<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Biometric Images Attacks Detecting Using Convolutional Neural Networks</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>V. N. Karazin Kharkiv National University</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Kharkiv</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Ukraine kirillfilippsky@gmail.com</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>sapsanmiha@gmail.com</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Kharkiv National University of Radio Electronics</institution>
          ,
          <addr-line>Kharkiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Kherson State University</institution>
          ,
          <addr-line>Kherson</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>0000</fpage>
      <lpage>0003</lpage>
      <abstract>
        <p>Nowadays biometric user authentication systems have become widespread. These systems are implemented not only in enterprises, controlledaccess facilities, but also on smartphones of ordinary users and in online applications. There are special attacks designed to impersonate another person by submitting fake biometric data to the authentication system. The composition, purpose and main components of biometric face recognition systems are considered in the article, the essence of some known types of attacks, existing methods of counteracting counterfeit attacks (spoofing attacks) are analyzed and a new method for detecting them is proposed. The method is based on the use of an artificial convolutional neural network which was trained using a Replay-Attack Database from Idiap Research Institute. The results of modeling attacks on training, validation and test data sets are presented. The obtained results show high efficiency of the proposed method: the probability that an attack will be detected is 94.98%. This indicates the prospect of further studies of artificial neural networks for detecting attacks of counterfeit biometric images.</p>
      </abstract>
      <kwd-group>
        <kwd>biometric images</kwd>
        <kwd>spoofing attacks</kwd>
        <kwd>convolutional neural networks</kwd>
        <kwd>authentication</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Biometrics refers to the science of defining a personality basing on analysis of its
behavior or physical or chemical characteristics [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. The main biometric methods are
fingerprinting, face and voice recognition. The biometric system recognizes
personality by performing a number of operations. At the global level, a system using
biometric data consists of four parts [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]:
1. Scanner is a physical device used to collect input data to a biometric system.
Depending on the application, the functionality of the device may be different, for
example, fingerprint images can be obtained with optical sensors, while a face sample
can be obtained with a camera.
2. Features extraction algorithm – important features contained in the input data are
removed using the extraction algorithm.
3. Data storage – a database contains templates of a similar type of input data, for
instance, a fingerprint database consists of information about the fingerprints of
several people. The data is not stored open for security reasons, but instead of that it is
stored in a different special format.
4. Decision-making algorithm (Decision algorithm) – the removed features are
compared with those stored in the database to obtain similarity evaluation. Depending
on this assessment, a decision regarding the authentication (identity) of the user is
made.
      </p>
      <p>Depending on the application, biometric systems are divided into two types: to
authenticate or identify a person in the system. The identification system compares the
input data with each image that lies in the database, and then makes its decision about
the identity of the person. The authentication system compares the input data only
with an image that matches certain unique identifier in the database.</p>
      <p>
        Since there are too many features that can be removed from a person's biometric
data, for a feature to be considered useful, it must meet certain conditions. There are
several of the following conditions given in [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]:
1. Universality (versatility) – means that everyone must have this feature.
2. Uniqueness – means that there must be sufficient difference among the
characteristics of different people.
3. Constancy (permanency) – the feature must remain unchanged during the time
when the prototype of the user's biometric attribute is stored in the database.
4. Measurability – the feature must be possible to remove and/or to process.
      </p>
      <p>One of the biometric systems that meet these conditions is the face recognition
system. In this system the biometric data scanner is a typical or specially designed
camera for this task. In the article we will keep in mind that the scanner will use a regular
smartphone camera or webcam for biometric data capture in the system.</p>
      <p>The objective of this work is to develop a method for detecting a spoofing attack
on a biometric face recognition system. The proposed method is based on the use of
modern elements of deep learning convolutional neural networks, which is used to
detect attempts to fake biometric images (for example, by replacing biometric data
when scanning the face with appropriate photo or video images).
2</p>
    </sec>
    <sec id="sec-2">
      <title>Face recognition system</title>
      <p>
        Deep learning methods that have developed significantly in recent years are used in
our face recognition system. Their application allows achieving high accuracy [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
      </p>
      <p>In the general case, the process of face recognition using deep learning methods
can be described as follows:
1. User takes a photo of his face in a real-time mode.
2. Next, the module that finds the person's face in the image works. The found face is
sent to a module that processes unique features.
3. The unique features of a mathematical image along with a unique user ID are
compared with those already stored in the database.
4. The similarity of these two mathematical images is verified. If the difference
between them does not exceed a specified value, then the user is allowed to access
some resource or other type of service, that is, the authentication was successful. If
the difference between the images exceeds the specified value, the user is informed
that the authentication attempt has failed and the access to resource is failed.</p>
      <p>
        A trained deep convolutional neural network is used as a module that finds the face
in the image. The algorithm which is used to find the object is described in [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ].
Moreover, another trained convolutional neural network which is currently state-of-the-art
within the scope of this task is used as an algorithm for extracting important
features [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ].
