Jiazhi Guan,Yi Zhao,Zhuoer Xu,Changhua Meng,Ke Xu,Youjian Zhao

DOI: https://doi.org/10.1609/aaai.v38i1.27762

2024-01-01

Abstract:The non-consensual exploitation of facial manipulation has emerged as a pressing societal concern. In tandem with the identification of such fake content, recent research endeavors have advocated countering manipulation techniques through proactive interventions, specifically the incorporation of adversarial noise to impede the manipulation in advance. Nevertheless, with insufficient consideration of robustness, we show that current methods falter in providing protection after simple perturbations, e.g., blur. In addition, traditional optimization-based methods face limitations in scalability as they struggle to accommodate the substantial expansion of data volume, a consequence of the time-intensive iterative pipeline. To solve these challenges, we propose a learning-based model, Adversarial Robust Safeguard (ARS), to generate desirable protection noise in a single forward process, concurrently exhibiting a heightened resistance against prevalent perturbations. Specifically, our method involves a two-way protection design, characterized by a basic protection component responsible for generating efficacious noise features, coupled with robust protection for further enhancement. In robust protection, we first fuse image features with spatially duplicated noise embedding, thereby accounting for inherent information redundancy. Subsequently, a combination comprising a differentiable perturbation module and an adversarial network is devised to simulate potential information degradation during the training process. To evaluate it, we conduct experiments on four manipulation methods and compare recent works comprehensively. The results of our method exhibit good visual effects with pronounced robustness against varied perturbations at different levels.

Jiting Zhou,Xinrui Zhao,Qian Xu,Pu Zhang,Zhihao Zhou

DOI: https://doi.org/10.1109/access.2024.3390217

IF: 3.9

2024-05-03

IEEE Access

Abstract:Face forgery detection aims to identify manipulated or altered facial images or videos created using artificial intelligence. Existing detection methods exhibit favorable performance on high-quality videos, but the videos in daily applications are commonly compressed into low-quality formats via social media. The detection difficulty is increased by the poor quality, indistinct detail features, and noises such as artifacts in these images or videos. To address this challenge, we propose a multi-scale dual-branch network for compressed face forgery, called MDCF-Net, effectively capturing cross-domain forgery features at various scales in compressed facial images. The MDCF-Net comprises two branches: an RGB domain branch utilizing Transformers to extract multi-scale fine-texture features from the original RGB images; a frequency domain branch designed to capture artifacts in low-quality videos by extracting global spectral features as a supplementary measure. Then, we introduce a feature fusion module (FFM) based on multi-head attention to merge diverse feature representations in a spatial-frequency complementary manner. Extensive comparative experiments on public datasets such as FaceForensics++, Celeb-DF, and WildDeepfake demonstrate the significant advantage of MDCF-Net in detecting highly compressed and low-quality forged images or videos, especially in achieving state-of-the-art performance on the FaceForensics++ low-quality dataset. Our approach presents a new perspective and technology for low-quality face forgery detection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chaofei Yang,Lei Ding,Yiran Chen,Hai Li

DOI: https://doi.org/10.48550/arXiv.2006.07421

2020-06-13

Abstract:Deepfake represents a category of face-swapping attacks that leverage machine learning models such as autoencoders or generative adversarial networks. Although the concept of the face-swapping is not new, its recent technical advances make fake content (e.g., images, videos) more realistic and imperceptible to Humans. Various detection techniques for Deepfake attacks have been explored. These methods, however, are passive measures against Deepfakes as they are mitigation strategies after the high-quality fake content is generated. More importantly, we would like to think ahead of the attackers with robust defenses. This work aims to take an offensive measure to impede the generation of high-quality fake images or videos. Specifically, we propose to use novel transformation-aware adversarially perturbed faces as a defense against GAN-based Deepfake attacks. Different from the naive adversarial faces, our proposed approach leverages differentiable random image transformations during the generation. We also propose to use an ensemble-based approach to enhance the defense robustness against GAN-based Deepfake variants under the black-box setting. We show that training a Deepfake model with adversarial faces can lead to a significant degradation in the quality of synthesized faces. This degradation is twofold. On the one hand, the quality of the synthesized faces is reduced with more visual artifacts such that the synthesized faces are more obviously fake or less convincing to human observers. On the other hand, the synthesized faces can easily be detected based on various metrics.

