Papers
Topics
Authors
Recent
Search
2000 character limit reached

MIDV-DynAttack: Hologram Verification Benchmark

Updated 8 July 2026
  • MIDV-DynAttack is a public benchmark designed to assess verification systems by challenging them with dynamic holographic fraud attacks that mimic real-world temporal variations.
  • It extends MIDV-Holo by adding 1,200 attack videos and introducing both static and dynamic template attacks to rigorously test appearance and temporal behavior under diverse conditions.
  • The evaluation protocol employs stratified 5-fold cross-validation and metrics such as recall, F-score, and AUC to measure generalization against unseen, sophisticated fraud methods.

Searching arXiv for MIDV-DynAttack and related hologram-verification work to ground the article in published papers. MIDV-DynAttack is a public benchmark for evaluating remote verification of optically variable devices on identity documents under realistic attack conditions, with particular emphasis on dynamic frauds that imitate the changing visual behavior of holograms rather than merely substituting them with static counterfeits. It was introduced together with a verification framework, HoloVerif, in work on the verification of dynamic holographic behavior in identity documents (Pouliquen et al., 7 Jul 2026). The benchmark extends MIDV-Holo by adding realistic static and dynamic attacks against identity-document specimens, and is explicitly designed as a challenge set for unseen frauds, not as a general-purpose training corpus (Pouliquen et al., 7 Jul 2026).

1. Definition and motivation

MIDV-DynAttack was introduced to address a specific evaluation gap in automated document-security verification: prior datasets and methods could cover static frauds such as paper photocopies, printed overlays, or screen replays, but they did not permit rigorous public evaluation against real, dynamic fraud cases, including “handcrafted hologram” attacks (Pouliquen et al., 7 Jul 2026). The benchmark therefore targets the hardest setting in which a forged document region is engineered to exhibit not only visually plausible hologram-like content, but also temporally varying behavior.

The central premise is that a genuine optically variable device is constrained along two axes: its appearance and its temporal evolution under motion, viewpoint change, and illumination change (Pouliquen et al., 7 Jul 2026). Existing approaches had often verified only one of these axes. Some methods focused on hue or saturation changes, or on detecting “hologram-like” pixels, while others classified visual appearances without robustly validating both appearance conformity and behavioral validity (Pouliquen et al., 7 Jul 2026). MIDV-DynAttack was constructed to expose precisely these weaknesses.

A plausible implication is that MIDV-DynAttack should be understood not merely as a larger fraud collection, but as a benchmark that operationalizes a stricter definition of hologram verification: verifying the authenticity of a specific hologram rather than detecting generic temporal color variation.

2. Construction and relation to MIDV-Holo

MIDV-DynAttack extends MIDV-Holo by adding 1,200 new attack videos, thereby tripling the number of attack samples compared to the original dataset (Pouliquen et al., 7 Jul 2026). The benchmark retains the same application setting as MIDV-Holo: remote verification of the holographic or photo region of identity documents using commodity smartphones. All sequences were captured with one of three phones: Apple iPhone 7, Xiaomi Redmi Note 8 Pro, or Motorola G7 (Pouliquen et al., 7 Jul 2026).

A defining design choice is that MIDV-DynAttack is intended for testing only. It does not include training or validation splits, because its purpose is to assess generalization to unseen attacks (Pouliquen et al., 7 Jul 2026). For that reason, the recommended usage is in conjunction with the original MIDV-Holo, while maintaining identity-level separation across train, validation, and test splits (Pouliquen et al., 7 Jul 2026).

The benchmark also has an explicit asymmetry between genuine and fraudulent data. The authors state that they did not create new genuine samples, only attacks, because they did not have access to the original holographic layer of MIDV-Holo (Pouliquen et al., 7 Jul 2026). MIDV-DynAttack is therefore intentionally not a balanced extension of MIDV-Holo. Instead, it functions as a targeted stress test for verification systems.

This design distinguishes MIDV-DynAttack from datasets built for conventional supervised classification. A plausible implication is that performance on MIDV-DynAttack is intended to reflect out-of-distribution fraud robustness rather than in-distribution interpolation.