      </p>
      <p>
        The described system does not work in real time mode, that is, the input of
algorithms is submitted with only one image of the user. Therefore, such a system is
vulnerable to special attacks on face recognition algorithms. Mainly, such as substitution
or spoofing attacks [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      </p>
      <p>The general scheme of such attacks implementation is shown in Figure 2. If Figure
1 shows the correct biometric system, an attempt to spoof the attack will look like a
substitution of real data of the user to the image of his data (in our case, this is the
face).</p>
      <p>Let's analyze known attacks on face recognition systems that are built using deep
learning methods.
3</p>
    </sec>
    <sec id="sec-3">
      <title>Attacks on the face recognition systems</title>
      <p>
        Currently, there are two types of attacks on the face recognition systems:
 Adversarial attacks [
        <xref ref-type="bibr" rid="ref7 ref8">7, 8</xref>
        ].
 Spoofing attacks [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ].
      </p>
      <p>To begin with, adversarial attack information will be outlined and analyzed. This
type of attack is aimed specifically at convolutional neural networks.
3.1</p>
      <p>
        The essence of Adversarial attacks and methods of counteraction
In 2014, a team of Google and NYU researchers found out [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] that attacking
convolutional neural networks is an extremely simple, carefully constructed push-in. Figure 3
shows an example of such an attack.
      </p>
      <p>
        We start with an image of a panda that is correctly recognized by deep learning
methods (neural network) as a “panda” with a confidence of 57.7%. If carefully
constructed noise is added to this, the neural network itself will assume that it is a Gibbon
image with 99.3% confidence. This is obviously an optical illusion, but only for the
neural network. For human vision, nothing has changed, and it is safe to say that both
images look like pandas – in fact, one cannot even say that some noise was added to
the original image to build an example on the right. But adding ordinary noise is not
the only type of attack. Another example is already aimed at bypassing of biometric
facial recognition system via creating special glasses. It is showed in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] that it is
possible to deceive face recognition software by creating Adversarial goggles
avoiding face recognition. An example of such goggles is shown in Figure 4.
      </p>
      <p>
        The most interesting thing about this type of attack is that it is completely
impossible to counteract it. There are only a few ways that can just reduce the likelihood of
an attack of this kind [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. One of the simplest and most violate ways is Adversarial
training. Its main point is to create a series of Adversarial examples for its own neural
network and then teach the model not to be mistaken with such examples. This
improves the overall situation, but sufficient resistance from this attack is not achieved.
In fact, an attacker may be able to make a new attack in the same way but with the
noise picked up for a new neural network. Such a struggle can go on indefinitely.
      </p>
      <p>
        The second way is Defensive Distillation. Its main point is that it trains the second
model, the upper layers of which are smoothed in the places that the attacker will
usually try to use, complicating their detection, which can lead to incorrect
categorization. The reason it works is that, unlike the first model, the second one is trained on
the “soft” output performance of the primary model, rather than the “hard” (0 or 1)
ones with real training data. This technique has been shown to be successful in
protecting against simple variants of such attacks, but has become vulnerable to newer
attacks. In particular, one can take the Carlin-Wagner attack as an example [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ],
which is a valid benchmark for evaluation of the neural network strength against
competitive attacks.
      </p>
      <p>
        Thus, as one can see, there are no explicit methods of defense against the attacks
under consideration. Therefore, the task of solving this issue is still a method of
research in the field of computer science or artificial intelligence [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].
The situation is different with this type of attack. A spoofing attack is an attempt to
grant someone else's privileges or access rights through a photo, video or other data.
Some examples of such attacks include:
 Photo Attack: An attacker uses someone else's photo. The image is printed or
displayed on a digital device.
 Video Attack: A more sophisticated way to fool a system that typically requires
looping video of a person's face. This approach makes it possible to use facial
expressions and facial movements to make them look more "natural" than the
previous method.
 3-D Mask Attack: During this type of attack, the mask is used as a forgery tool.
      </p>
      <p>This is more complicated attack than video playback. This allows you to use facial
movements and to bypass some additional layers of protection, such as depth
sensors.</p>
      <p>There are many different approaches to counteracting attacks of this type. The
most popular modern solutions include:
 Live Face Detection: A mechanism based on an analysis of how “live” is a test
face. This is usually done by checking eye movements, such as blinking and face
movement.
 Contextual information exploration: By exploring the surroundings of an image,
we can try to detect whether a digital device or photo paper was in the area found.
 Texture analysis: In this method, small textured portions of the input image are
probed to find patterns in fake and real images.
 User Interaction: By inviting the user to perform a specific action (turn their head
left or right, smile or blink their eyes), the algorithm can detect whether the action
was performed naturally.</p>
      <p>
        Of course, one cannot ignore the special technical means specially designed to
counteract such attacks. In practice, it was possible to offer Apple a list of
deeprendering and 3D-usage methods that allow for fake support with great precision [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ].