Computer Vision and Pattern Recognition,Cryptography and Security,Image and Video Processing

Yan Wang,Qindong Sun,Dongzhu Rong,Rong Geng

DOI: https://doi.org/10.1016/j.cviu.2024.104072

IF: 4.886

2024-07-13

Computer Vision and Image Understanding

Abstract:The viral spread of massive deepfake videos over social networks has caused serious security problems. Despite the remarkable advancements achieved by existing deepfake detection algorithms, deepfake videos over social networks are inevitably influenced by compression factors. This causes deepfake detection performance to be limited by the following challenging issues: (a) interfering with compression artifacts, (b) loss of feature information, and (c) aliasing of feature distributions. In this paper, we analyze the common mechanism between compression artifacts and deepfake artifacts, revealing the structural similarity between them and providing a reliable theoretical basis for enhancing the robustness of deepfake detection models against compression. Firstly, based on the common mechanism between artifacts, we design a frequency domain adaptive notch filter to eliminate the interference of compression artifacts on specific frequency bands. Secondly, to reduce the sensitivity of deepfake detection models to unknown noise, we propose a spatial residual denoising strategy. Thirdly, to exploit the intrinsic correlation between feature vectors in the frequency domain branch and the spatial domain branch, we enhance deepfake features using an attention-based feature fusion method. Finally, we adopt a multi-task decision approach to enhance the discriminative power of the latent space representation of deepfakes, achieving deepfake detection with robustness against compression. Extensive experiments show that compared with the baseline methods, the detection performance of the proposed algorithm on compressed deepfake videos has been significantly improved. In particular, our model is resistant to various types of noise disturbances and can be easily combined with baseline detection models to improve their robustness.

computer science, artificial intelligence,engineering, electrical & electronic

Zhibo Wang,Hengchang Guo,Zhifei Zhang,Mengkai Song,Siyan Zheng,Qian Wang,Ben Niu

DOI: https://doi.org/10.1145/3397166.3409141

2020-01-01

Abstract:The massive photos shared through the social networks nowadays, e.g., Facebook and Instagram, have aided malicious entities to snoop private information, especially by utilizing deep neural networks (DNNs) to learn from those personal photos. To protect photo privacy against DNNs, recent advances adopting adversarial examples could successfully fool DNNs. However, they are sensitive to those image compression methods that are commonly used on social networks to reduce transmission bandwidth or storage space. A recent work proposed to resist JPEG compression, while the compression methods adopted in social networks are black boxes, and variation of compression methods would significantly degrade the resistance. To the best of our knowledge, this paper gives the first attempt to investigate a generic compression-resistant scheme to protect photo privacy against DNNs in the social network scenario. We propose the Compression-Resistant Adversarial framework (ComReAdv) that can achieve adversarial examples robust to an unknown compression method. To this end, we design an encoding-decoding based compression approximation model (ComModel) to approximate the unknown compression method by learning the transformation from the original-compressed pairs of images queried through the social network. In addition, we involve the pre-trained differentiable ComModel into the optimization process of adversarial example generation and adapt existing attack algorithms to generate compression-resistant adversarial examples. Extensive experimental results on different social networks demonstrate the effectiveness and superior resistance of the proposed ComReAdv to unknown compression as compared to the state-of-the-art methods.

Jiaming Zhang,Qi Yi,Dongyuan Lu,Jitao Sang

2023-09-03

Abstract:In light of the growing concerns regarding the unauthorized use of facial recognition systems and its implications on individual privacy, the exploration of adversarial perturbations as a potential countermeasure has gained traction. However, challenges arise in effectively deploying this approach against unauthorized facial recognition systems due to the effects of JPEG compression on image distribution across the internet, which ultimately diminishes the efficacy of adversarial perturbations. Existing JPEG compression-resistant techniques struggle to strike a balance between resistance, transferability, and attack potency. To address these limitations, we propose a novel solution referred to as \emph{low frequency adversarial perturbation} (LFAP). This method conditions the source model to leverage low-frequency characteristics through adversarial training. To further enhance the performance, we introduce an improved \emph{low-mid frequency adversarial perturbation} (LMFAP) that incorporates mid-frequency components for an additive benefit. Our study encompasses a range of settings to replicate genuine application scenarios, including cross backbones, supervisory heads, training datasets, and testing datasets. Moreover, we evaluated our approaches on a commercial black-box API, \texttt{Face++}. The empirical results validate the cutting-edge performance achieved by our proposed solutions.