3. Attack taxonomy

MIDV-DynAttack contains two principal attack families: static template attacks and dynamic template attacks (Pouliquen et al., 7 Jul 2026). The former aim to induce temporal variation from essentially static artifacts through lighting or presentation manipulations; the latter use handcrafted dynamic templates to imitate holographic motion and diffraction more directly.

Static template attacks

The static family comprises 750 videos (Pouliquen et al., 7 Jul 2026). These attacks use a static printed template, but attempt to fool verification systems by creating temporal effects through illumination and capture conditions. They are meant to defeat methods that infer authenticity from per-frame color changes or brightness and saturation fluctuations without verifying the actual hologram shape and content (Pouliquen et al., 7 Jul 2026).

Category Composition
Natural Light (NL) - Paper 150 ID cards / 100 passports, no lamination
Natural Light (NL) - Plastic 200 ID cards, laminated; half with minimal reflections, half with deliberate multi-source reflections
LED-light - Plastic 50 ID cards, illuminated with multi-color LED rings
Laser light - Plastic 50 ID cards, with a red laser moving across the document
Swap - Paper 100 ID cards / 100 passports, using multiple printed templates swapped in front of the camera

Within Swap - Paper, two modes are described: swapping between two printed documents, and swapping between three printed documents (Pouliquen et al., 7 Jul 2026). These attacks are notable because they are not single-template counterfeits; they deliberately create multiple plausible holographic views by manipulating different printed templates so that the sequence appears to display correct temporal diversity (Pouliquen et al., 7 Jul 2026).

Dynamic template attacks

The dynamic family comprises 450 videos and constitutes the core novelty of the dataset (Pouliquen et al., 7 Jul 2026). In these attacks, the adversary uses handcrafted dynamic templates—color-printed, modified with holographic materials or layers, and then recaptured—to imitate holographic motion and diffraction (Pouliquen et al., 7 Jul 2026). They are designed to defeat systems that verify only generic hologram-like behavior without enforcing precise OVD appearance.

Category Composition
Plain holo 100 ID cards / 50 passports, homogeneous holographic material with continuous diffraction patterns
Leaf holo 100 ID cards / 50 passports, polygonal light patterns shaped like leaves
Double sticker 50 ID cards, flower-shaped holographic element with a “genuine” sticker not overlapping the photo ROI
Complete mask 50 ID cards, rough mask over the entire printed document
Star and world 50 ID cards, flower shape combined with a world-like hologram pattern

The dataset groups these dynamic attacks into two conceptual subclasses: random holographic overlay and mimicking the original holograms (Pouliquen et al., 7 Jul 2026). The first class includes Plain holo and Leaf holo; the second includes Double sticker, Complete mask, and Star and world (Pouliquen et al., 7 Jul 2026).

4. Evaluation protocol and benchmark role

The benchmark protocol associated with MIDV-DynAttack follows the protocol of Pouliquen et al. and uses grouped, stratified 5-fold cross-validation, with identity-level separation so that the same identity does not appear in more than one split (Pouliquen et al., 7 Jul 2026). This is presented as crucial for avoiding identity leakage and artificially inflated performance.

Training and calibration are performed only on the original MIDV-Holo “Vanilla” split, which excludes the Photo Replacement attack, while testing is conducted on the MIDV-Holo test split plus the entire MIDV-DynAttack dataset (Pouliquen et al., 7 Jul 2026). The main reported results use 5 FPS, defined as one frame out of three from a 15 FPS extraction, with supplementary results also provided at 15 FPS (Pouliquen et al., 7 Jul 2026). Each sequence is rectified through a private tracking and registration process and then cropped to isolate the OVD ROI (Pouliquen et al., 7 Jul 2026).

The reported metrics are structured around the benchmark’s attack-centric purpose. They include Recall on fraud-only subsets, F-score on subsets containing both legit and fraud samples, and AUC on the combined test set through ROC analysis (Pouliquen et al., 7 Jul 2026). The benchmark is intentionally challenging because MIDV-DynAttack contains unseen attacks only, and those attacks are specifically designed to exploit weaknesses in current hologram-verification systems (Pouliquen et al., 7 Jul 2026).

