Imperceptible Face Forgery Attack via Adversarial Semantic Mask

Decheng Liu, Qixuan Su, Chunlei Peng, Nannan Wang, Xinbo Gao
2024-06-16
Abstract: With the great development of generative model techniques, face forgery detection draws more and more attention in the related field. Researchers find that existing face forgery models are still vulnerable to adversarial examples with generated pixel perturbations in the global image. These generated adversarial samples still can't achieve satisfactory performance because of the high detectability. To address these problems, we propose an Adversarial Semantic Mask Attack framework (ASMA) which can generate adversarial examples with good transferability and invisibility. Specifically, we propose a novel adversarial semantic mask generative model, which can constrain generated perturbations in local semantic regions for good stealthiness. The designed adaptive semantic mask selection strategy can effectively leverage the class activation values of different semantic regions, and further ensure better attack transferability and stealthiness. Extensive experiments on the public face forgery dataset prove the proposed method achieves superior performance compared with several representative adversarial attack methods. The code is publicly available at https://github.com/clawerO-O/ASMA.
Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The main problem this paper addresses is that existing face forgery detection models are vulnerable to adversarial examples, in particular adversarial perturbations generated over the global image. Such adversarial examples do not achieve satisfactory performance because they are highly detectable. To solve these problems, the authors propose an attack framework based on adversarial semantic masks (Adversarial Semantic Mask Attack, ASMA) that generates adversarial examples with good transferability and stealth.

### Specific Problems and Solutions

1. **Limitations of Existing Methods**:
   - Existing adversarial attack methods mainly attack forgery detection models by adding generated adversarial noise to the entire face image.
   - The adversarial examples generated this way carry adversarial noise over a large area, so they have poor stealth and are easily recognized by the human eye.
2. **Proposed Solutions**:
   - **ASMA Framework**: By introducing the adversarial semantic mask generation model, the generated perturbations are restricted to a local semantic area, which improves stealth.
   - **Adaptive Semantic Mask Selection Strategy**: Class Activation Mapping (CAM) is used to select more appropriate adversarial semantic mask areas, ensuring low perceptibility in practical applications.
   - **Experimental Verification**: Extensive experiments were carried out on the publicly available Deepfake Detection Challenge (DFDC) dataset, showing that the proposed method has superior performance compared to other representative adversarial attack algorithms.

### Mathematical Formulas

- Adversarial Example Update Formula:
  \[ g_t=\nabla_x\Delta(x, x') \]
  where \(\Delta(x, x')\) is the feature distance metric function, which is used to calculate the difference between the original sample \(x\) and the adversarial sample \(x'\).
- Update Adversarial Example:
  \[ x'_{t + 1}=x'_t+\alpha\cdot\text{sign}(g_t) \]
  where \(\alpha\) is the attack step size, which is used to control the size of the perturbation.
- Project the Adversarial Example into the Neighborhood of the Original Sample:
  \[ x'_{t + 1}=\text{clip}(x'_{t + 1}, x-\epsilon, x+\epsilon) \]
  where \(\epsilon\) is the constraint value of the perturbation range.

### Summary

This paper addresses the vulnerability of existing face forgery detection models to global adversarial example attacks by proposing the ASMA framework, while improving the stealth and transferability of adversarial examples. The experimental results show that ASMA performs well in both white-box and black-box attacks on multiple classical models, and has important research significance and application value.
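The three update steps listed under Mathematical Formulas, as an added example that is not code from the paper or the ASMA repository: it runs them on a toy linear feature map so the two properties a robustness evaluation should assert (the ε bound and no change outside the masked region) can be checked directly. Assumptions: \(\Delta\) is a squared feature distance under a constructed matrix `W`, the gradient is taken with respect to the current adversarial sample, the semantic restriction is modelled as a binary `mask` multiplied into the step, and a small `init` offset is used because the gradient of \(\Delta\) is zero at \(x' = x\).

```python
# Added example: toy linear feature map; W, X, MASK and INIT are constructed values.

def features(W, v):
    return [sum(w * p for w, p in zip(row, v)) for row in W]

def feature_distance(W, x, x_adv):
    """Delta(x, x') = ||W x' - W x||^2 (assumed form of the distance metric)."""
    return sum((a - b) ** 2 for a, b in zip(features(W, x_adv), features(W, x)))

def grad_feature_distance(W, x, x_adv):
    """Gradient of Delta with respect to the current adversarial sample x'."""
    diff = [a - b for a, b in zip(features(W, x_adv), features(W, x))]
    return [2 * sum(W[i][j] * diff[i] for i in range(len(W))) for j in range(len(x))]

def sign(v):
    return (v > 0) - (v < 0)

def clip(v, lo, hi):
    return min(max(v, lo), hi)

def masked_update(W, x, mask, eps, alpha, steps, init):
    # Start slightly off x inside the mask: at x' = x the gradient of Delta is zero.
    x_adv = [clip(xi + m * d, xi - eps, xi + eps) for xi, m, d in zip(x, mask, init)]
    for _ in range(steps):
        g = grad_feature_distance(W, x, x_adv)            # g_t
        x_adv = [xa + alpha * m * sign(gi)                # x'_t + alpha * sign(g_t), masked
                 for xa, m, gi in zip(x_adv, mask, g)]
        x_adv = [clip(xa, xi - eps, xi + eps)             # project into [x - eps, x + eps]
                 for xa, xi in zip(x_adv, x)]
    return x_adv

# Constructed inputs: 4 "pixels"; only indices 1 and 2 lie in the masked region.
W = [[1.0, -1.0, 0.5, 0.0], [0.0, 2.0, 1.0, -1.0]]
X = [0.5, 0.2, 0.8, 0.4]
MASK = [0, 1, 1, 0]
INIT = [0.001, 0.001, -0.001, 0.001]
EPS, ALPHA, STEPS = 0.03, 0.01, 10

def run_demo():
    return masked_update(W, X, MASK, EPS, ALPHA, STEPS, INIT)

if __name__ == "__main__":
    x_adv = run_demo()
    print("x'      :", x_adv)
    print("max |d| :", max(abs(a - b) for a, b in zip(x_adv, X)))
    print("Delta   :", feature_distance(W, X, x_adv))
```
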