CTV-FAS: Compensate Texts with Visuals for Generalizable Face Anti-spoofing

• The introduce of visual cues: the authors aim to solve the problem (some attacks cannot be described by texts) by introducing visual anchor, but the image input is already one kind of visual cues, is there any evidence that another visual cues can actually be helpful for existing visual cues? Also the idea which tries to solve the problem of text modality by designing on visual modality seems weird intuitively.
• For Fig.1: It is clear that from (a) the generalization is affected, but it is not that clear from (b) how the generalization is improved by V1. Is it because V1 is closer to T1? This part should be clear.
• The authors mainly target on two attacks: paper and replay attacks. Is this method also be effective for other attacks such as 3D mask?
• For SSCM: which part of visual encoder is updated during training? From Fig.2 (1), the teacher part is frozen, but from Eq. (2), the parameters of teacher is updated. It is not clear. And why masking can make the feature more robust for this task? More explanations are needed.
• For VAUM: we assume the part in Fig.2 (2) is applicable, the anchor for hard samples should be highly-related to the sample in training data, how can the authors make sure the anchors in training data can generalize well to unseen distributions? More proof is needed. Besides, the CLIP encoders are not fine-tuned, how can they have the knowledge of which attack is employed (print/replay/real) ? This is also weird.
• For AMIM: the calibration by the entropy is kind of widely-used technique in related field, the novelty of this part should be justified.
• For benchmark: the authors should compare more recent methods, they only compare with one method on 2024, which should not be enough.
• For ablation: are all the condions discussed in Tab.4? How about only using SSCM and AMIM?
• For Tab.7: what do you mean by only using one branch? Is this only during inference?
• For Fig. 3: it could be better and more clear if you show how each module influences the decision boundary on source/target distributions.

The weaknesses are listed as below: (1) The overall framework seems simple and the contributions are marginal. For instance, Self-Supervised Consistency Module (SSCM) is a simple application of self-supervised learning frameworks. It can hardly be noticed as a contribution. (2) The design of VAUM is intuitive. It adopts a moving average between current anchors and the hard samples. As a result, the choice of beta and the choice of hard samples can dramatically influence the final performance. There is no detailed ablation studies on the choice of beta and the choice of hard samples. (3) According to the ablation results in Tab. 4, with the help of VAUM, the baseline is significantly improved. However, it seems that baseline+VAUM does not use visual anchors for decision making. Then, how does it happen that VAUM helps improve the performance.

1. Regarding the limited innovation of SSCM: SSCM doesn't seem to be an innovative technology in essence. It seems that it is just a combination of two commonly used self-supervised learning paradigms, i.e., MoCo and MAE. Additionally, it seems unreasonable to directly increase the similarity between a severely damaged (75% masked) sample and an augmented sample. Data augmentations in contrastive learning typically rely on consistent augmentation methods to ensure alignment in representation/semantic space. The core idea of contrastive learning is that the two augmented samples should have a high consistency in representation/semantics space. While MAE, which based on masked content prediction, is an implicit mutual information maximization approach. Given the high redundancy in image data, partial pixel representation is sufficient to predict the original image. It aims to learn robust/universal visual representations by learning the correlation between pixels. In addition, the author also propose to use SimCLR loss in Sec. 3.5. I am quite confused about all the settings mentioned above and hope the author can explain the insight or motivation.

2. About the semantic prompts in VAUM: The semantic prompts mentioned in your article, as shown in Figure 2 (2), e.g., ‘This is a real face’, ‘This is a print face’, ‘This is a replay face’ are simple prefix-suffix templates of text prompts that may lack sufficient semantic richness, which may result in limited performance. Some works [1] related to VLMs have already pointed out this issue and proposed using LLMs for text enhancement, rewriting, and expansion to enhance semantics. So simple prefixes or suffixes template may not truly be considered as semantic prompts, and the most direct approach may be to use text with rich semantics.

3. Insufficient explanation of VAUM: The VAUM section lacks sufficient detail, particularly regarding the selective updating strategy. In addition, how many visual anchors and text anchors are used? These aspects are not clearly specified.

Limited Anchor Diversity Cause Generalization Limitations: The use of only three anchors (replay, print, real) may constrain the model’s ability to generalize to a wider range of open-world attacks, particularly those not represented in the training data. This limited diversity in anchors could impact the model's performance in real-world scenarios. Additionally, since the visual anchors are learned exclusively within the training domains and do not adapt to new patterns, the framework may face challenges when encountering previously unseen attack variations.

1. This work is very similar to the work [1] with the Teacher-Student mechanism and the combination process by exchanging the image-end and the text-end. Thus, this work may not be the first one doing that and I question the novelty of this work. Maybe the authors can address the differences and clarify the situation.
2. Although the method has achieved satisfying results on the cross-domain experiments, it is still fuzzy how to compose such modules together that can help address the domain generalization problem. Maybe the authors should discuss more about the motivation of this work and the relationship between the task and the proposed algorithm.
3. Some works, like [2] [3], are not cited and are essential to the field. The authors should pay more attention to this.
4. There is a lack of comparison between the baseline methods like CLIP, CoOp, CoOpOp in the experiments.

[1] Unified physical-digital face attack detection

[2] CFPL-FAS: Class Free Prompt Learning for Generalizable Face Anti-spoofing

[3] Style-conditional Prompt Token Learning for Generalizable Face Anti-spoofing

The SELF-SUPERVISED CONSISTENCY MODULE is a self-distillation technique, and its relathionship and motivation for the visual anchor is unclear. It looks like that this paper simply combines the SSCM with other modules (VAUM and AMIM )

There are some writing and presentation issues, including citation format. For example, "mean-weighted Ming & Li (2024)" should be "mean-weighted (Ming & Li, 2024)".

In the Introduction, this paper raised two questions "What visual cues are robust enough to differentiate between the real person and paper/replay attack? ", and "What visual anchors can compensate for the deficiency of semantic prompts". How is unclear how the questions are answered. It is suggested that the paper highlight the answers of these two questions somewhere in the paper.

Fig.3: the color used in the visualization is not discriminate. The advantage of the proposed method is unclear as shown in the Fig.3.

The dynamic visual anchor updating may result in bias toward visual characteristics seen during training.