conventional FR thresholds inherently make systems vulnerable to morphing attacks and proposes alternative threshold selection that bounds vulnerability to unknown morphing types


Morphing is a challenge to face recognition (FR) for which several morphing attack detection solutions have been proposed. We argue that face recognition and differential morphing attack detection (D-MAD) in principle perform very similar tasks, which we support by comparing an FR system with two existing D-MAD approaches. We also show that currently used decision thresholds inherently lead to FR systems being vulnerable to morphing attacks and that this explains the tradeoff between performance on normal images and vulnerability to morphing attacks. We propose using FR systems that are already in place for morphing detection and introduce a new evaluation threshold that guarantees an upper limit to the vulnerability to morphing attacks - even of unknown types.


Key Contributions

  • Demonstrates that face recognition systems can be repurposed for differential morphing attack detection (D-MAD) with comparable performance to dedicated D-MAD methods
  • Introduces a von Mises-Fisher distribution model to simulate embeddings and explain the trade-off between FR performance and morphing vulnerability
  • Proposes new decision thresholds for FR systems that guarantee upper bounds on vulnerability to any morphing attack type, including unknown ones

🛡️ Threat Analysis

Input Manipulation Attack

Face morphing attacks are adversarial inputs crafted to fool face recognition systems at inference time by causing the system to accept the morphed image as matching two different identities. The paper analyzes FR system vulnerability to these evasion attacks and proposes defense mechanisms.


Details

Domains
vision
Model Types
cnn, transformer
Threat Tags
inference_time, digital, physical, targeted
Applications
face recognition, identity verification, border control, emrtd systems