However, this high-end equipment is exclusively the proprietary campaign used by
large companies in secure regional programs.
      </p>
      <p>During research and testing, it has been found that an extremely high level of
realtime counterfeit detection can be achieved with a standard medium quality camera.
We offer a new method of recognition spoofing attacks, which is based on the use of
convolutional neural networks.
4</p>
    </sec>
    <sec id="sec-4">
      <title>The proposed method and experimental research</title>
      <p>As mentioned above, convolutional neural networks perform very well in computer
vision tasks. Therefore choosing the approach to developing the method, it was
decided to use them.</p>
      <p>
        As is known from [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ], in order to teach a neural network a specific task, it is
necessary to have specific data. In our case, the training aims at recognizing the spoofing
attack, that is, detecting a fake face in the system, provided that only one face image
and no more additional information is fed to the decision algorithm.
      </p>
      <p>As a result, the proposed method consists of using a convolutional neural network
that receives biometric images of human faces at the input (128x128 pixels in our
experiments) and outputs a binary solution: whether the input image is spoofed or not.</p>
      <p>
        The convolutional neural network (CNN) was first proposed by Jan Lekun in 1988
and aims at effective pattern recognition [
        <xref ref-type="bibr" rid="ref13 ref14">13, 14</xref>
        ]. The main idea when constructing
convolutional neural networks is to alternate subsampling layers or pooling layers.
This is some approximation to the functioning of the visual cortex [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], in which
socalled simple cells responding to straight lines at different angles and complex cells
whose reaction is associated with the activation of a particular set of simple cells were
discovered. This artificial neural network architecture was named because of the
convolution operation, the essence of which is that each fragment of the image is
multiplied by the convolution matrix (nucleus) element by element, and the result is
summed up and written to a similar position of the original image.
      </p>
      <p>
        Usually standard methods are used to train convolutional neural networks, most
often the backpropagation method is the gradient calculation method used for updating
the weights of a multilayer perceptron [
        <xref ref-type="bibr" rid="ref16 ref17">16, 17</xref>
        ]. This is an iterative gradient algorithm
that is used to minimize the error of the multilayer perceptron and obtain the desired
output [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. The basic idea of this method of training is to propagate error signals
from the network outputs to its inputs, in the direction opposite to the direct
propagation of signals in the normal mode [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. To implement convolutional neural network
training in the proposed method of detecting spoofing attacks, data belonging to Idiap
Research Institute and contained in the Replay-Attack database were used [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ].
      </p>
      <p>The Replay-Attack database consists of 1,300 video clips of attempted photo and
video attacks for 50 different people under different lighting conditions. Data from
this database is already divided into 3 subgroups, including:
 Train data that will be used to train the anti-forgery classifier.
 Validation data used to find the optimal classification threshold.
 Test data to measure the effectiveness of the method developed.</p>
      <p>Persons who appear in one of the datasets (train, valid, or test) do not appear in any
other dataset. After some experiments, it was decided to integrate this method
immediately after the face image was found on the input. This is due to the fact that, in
some examples, a spoofing attack, the face finding algorithm did not find the face in
the glossy type photos.</p>
      <p>The problem in our work is formulated as follows: a biometric image of the face is
fed to the input of the spoofing attack recognition algorithm. At the output, the
algorithm should give one of two possible binary values:
 1 (or «yes») - if the input is classified as a spoofing attack,
 0 (or «no») - if the input is classified as a real image.</p>
      <p>An image argumentation algorithm was developed to extend our data, and the
following types of argumentation were used:
</p>
      <p>Adding a Gaussian noise with a value scale  0.05  255 , where scale is a standard
deviation from the normal noise-generating distribution;
 Adding a Gaussian Blur with a value sigma  0.5 , where sigma is the standard
deviation of a Gaussian filter;
 Rotations from -45 to 45 degrees;
 Zoom in or zoom out.</p>
      <p>The next stage of the study was the justification of special metrics to measure the
effectiveness of the developed method. Because as a result of detecting an attack, a
binary decision is made (yes / no), we have the following set of possible situations
(Table 1). In our case, the null hypothesis is defined as follows: at the entrance to the
spoofing recognition algorithm, we consider that the input image is an attempt to
spoof the attack, which is denoted as H0. Then, the alternative hypothesis is defined as
this: the input image that is fed to the input of the recognition algorithm is not an
attempt to spoof the attack and is denoted as H1. For each input image, a decision or
conclusion is drawn that accepts or rejects the null hypothesis, i.e. whether it is an
attempt to spoof the attack or not.</p>
      <p>For all input data, the decision rule is: if the output of the algorithm is less than 0.5,
then it is assumed that the image is not an attempt to spoof the attack, otherwise it is
assumed that the image is a spoofing attack.</p>
      <p>Table 1 shows the following terms:
 True positive – the model correctly recognized the spoofing attack;
 False positive – the model recognized the spoofing attack as a real face image;
 True negative – the model correctly recognized the real face image;
 False negative – the model recognized the real face image as a spoofing attack.</p>
      <p>False positives and False negatives are also called 1st and 2nd order errors.