This protocol positions MIDV-DynAttack as a robustness benchmark rather than a closed-set classification benchmark. A plausible implication is that it tests whether a verifier has learned a transferable model of holographic validity, rather than attack-specific cues.

5. HoloVerif and the verification task defined by the benchmark

MIDV-DynAttack was introduced together with HoloVerif, a verification method whose structure reflects the benchmark’s central claim that genuine OVD verification must consider both appearance and dynamic behavior (Pouliquen et al., 7 Jul 2026). The system takes a rectified and pre-cropped OVD region and outputs a binary verdict, Legit / Non-Legit (Pouliquen et al., 7 Jul 2026).

Its pipeline has three stages: preprocessing to enhance the holographic signal, frame-level hologram detection, and sequence-level decision (Pouliquen et al., 7 Jul 2026). In preprocessing, a background image is estimated for the whole sequence using a per-pixel, per-channel median, then subtracted from each frame to remove static document content, including the bearer’s photo and other template elements (Pouliquen et al., 7 Jul 2026). A second deterministic step computes an HSV-derived normalizing mask

Nt(p)=It(S)(p)It(V)(p)maxt,p(It(S)(p)It(V)(p))N_{t}(p) = \frac{I_{t}^{(S)}(p) \cdot I_{t}^{(V)}(p)}{\max_{t',p'}\left(I_{t'}^{(S)}(p') \cdot I_{t'}^{(V)}(p')\right)}

and applies it multiplicatively to each RGB channel,

Ft(c)(p)=It(c)(p)Nt(p),c{R,G,B}.F_{t}^{(c)}(p) = I_{t}^{(c)}(p) \cdot N_{t}(p), \quad c \in \{R, G, B\}.

The stated effect is to suppress dark or unsaturated regions while preserving bright, highly saturated regions characteristic of holographic content (Pouliquen et al., 7 Jul 2026).

At frame level, HoloVerif predicts whether a preprocessed frame shows a Valid or Non-Valid holographic state (Pouliquen et al., 7 Jul 2026). Because frame-level labels are not naturally available, the method uses pseudo-labeling. For each preprocessed frame FtF_t, luminance Lt(p)[0,255]L_t(p)\in[0,255] is thresholded with T=5T=5, and the amount of change is defined as

Ct=Lt>TLt.C_t = \frac{|L_t > T|}{|L_t|}.

Frames are categorized as Bright if Ct>13C_t > \frac{1}{3}, Unsafe if Ft1F_{t-1} or Ft+1F_{t+1} is Bright, Dark if Ct<1e4C_t < 1e^{-4}, and Changing otherwise (Pouliquen et al., 7 Jul 2026). Unsafe and Dark frames are discarded. For Legit sequences, Bright frames are labeled Non-Valid and Changing frames Valid. For Non-legit sequences from static attacks, both Bright and Changing frames are labeled Non-Valid (Pouliquen et al., 7 Jul 2026). This permits training without any dynamic attack samples.

At sequence level, the method counts the proportion of frames classified as Valid and compares it to a calibrated threshold; if the ratio exceeds the threshold, the sequence is classified as Legit, otherwise Non-Legit (Pouliquen et al., 7 Jul 2026). The threshold is calibrated on a validation set to maximize F-score (Pouliquen et al., 7 Jul 2026).

In methodological terms, MIDV-DynAttack thus codifies a verification problem in which a successful system must reject attacks that mimic temporal variation, attacks that mimic shape, and attacks that manipulate presentation conditions to induce false dynamics.

6. Empirical findings and benchmark significance

The benchmark results reported with MIDV-DynAttack show a marked difference between systems that detect generic hologram-like signals and systems that verify more constrained holographic behavior (Pouliquen et al., 7 Jul 2026). HoloVerif is compared against the MIDV-Holo method, WSL, Direct Classifier, and the proposed HoloVerif (Pouliquen et al., 7 Jul 2026).