Computer Vision and Pattern Recognition,Image and Video Processing

Junhao Dong,Yuan Wang,Jianhuang Lai,Xiaohua Xie

DOI: https://doi.org/10.1109/tifs.2023.3266702

IF: 7.231

2023-05-02

IEEE Transactions on Information Forensics and Security

Abstract:DeepFake face swapping presents a significant threat to online security and social media, which can replace the source face in an arbitrary photo/video with the target face of an entirely different person. In order to prevent this fraud, some researchers have begun to study the adversarial methods against DeepFake or face manipulation. However, existing works mainly focus on the white-box setting or the black-box setting driven by abundant queries, which severely limits the practical application of these methods. To tackle this problem, we introduce a practical adversarial attack that does not require any queries to the facial image forgery model. Our method is built on a substitute model based on face reconstruction and then transfers adversarial examples from the substitute model directly to inaccessible black-box DeepFake models. Specially, we propose the Transferable Cycle Adversary Generative Adversarial Network (TCA-GAN) to construct the adversarial perturbation for disrupting unknown DeepFake systems. We also present a novel post-regularization module for enhancing the transferability of generated adversarial examples. To comprehensively measure the effectiveness of our approaches, we construct a challenging baseline of DeepFake adversarial attacks for future development. Extensive experiments impressively show that the proposed adversarial attack method makes the visual quality of DeepFake face images plummet so that they are easier to be detected by humans and algorithms. Moreover, we demonstrate that the proposed algorithm can be generalized to offer face image protection against various face translation methods.

computer science, theory & methods,engineering, electrical & electronic

Zuomin Qu,Wei Lu,Xiangyang Luo,Qian Wang,Xiaochun Cao

2024-09-20

Abstract:The misuse of deep learning-based facial manipulation poses a potential threat to civil rights. To prevent this fraud at its source, proactive defense technology was proposed to disrupt the manipulation process by adding invisible adversarial perturbations into images, making the forged output unconvincing to the observer. However, their non-directional disruption of the output may result in the retention of identity information of the person in the image, leading to stigmatization of the individual. In this paper, we propose a novel universal framework for combating facial manipulation, called ID-Guard. Specifically, this framework requires only a single forward pass of an encoder-decoder network to generate a cross-model universal adversarial perturbation corresponding to a specific facial image. To ensure anonymity in manipulated facial images, a novel Identity Destruction Module (IDM) is introduced to destroy the identifiable information in forged faces targetedly. Additionally, we optimize the perturbations produced by considering the disruption towards different facial manipulations as a multi-task learning problem and design a dynamic weights strategy to improve cross-model performance. The proposed framework reports impressive results in defending against multiple widely used facial manipulations, effectively distorting the identifiable regions in the manipulated facial images. In addition, our experiments reveal the ID-Guard's ability to enable disrupted images to avoid face inpaintings and open-source image recognition systems.

Computer Vision and Pattern Recognition,Artificial Intelligence

Zhong-Han Niu,Yu-Bin Yang

DOI: https://doi.org/10.1016/j.patcog.2023.109382

IF: 8

2023-01-01

Pattern Recognition

Abstract:The increasing use of deep neural networks exposes themselves to adversarial attacks in the real world drawn from closed-set and open-set, which poses great threats to their application in safety-critical sys-tems. Since adversarial attacks tend to mislead an original model by adding small perturbations into clean images, an intuitive idea of defensing adversarial attacks is eliminating perturbations as much as possi-ble to mitigate attacking effects. However, such elimination-based strategies unfortunately fail to achieve satisfactory robustness. Aiming to investigate the intrinsic reasons for this phenomenon, systematic ex-periments are carried out in this paper to indicate that even a 20% residual perturbation can still preserve and exhibit attacking effects as strong as a full one. Our study also indicates that there are strong cor-relations between perturbations and legitimate images. Thus, breaking the correlation across multiple bands is more effective in mitigating attacking effects. Based on these findings, this paper proposes an efficient defense strategy called "Frequency-Adaptive Compression and rEconstruction (FACE)" to improve the robustness of the model to adversarial attacks. Specifically, low-frequency bands containing semantic information are compressed by a down-sampling operation, while the channel width of high-frequency bands is squeezed and further compressed by adding noise before the Tanh activating function. Mean-while, attachment spaces of perturbations are also squeezed to the extent as much as possible. Finally, a clean output is obtained by upsampling together with expanded reconstruction. Experiments are ex-tensively conducted on widely used datasets to demonstrate the effectiveness of the proposed method. For closed-set attacks, FACE outperforms the STOA elimination-based methods on ImageNet, achieving a 27.9% improvement. For the MNIST open-set attacks, it not only reduces the success rate of targeted at-tack by a large margin (from 100% to 24.7%), but also mitigates attacking effects with an FPR-95 value of 0.3.(c) 2023 Elsevier Ltd. All rights reserved.