Depending on the system in which the algorithm is used, attention to one of the errors
becomes greater. For example, if we take our situation into account, attention should
be paid to a 1st-order error, since, when a model recognizes a spoofing attack for a
real face, it can lead to critical consequences. Otherwise, for example, we have a
system for recognizing spam emails on the e-mail box, then there will already be more
attention to the error of the 2nd kind, since, when a non-spam email is recognized by
the algorithm as spam, it can lead to that an important email may be transferred to the
spam folder and not reach the end user.</p>
      <p>After defining the basic concepts involved in evaluating the performance of a
classification algorithm, let's determine what our model performance test is. Suppose we
have trained our network on training data, and we need to know how the model would
behave when dealing with data that was not in the training sample. To do this, there is
or creates a special set of images that the algorithm has not yet seen. During testing,
all results are stored in a special form, depending on Table 1. Thus, after testing
throughout the test sample, we have four values that are the results of the model. Such
values are the number of results True positive, True negative, False positive, False
negative. But these are just basic metrics and, to better evaluate the performance of
the model, use other custom metrics. In our work, such metrics are Precision and
Recall:</p>
      <sec id="sec-4-1">
        <title>Precision </title>
        <p>True positives</p>
      </sec>
      <sec id="sec-4-2">
        <title>True positives  False positives</title>
      </sec>
      <sec id="sec-4-3">
        <title>Re call </title>
        <p>True positives
True positives  False negatives
,
(1)
(2)
 True positives - the total number of correctly recognized attacks;
 False positives - the total number of false unrecognized attacks;
 False negatives is the total number of mis-recognized attacks.</p>
        <p>
          Thus, in formulas (1) and (2), Precision shows the proportion of detected attacks
from all attacks that were in the data set, whereas Recall shows the proportion of
correctly recognized attacks from all images that were recognized as attacks [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ]. The
choice of such metrics is due to the fact that they show how big the error of the 1st
kind is, on which we focus our attention.
        </p>
        <p>After defining the necessary metrics and data processing methods, the next step is
to develop a neural network architecture. Figure 5 shows its architecture.</p>
        <p>
          From Figure 4 you can see that our neural network has 5 convolutional blocks
consisting of a Convolutional (Conv2D) layer and a MaxPooling2D layer. The last digit
in the Output Shape value indicates the number of filters in the convolutional layer, in
all convolutional layers the filter size is 3x3, and the relu activation function [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ] and
the padding value equals same. Filter size in MaxPooling2D layer is 2x2. After the
last convolutional block, there is a Flatten layer that changes the dimension of a 3-D
matrix into a 1-D vector, followed by two Dense layers, the first size 1024 neurons
with relu activation function, the second one with 1 neuron and sigmoidal activation
function [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ] to obtain the probability of a substitution attack.








        </p>
        <p>
          The optimization of the neural network weights was performed using the Adam
algorithm [
          <xref ref-type="bibr" rid="ref21">21</xref>
          ], which is given below.
        </p>
        <p>The input to the algorithm:
  : Learning speed (standard setting   0.001 );
   108 ;
1,2 0,1 : Exponential decay rates for moment estimates (default settings
 m0  0 (Initialization of the first moment vector);
 0  0 (Initialization of the second moment vector);
 t  0 (Initializing time step).</p>
        <p>Until t converges, we perform the following operations in a loop:
t  t 1 ;
gt   ft (t 1) (Take a gradient with respect to the stochastic function of each
time step t);
mt  1mt1  (1 1)gt (Update the rejected value of the first moment);
  t   2 t 1  (1   2 )gt 2 (Update the rejected value of the second moment);
mt 
 t </p>
        <p>mt
1   t1
 t
1   t 2
 t  t 1  .</p>
        <p>(Calculate the rejected value of the first moment);
(Calculate the rejected value of the second moment);</p>
        <p>mt
 t </p>
        <p>(Update parameters).</p>
        <p>At the output of the algorithm we get  t (Result parameters).</p>
        <p>
          The training of the neural network was held with the following parameters:
 learning_rate = 0.001;
 epochs = 25;
 batch_size = 32;
 loss: binary_crossentropy,
learning rate – a training step or rate at which weights change. If you choose too
much of a learning step, the function can jump over the global minimum and
never collapse, and vice versa, if set too small, the function can get stuck in the local
minimum and never get out of it;
 epochs – number of training cycles, that is, how many times the model should go
through all training data;
 batch size – the number of images that are fed into the model at the same time (to
made the model geared towards generalizing the data and to speed up the learning
process);
 loss - a special function that is used to optimize the neural network. Loss helps
optimize neural network parameters. Our goal is to minimize loss to the neural
network by optimizing its parameters (weights). Loss is calculated by using a
special function, comparing the target (real) value and the predicted value with a
neural network. Then we use Adam gradient descent method to update the neural
network weights so that loss is minimized. So we train a neural network.