On MIDV-Holo Vanilla, HoloVerif achieves 95 ± 3 F-score and 96 ± 5 recall (Pouliquen et al., 7 Jul 2026). On MIDV-DynAttack Static, it reaches 93 ± 5 recall, compared with 72 ± 3 for MIDV-Holo and 81 ± 8 for WSL (Pouliquen et al., 7 Jul 2026). The most salient result concerns MIDV-DynAttack Dynamic, where HoloVerif reaches 61 ± 13 recall, compared with 3 ± 3 for MIDV-Holo and 2 ± 2 for WSL; the Direct Classifier attains 52 ± 20, but is described as not specifically verifying holographic behavior and instead exploiting generic cues (Pouliquen et al., 7 Jul 2026). On the combined Mix test, HoloVerif obtains 93 ± 2 AUC, matching the Direct Classifier and substantially exceeding the MIDV-Holo baseline and WSL (Pouliquen et al., 7 Jul 2026).

The per-attack analysis further clarifies the role of the benchmark. HoloVerif is reported to be very strong on Laser light and LED light static attacks, both at or near 100% recall, and strong on Plain holo dynamic attacks with 90 ± 9 recall (Pouliquen et al., 7 Jul 2026). It remains challenged by Leaf holo, Complete mask, and Star and world, where recall is lower but still substantially better than older hologram-specific baselines (Pouliquen et al., 7 Jul 2026). Document Swap is difficult for all methods, and the paper notes that HoloVerif’s background estimation can be misled if one of the swapped templates becomes the estimated background (Pouliquen et al., 7 Jul 2026).

The ablation study is central to the benchmark’s interpretive value. Pseudo labels only performs much worse overall, particularly on the main F-score; No augmentations reduces dynamic-attack performance substantially, lowering HoloVerif’s dynamic recall from 61 ± 13 to 29 ± 10 (Pouliquen et al., 7 Jul 2026). For the Direct Classifier, adding background subtraction sharply reduces performance on dynamic and static swap attacks, which is taken as evidence that much of its earlier success relied on spurious signals rather than genuine hologram verification (Pouliquen et al., 7 Jul 2026).

These results support the benchmark’s stated claim that methods detecting merely “some holographic behavior” fail badly on dynamic attacks, while generic fraud detectors may perform well for the wrong reasons (Pouliquen et al., 7 Jul 2026).

7. Interpretation, limitations, and future directions

MIDV-DynAttack formalizes a stricter problem than classical document-fraud detection. It is not sufficient for a system to detect temporal color variation, nor is it sufficient to detect generic non-document artifacts. The benchmark emphasizes verification of both behavioral validity and appearance conformity for a specific OVD (Pouliquen et al., 7 Jul 2026).

A common misconception would be to treat MIDV-DynAttack as simply an enlarged attack supplement to MIDV-Holo. The benchmark’s structure suggests a more specific role: it is a challenge set for evaluating whether a verifier generalizes to unseen dynamic forgeries (Pouliquen et al., 7 Jul 2026). Because it contains no newly collected genuine sequences, its utility lies primarily in stress-testing fraud recall and robustness, rather than in supporting complete supervised training pipelines.

The benchmark also exposes open technical issues. The authors point to the need for stronger temporal modeling, since the current method processes frames mostly as a set with final aggregation (Pouliquen et al., 7 Jul 2026). They also suggest focusing on critical regions, especially the bearer’s photo area, because photo replacement can leave valid holographic elements visible outside the modified region (Pouliquen et al., 7 Jul 2026). Additional proposed directions include combining model verification with attack detection, expanding the dataset with genuine samples, and evaluating precision/generalization more extensively (Pouliquen et al., 7 Jul 2026).

In this sense, MIDV-DynAttack occupies a specific position in document-security research: it is a benchmark designed to make hologram verification substantially harder and more realistic by introducing dynamic attacks that explicitly target the failure modes of existing methods (Pouliquen et al., 7 Jul 2026). Its significance lies not only in the quantity of added attacks, but in the way those attacks operationalize a research question that earlier public datasets did not adequately test.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to MIDV-DynAttack.