2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Abstract: Face recognition technology is now widely used in many fields, but its risks have long been a concern, especially in the financial industry, where risk tolerance is low. A loophole in the user verification step can cause huge losses. This article starts from a project example, shares the problems encountered and the experience gained in testing face recognition technology, and offers some thoughts on how to test artificial intelligence.
Face Recognition Technology Test Example: From a Project
Recently, while working on a project, our testing department discovered a business security vulnerability in the project's user liveness verification. Liveness verification is a required step in the project's service flow. The user records a video of themselves reading random numbers on a mobile phone, and the system compares it with the face data held in the back end to judge whether the person operating is the account holder. The testers found that someone other than the account holder could also pass verification by re-shooting pictures and videos displayed on electronic devices. The project team then contacted the liveness verification technology provider, adjusted the relevant parameters, and carried out a dedicated face recognition test, but a certain proportion of static-picture attacks in that test still succeeded in deceiving the model. In view of the test results, and after research and discussion, the project team decided to postpone the project and focus on solving the problems with the face recognition model.
Introduction to Common Face Recognition/Liveness Detection Technologies
Face recognition is a widely used and relatively mature technology in the field of artificial intelligence. Face recognition on static pictures offers low security, so liveness detection is used in most cases. The common liveness detection technologies are introduced below.
Action-based (cooperative) liveness detection: The algorithm issues random action instructions and the user cooperates by performing them, such as nodding, blinking, shaking the head, or lip reading. This type of algorithm is currently the most widely used.
Silent liveness detection: As the name suggests, unlike action-based liveness detection, silent liveness detection does not require the user to perform any action. The user only faces the camera for a few seconds to complete the detection. The features it examines include eyelid and eyeball movement, facial muscle contraction, and so on.
Infrared liveness detection: This uses the principle of infrared imaging for liveness detection. The algorithm is highly secure, but it requires an additional infrared camera.
3D structured light liveness detection: This recognizes the 3D structure of the face from reflected light. It is highly secure, but it requires a depth camera module, which is currently fitted only on some high-end flagship mobile phones.
Introduction to Common Face Recognition Attacks
While testing face recognition and liveness verification, the testers tried a variety of attack methods. Classified by medium, the basic approaches are picture attacks and video attacks.
Picture attack: A static image is used to deceive the face recognition algorithm. It applies to face recognition on static images. The display media include electronic screens (with different resolutions and different imaging principles), paper pictures (color and black and white), and so on.
Figure 1 Basic photo attacks, see who I am?
Video attack: A re-shot or fabricated video is used to fool the face recognition algorithm. It is mainly used against action-based liveness detection. The most direct method is to play a short video that the customer himself recorded in advance following the corresponding instructions, but in practice the cost of such a forgery is relatively high. With the development of image processing and artificial intelligence, there is now software that generates dynamic video from static photos. A single portrait photo is enough to generate video of the person shaking his head, nodding, blinking, and even mouthing various texts.
Figure 2: Using software to generate a video of Yanzu reading a string of numbers. The bottom right is the original picture.
Both of the attack methods above usually depend on an electronic screen to display the prepared image material, which can be detected by identifying moiré patterns and similar artifacts. Application scenarios that use pure static-picture face recognition are also few. Two more advanced attack methods are described below.
Physical attack: This attack takes more varied forms. The main idea is to avoid using an electronic screen or a simple flat photo to present the verification image. For example, a photo of the person is printed, bent to a certain curvature, and moved in response to the liveness verification instructions; for a blink instruction, the eye region of the photo is cut out and a real person who is not the account holder blinks from behind it. More advanced attack methods also include making 3D face models.
Figure 3 Half Face Attack
Figure 4 Cut-out mouth attack
Application cracking/injection attack: This attack requires some technical skill. It includes instrumenting the application to monitor the process that triggers face recognition, modifying the program to bypass this step, or capturing packets and reassembling the data message so that the images prepared for the picture and video attacks above are sent directly to the back end without being re-shot through another medium, as well as modifying the threshold and other key indicators in the message before it is checked.
How to Test Artificial Intelligence Software
The testing of artificial intelligence software can be divided into two parts: first, testing the software; second, testing the algorithm. What makes this kind of testing special is the testing of the algorithm.
For testers, the most widely used deep learning algorithm (the neural network) is a black box, so it is hard to report well-defined functional defects as in traditional functional testing, and defects are hard to reproduce reliably. As a result, the test results that testers finally deliver often give the pass rates of positive and negative test cases as a reference.
Although algorithm developers feed in large training and test sets when building a model and evaluate many model-related metrics, testing is still indispensable: developers pay more attention to the model's positive pass rate, and their negative scenarios are not diverse enough. This requires testers to use their imagination to supply more negative scenarios. This matters in two ways. On the one hand, the model can be given more targeted training on the scenes where the algorithm is more likely to fail. On the other hand, even for a black-box neural network, the weights of each path of the model can be inferred backwards from the negative test cases, providing a reference for adjusting model parameters.
In addition, for a face recognition algorithm, attention is usually paid to the model's similarity threshold: a comparison whose similarity is greater than X% is judged to pass. If the value is too high, it increases the risk of attacks passing, and if the value is too low, it causes a low positive pass rate and hurts the normal user experience. The threshold to adopt has to be decided by the project team after weighing the risks and benefits.
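The following added example (not from the original article or the project it describes) shows one way to report the positive and negative pass rates per scenario, with a Wilson confidence interval so that rates measured on a few hard-to-reproduce trials are not over-read. The trial counts, scenario names and the 5% limit are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample results: (scenario, is_genuine_user, passed_verification).
# Scenario names follow the attack media described in this article.
TRIALS = (
    [("genuine", True, True)] * 46 + [("genuine", True, False)] * 4
    + [("photo_on_screen", False, True)] * 3 + [("photo_on_screen", False, False)] * 37
    + [("paper_photo", False, True)] * 6 + [("paper_photo", False, False)] * 34
    + [("replayed_video", False, False)] * 200
    + [("cutout_photo", False, True)] * 5 + [("cutout_photo", False, False)] * 15
)

def wilson_interval(passed, total, z=1.96):
    """95% Wilson score interval for a pass rate measured on `total` trials."""
    if total == 0:
        return (0.0, 1.0)
    p = passed / total
    denom = 1 + z * z / total
    centre = (p + z * z / (2 * total)) / denom
    half = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def summarize(trials):
    """Per-scenario pass count, rate and interval for positive and negative cases."""
    counts = defaultdict(lambda: [0, 0, None])  # passed, total, is_genuine
    for scenario, genuine, passed in trials:
        c = counts[scenario]
        c[0] += int(passed)
        c[1] += 1
        c[2] = genuine
    report = {}
    for scenario, (passed, total, genuine) in counts.items():
        report[scenario] = {"kind": "positive" if genuine else "negative",
                            "passed": passed, "total": total,
                            "rate": passed / total, "ci": wilson_interval(passed, total)}
    return report

def weakest_negative_scenarios(report, max_upper_bound=0.05):
    """Negative scenarios whose attack pass rate cannot be shown to be below the limit."""
    bad = [(s, r) for s, r in report.items()
           if r["kind"] == "negative" and r["ci"][1] > max_upper_bound]
    return [s for s, _ in sorted(bad, key=lambda x: x[1]["rate"], reverse=True)]

if __name__ == "__main__":
    rep = summarize(TRIALS)
    for name, r in rep.items():
        print(f"{name:16s} {r['kind']:8s} {r['passed']}/{r['total']} "
              f"rate={r['rate']:.3f} ci=({r['ci'][0]:.3f}, {r['ci'][1]:.3f})")
    print("targeted training priority:", weakest_negative_scenarios(rep))
```

The scenarios returned by `weakest_negative_scenarios` are the ones to feed back for the targeted training the paragraph describes; a scenario with zero passes is cleared only when enough trials were run to bring the interval's upper bound under the limit.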