Therefore, loss is a function of losses, it is in charge of what the neural network will
study, in our case the task of binary classification, so the choice falls on
binary_crossentropy loss [
          <xref ref-type="bibr" rid="ref22">22</xref>
          ]. It is defined as follows:
        </p>
        <p>H p (q)  
1 N</p>
        <p> yi log( yi )  (1  yi ) log(1  yi ) ,
N i1
(3)
yi is a label predicted by the neural network.</p>
        <p>That is, binary_crossentropy loss measures the effectiveness of a classification
model whose output is a probability value between 0 and 1. Loss increases when the
predicted probability deviates from the real value. The ideal model should have a
value of loss function close to zero.</p>
        <p>
          All software was programmed in Python using the following frameworks:
tensorflow [
          <xref ref-type="bibr" rid="ref23">23</xref>
          ], opencv [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ], imgaug [
          <xref ref-type="bibr" rid="ref25">25</xref>
          ].
5
        </p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>The results of the experiment</title>
      <p>After 20 epochs, the model began to show signs of retraining, so the end of training
occurred on the 20th epoch. Loss of our network was 0.1796 and the overall accuracy
on the validation data was 0.9485. Figure 6 shows how the training loss and
validation loss of our model varied over the training period. You can also see in Figure 7
how the model's accuracy in training and validation data has changed.</p>
      <p>You can see that in Figure 6, our loss function drops throughout the training. This
means that the model was able to find the difference in the distribution of data in the
real image of the human face and in the fake. Figure 7 confirms the above, we see
how accuracy (the number of correctly predicted values) increases with each epoch.
You can also see that the results of the test set are worse on both charts. This is
because the training data is seen and memorized by the model and not by the test data.
Therefore, the effectiveness of the test sample is less than the training sample.</p>
      <p>
        The next step to improving the model's efficiency is finding the best decision
threshold, which is 0.5 by default. The main criterion is the balance between false
positive rate (FPR) and false negative rate (FNR) values [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ]. Figure 8 shows how
FPRs and FNRs change with the decision threshold being changed. The optimal
threshold is usually the value where these two metrics have the smallest values
relative to each other [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ]. This is usually the point of intersection.
      </p>
      <p>As can be seen in Figure 8, the optimal decision threshold should be 0.59 in order
to minimize the first-order error and the second-order error. From the figure you can
see that further false negative rate does not increase much relative to how false
positive rate decreases. The decision was made to set a decision threshold of 0.7 because
it is more important for our system to reduce 1st order error.</p>
      <p>When the optimal decision threshold has been found, the final step of our
experiment is to measure the performance of our model on new data. In our case, such data
is the test data specified in paragraph 4 of this article. Thus, according to the metrics
of paragraph 4, the results of the algorithm are shown in table 2.</p>
      <p>The values in the table were calculated on an already trained model. Metrics were
calculated using formulas (1) and (2). As you can see from these metrics, the
probability that an attack will be detected is 94.98%. It should be noted that models with
different parameters and architectures were tested. The table shows the results of the
best model, the details of which were given in paragraph 4.
6</p>
    </sec>
    <sec id="sec-6">
      <title>Conclusions</title>
      <p>
        This paper examines existing attacks on face recognition systems. A method of
counteracting Spoofing attack based on the use of artificial convolutional neural network
was developed. The probability that an attack will be detected by our system is
94.98%. Out of the box, only adversarial attacks remain, and still remain unbeatable.
It can be noted that if you use real-time recognition, adversarial noise-based attacks
will lose their relevance. Further work should focus on the recognition of the special
eyepieces that were mentioned in paragraph 3 of this article. In addition, the obtained
research results can be useful for various methods to improve the reliability and
security of biometric systems [
        <xref ref-type="bibr" rid="ref28 ref29">28, 29</xref>
        ]. These results can be used in other computer
science applications [
        <xref ref-type="bibr" rid="ref30 ref31 ref32 ref33 ref34 ref35 ref36">30-36</xref>
        ].
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>A.K. Jain</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          <string-name>
            <surname>Flynn</surname>
          </string-name>
          ,
          <article-title>and</article-title>
          <string-name>
            <given-names>A.A.</given-names>
            <surname>Ross</surname>
          </string-name>
          , “Introduction to biometrics”,
          <source>in Handbook of Biometrics</source>
          .
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>D.</given-names>
            <surname>Maltoni</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Maio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.K.</given-names>
            <surname>Jain</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Prabhakar</surname>
          </string-name>
          ,
          <source>Handbook of Fingerprint Recognition</source>
          ,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <article-title>Deep Residual Learning for Image Recognition Kaiming He Xiangyu Zhang Shaoqing Ren Jian Sun</article-title>
          . https://arxiv.org/pdf/1512.03385.pdf
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          <article-title>4. YOLOv3: An Incremental Improvement Joseph Redmon</article-title>
          , Ali Farhadi University of Washington. https://arxiv.org/abs/
          <year>1804</year>
          .02767
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5. FaceNet:
          <article-title>A Unified Embedding for Face Recognition and Clustering</article-title>
          . https://arxiv.org/pdf/1503.03832.pdf
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Lazarick</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          <article-title>"Spoofs, subversion and suspicion: Terms and concepts."</article-title>
          <source>In Proc. NIST Int. Biometric Perform. Conf. (IBPC)</source>
          .
          <year>2012</year>
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>Adversarial</given-names>
            <surname>Examples</surname>
          </string-name>
          :
          <article-title>Attacks and Defenses for Deep Learning Xiaoyong Yuan</article-title>
          , Pan He, Qile Zhu, Xiaolin Li∗
          <article-title>National Science Foundation Center for Big Learning</article-title>
          , University of Florida. https://arxiv.org/pdf/1712.07107.pdf
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8. Explaining and
          <string-name>
            <given-names>Harnessing Adversarial</given-names>
            <surname>Examples. Ian J. Goodfellow</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Jonathon</given-names>
            <surname>Shlens</surname>
          </string-name>
          &amp;
          <article-title>Christian Szegedy Google Inc</article-title>
          ., Mountain View, CA. https://arxiv.org/pdf/1412.6572.pdf
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <article-title>Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-</article-title>
          <string-name>
            <surname>Art Face Recognition Mahmood Sharif</surname>
          </string-name>
          Carnegie Mellon University Pittsburgh, https://www.cs.cmu.edu/ ~sbhagava/papers/face-rec-ccs16.pdf
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <source>Towards Evaluating the Robustness of Neural Networks Nicholas Carlini David</source>
          Wagner University of California, Berkeley, https://arxiv.org/pdf/1608.04644.pdf
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Face</surname>
            <given-names>ID Security</given-names>
          </string-name>
          , Apple. https://www.apple.com/business/docs/site/FaceID_ Security_Guide.pdf
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12. I. Goodfellow,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Bengio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Courville</surname>
          </string-name>
          , Deep Learning,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13. Y. LeCun,
          <string-name>
            <given-names>B.</given-names>
            <surname>Boser</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. S.</given-names>
            <surname>Denker</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Henderson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R. E.</given-names>
            <surname>Howard</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Hubbard</surname>
          </string-name>
          and
          <string-name>
            <given-names>L. D.</given-names>
            <surname>Jackel</surname>
          </string-name>
          : Backpropagation Applied to Handwritten Zip Code Recognition,
          <source>Neural Computation</source>
          ,
          <volume>1</volume>
          (
          <issue>4</issue>
          ): pp.
          <fpage>541</fpage>
          -
          <lpage>551</lpage>
          ,
          <year>Winter 1989</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Convolutional Neural</surname>
          </string-name>
          <article-title>Networks (LeNet)</article-title>
          .
          <source>DeepLearning 0</source>
          .1. LISA Lab. http://deeplearning.net/tutorial/lenet.html
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>M. Masakazu</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          <string-name>
            <surname>Mori</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          <string-name>
            <surname>Mitari</surname>
            and
            <given-names>Y.</given-names>
          </string-name>
          <string-name>
            <surname>Kaneda</surname>
          </string-name>
          , “
          <article-title>Subject Independent Facial Expression Recognition with Robust Face Detection Using a Convolutional Neural Network”</article-title>
          ,
          <source>Neural Networks</source>
          <volume>16</volume>
          , No.
          <issue>5-6</issue>
          (
          <year>June 2003</year>
          ): pp.
          <fpage>555</fpage>
          -
          <lpage>559</lpage>
          . DOI:
          <volume>10</volume>
          .1016/s0893-
          <volume>6080</volume>
          (
          <issue>03</issue>
          )
          <fpage>00115</fpage>
          -
          <lpage>1</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Rumelhart</surname>
          </string-name>
          David E.,
          <string-name>
            <surname>Geoffrey</surname>
            <given-names>E.</given-names>
          </string-name>
          <string-name>
            <surname>Hinton</surname>
            , and
            <given-names>Ronald J.</given-names>
          </string-name>
          <string-name>
            <surname>Williams</surname>
          </string-name>
          .
          <article-title>“Learning Internal Representations by Error Propagation” (September 1,</article-title>
          <year>1985</year>
          ). doi:
          <volume>10</volume>
          .21236/ada164453.
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Le</surname>
            <given-names>Cun</given-names>
          </string-name>
          , Yann,
          <string-name>
            <given-names>Yoshua</given-names>
            <surname>Bengio</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Geoffrey</given-names>
            <surname>Hinton</surname>
          </string-name>
          .
          <source>“Deep Learning.” Nature</source>
          <volume>521</volume>
          , No.
          <volume>7553</volume>
          (May
          <year>2015</year>
          ):
          <fpage>436</fpage>
          -
          <lpage>444</lpage>
          . DOI:
          <volume>10</volume>
          .1038/nature14539.
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <surname>Chingovska</surname>
          </string-name>
          ,
          <article-title>Ivana and Anjos, Andre and Marcel, Sebastien, On the Effectiveness of Local Binary Patterns in Face Anti-spoofing</article-title>
          ,
          <source>IEEE BIOSIG</source>
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <surname>Ting K.M.</surname>
          </string-name>
          <article-title>Precision and Recall</article-title>
          . In: Sammut C.,
          <string-name>
            <surname>Webb</surname>
            <given-names>G.I.</given-names>
          </string-name>
          <article-title>(eds) Encyclopedia of Machine Learning</article-title>
          . Springer, Boston, MA,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <surname>C. Enyinna Nwankpa</surname>
          </string-name>
          , W. Ijomah, Anthony Gachagan, and Stephen Marshall,
          <source>Activation Functions: Comparison of Trends in Practice and Research for Deep Learning</source>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <surname>Diederik</surname>
            <given-names>P.</given-names>
          </string-name>
          <string-name>
            <surname>Kingma</surname>
          </string-name>
          , Jimmy Ba. “
          <article-title>Adam: A Method for Stochastic Optimization”</article-title>
          .
          <source>Submitted on 22 Dec</source>
          <year>2014</year>
          (
          <year>v1</year>
          ),
          <source>last revised 30 Jan</source>
          <year>2017</year>
          (this version,
          <year>v9</year>
          ). https://arxiv.org/abs/1412.6980.
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          22.
          <article-title>On Loss Functions for Deep Neural Networks in Classification, Katarzyna Janocha</article-title>
          , Wojciech Marian Czarnecki,
          <source>Faculty of Mathematics and Computer Science</source>
          , Jagiellonian University, Krakow, Poland,
          <year>2017</year>
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          23.
          <string-name>
            <surname>Martín</surname>
            <given-names>Abadi</given-names>
          </string-name>
          , Ashish Agarwal, Paul Barham, Eugene Brevdo, Zhifeng Chen et al,
          <source>TensorFlow: Large-scale machine learning on heterogeneous systems</source>
          ,
          <year>2015</year>
          .
          <article-title>Software available from tensorflow</article-title>
          .org
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          24.
          <string-name>
            <surname>Bradski</surname>
            <given-names>G.</given-names>
          </string-name>
          ,
          <article-title>The OpenCV Library</article-title>
          , Dr.
          <source>Dobb's Journal of Software Tools</source>
          ,
          <year>2000</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          25.
          <string-name>
            <surname>Alexander</surname>
            <given-names>B.</given-names>
          </string-name>
          <string-name>
            <surname>Jung</surname>
          </string-name>
          , Imgaug, https://github.com/aleju/imgaug,2018
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          26.
          <string-name>
            <surname>Kimball</surname>
            <given-names>A.W.</given-names>
          </string-name>
          , “
          <article-title>Errors of the Third Kind in Statistical Consulting”</article-title>
          ,
          <source>Journal of the American Statistical Association</source>
          , Vol.
          <volume>52</volume>
          , No.
          <volume>278</volume>
          , (
          <year>June 1957</year>
          ), pp.
          <fpage>133</fpage>
          -
          <lpage>142</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          27.
          <string-name>
            <surname>Mark H. Zweig</surname>
          </string-name>
          ' and Gregory Campbell,
          <article-title>Receiver-Operating Characteristic (ROC) Plots: A Fundamental Evaluation Tool in Clinical Medicine</article-title>
          ,
          <year>1993</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          28.
          <string-name>
            <given-names>S.</given-names>
            <surname>Rassomakhin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kuznetsov</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Shlokin</surname>
          </string-name>
          ,
          <string-name>
            <surname>I. Belozertsev</surname>
          </string-name>
          and
          <string-name>
            <given-names>R.</given-names>
            <surname>Serhiienko</surname>
          </string-name>
          , “
          <article-title>Mathematical Model for the Probabilistic Minutia Distribution in Biometric Fingerprint Images”</article-title>
          ,
          <source>2018 IEEE Second International Conference on Data Stream Mining &amp; Processing (DSMP)</source>
          , Lviv, Ukraine,
          <year>2018</year>
          , pp.
          <fpage>514</fpage>
          -
          <lpage>518</lpage>
          . DOI:
          <volume>10</volume>
          .1109/DSMP.
          <year>2018</year>
          .8478496
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          29.
          <string-name>
            <given-names>A.</given-names>
            <surname>Kuznetsov</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kiyan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Uvarova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Serhiienko</surname>
          </string-name>
          and
          <string-name>
            <given-names>V.</given-names>
            <surname>Smirnov</surname>
          </string-name>
          , “
          <article-title>New Code Based Fuzzy Extractor for Biometric Cryptography”</article-title>
          , 2018 International Scientific-Practical Conference Problems of Infocommunications. Science and
          <string-name>
            <surname>Technology (PIC S&amp;T)</surname>
          </string-name>
          , Kharkiv, Ukraine,
          <year>2018</year>
          , pp.
          <fpage>119</fpage>
          -
          <lpage>124</lpage>
          . DOI:
          <volume>10</volume>
          .1109/INFOCOMMST.
          <year>2018</year>
          .8632040
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          30.
          <string-name>
            <surname>Bondarenko</surname>
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Liliya</surname>
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Oksana</surname>
            <given-names>K.</given-names>
          </string-name>
          , and
          <string-name>
            <surname>Inna</surname>
            <given-names>G.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>Modelling instruments in risk management</article-title>
          .
          <source>International Journal of Civil Engineering and Technology</source>
          ,
          <volume>10</volume>
          (
          <issue>1</issue>
          ), pp.
          <fpage>1561</fpage>
          -
          <lpage>1568</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          31.
          <string-name>
            <surname>Runovski</surname>
            <given-names>K.</given-names>
          </string-name>
          , and
          <string-name>
            <surname>Schmeisser</surname>
          </string-name>
          .
          <article-title>On the convergence of Fourier means and interpolation means</article-title>
          .
          <source>Journal of Computational Analysis and Applications</source>
          ,
          <volume>6</volume>
          (
          <issue>3</issue>
          ),
          <year>2004</year>
          , pp.
          <fpage>211</fpage>
          -
          <lpage>227</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          32.
          <string-name>
            <surname>Al-Azzeh</surname>
            <given-names>J.S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Al Hadidi</surname>
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Odarchenko</surname>
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gnatyuk</surname>
            <given-names>S.</given-names>
          </string-name>
          , Shevchuk
          <string-name>
            <surname>Z.</surname>
          </string-name>
          , Hu
          <string-name>
            <surname>Z.</surname>
          </string-name>
          <article-title>Analysis of self-similar traffic models in computer networks</article-title>
          ,
          <source>International Review on Modelling and Simulations</source>
          , №
          <volume>10</volume>
          (
          <issue>5</issue>
          ), pp.
          <fpage>328</fpage>
          -
          <lpage>336</lpage>
          ,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          33.
          <string-name>
            <surname>Chornei</surname>
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>Hans</given-names>
            <surname>Daduna</surname>
          </string-name>
          ,
          <string-name>
            <surname>V. M.</surname>
          </string-name>
          ,
          <string-name>
            <given-names>and Knopov P.</given-names>
            <surname>Controlled</surname>
          </string-name>
          <article-title>Markov fields with finite state space on graphs</article-title>
          .
          <source>Stochastic Models</source>
          , issue
          <volume>21</volume>
          (
          <issue>4</issue>
          ),
          <year>2005</year>
          , pp.
          <fpage>847</fpage>
          -
          <lpage>874</lpage>
          . DOI:
          <volume>10</volume>
          .1080/15326340500294520
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          34.
          <string-name>
            <given-names>R.</given-names>
            <surname>Odarchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Gnatyuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Gnatyuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Abakumova</surname>
          </string-name>
          ,
          <article-title>Security Key Indicators Assessment for Modern Cellular Networks</article-title>
          ,
          <source>Proceedings of the 2018 IEEE First International Conference on System Analysis &amp; Intelligent Computing (SAIC)</source>
          ,
          <source>Kyiv, Ukraine, October</source>
          <volume>8</volume>
          -
          <issue>12</issue>
          ,
          <year>2018</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>7</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          35.
          <string-name>
            <surname>Molodetska</surname>
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Brodskiy</surname>
            <given-names>Yu.</given-names>
          </string-name>
          ,
          <source>Fedushko S. Model of Assessment of InformationPsychological Influence in Social Networking Services Based on Information Insurance. COAPSN-2020. CEUR</source>
          . Vol
          <volume>2616</volume>
          ,
          <year>2020</year>
          . p.
          <fpage>187</fpage>
          -
          <lpage>198</lpage>
          . http://ceur-ws.org/Vol2616/paper16.pdf
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          36.
          <string-name>
            <surname>Tkach</surname>
            ,
            <given-names>B. P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Urmancheva</surname>
          </string-name>
          , L. B.
          <article-title>Numerical-analytic method for finding solutions of systems with distributed parameters and integral condition</article-title>
          .
          <source>Nonlinear Oscillations</source>
          ,
          <volume>12</volume>
          (
          <issue>1</issue>
          ),
          <year>2009</year>
          , pp.
          <fpage>113</fpage>
          -
          <lpage>122</lpage>
          . DOI:
          <volume>10</volume>
          .1007/s11072-009-0064-6
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>