Yao Zhu,Yuefeng Chen,Xiaodan Li,Rong Zhang,Xiang Tian,Bolun Zheng,Yaowu Chen

2023-03-21

Abstract:With the development of deep learning technology, the facial manipulation system has become powerful and easy to use. Such systems can modify the attributes of the given facial images, such as hair color, gender, and age. Malicious applications of such systems pose a serious threat to individuals' privacy and reputation. Existing studies have proposed various approaches to protect images against facial manipulations. Passive defense methods aim to detect whether the face is real or fake, which works for posterior forensics but can not prevent malicious manipulation. Initiative defense methods protect images upfront by injecting adversarial perturbations into images to disrupt facial manipulation systems but can not identify whether the image is fake. To address the limitation of existing methods, we propose a novel two-tier protection method named Information-containing Adversarial Perturbation (IAP), which provides more comprehensive protection for {facial images}. We use an encoder to map a facial image and its identity message to a cross-model adversarial example which can disrupt multiple facial manipulation systems to achieve initiative protection. Recovering the message in adversarial examples with a decoder serves passive protection, contributing to provenance tracking and fake image detection. We introduce a feature-level correlation measurement that is more suitable to measure the difference between the facial images than the commonly used mean squared error. Moreover, we propose a spectral diffusion method to spread messages to different frequency channels, thereby improving the robustness of the message against facial manipulation. Extensive experimental results demonstrate that our proposed IAP can recover the messages from the adversarial examples with high average accuracy and effectively disrupt the facial manipulation systems.

Computer Vision and Pattern Recognition

Feng Ding,Guopu Zhu,Yingcan Li,Xinpeng Zhang,Pradeep K Atrey,Siwei Lyu

DOI: https://doi.org/10.1109/tmm.2021.3098422

IF: 7.3

2021-01-01

IEEE Transactions on Multimedia

Abstract:Generating falsified faces by artificial intelligence, widely known as DeepFake, has attracted attention worldwide since 2017. Given the potential threat brought by this novel technique, forensics researchers dedicated themselves to detect the video forgery. Except for exposing falsified faces, there could be extended research directions for DeepFake such as anti-forensics. It can disclose the vulnerability of current DeepFake forensics methods. Besides, it could also enable DeepFake videos as tactical weapons if the falsified faces are more subtle to be detected. In this paper, we propose a GAN model to behave as an anti-forensics tool. It features a novel architecture with additional supervising modules for enhancing image visual quality. Besides, a loss function is designed to improve the efficiency of the proposed model. After experimental evaluations, we show that the DeepFake forensics detectors are susceptible to attacks launched by the proposed method. Besides, the proposed method can efficiently produce anti-forensics videos in satisfying visual quality without noticeable artifacts. Compared with the other anti-forensics approaches, this is tremendous progress achieved for DeepFake anti-forensics. The attack launched by our proposed method can be truly regarded as DeepFake anti-forensics as it can fool detecting algorithms and human eyes simultaneously.

computer science, information systems,telecommunications, software engineering

Paarth Neekhara,Brian Dolhansky,Joanna Bitton,Cristian Canton Ferrer

DOI: https://doi.org/10.48550/arXiv.2011.09957

2020-11-20

Abstract:Facially manipulated images and videos or DeepFakes can be used maliciously to fuel misinformation or defame individuals. Therefore, detecting DeepFakes is crucial to increase the credibility of social media platforms and other media sharing web sites. State-of-the art DeepFake detection techniques rely on neural network based classification models which are known to be vulnerable to adversarial examples. In this work, we study the vulnerabilities of state-of-the-art DeepFake detection methods from a practical stand point. We perform adversarial attacks on DeepFake detectors in a black box setting where the adversary does not have complete knowledge of the classification models. We study the extent to which adversarial perturbations transfer across different models and propose techniques to improve the transferability of adversarial examples. We also create more accessible attacks using Universal Adversarial Perturbations which pose a very feasible attack scenario since they can be easily shared amongst attackers. We perform our evaluations on the winning entries of the DeepFake Detection Challenge (DFDC) and demonstrate that they can be easily bypassed in a practical attack scenario by designing transferable and accessible adversarial attacks.

Computer Vision and Pattern Recognition

S. Asha,P. Vinod,Varun G. Menon

DOI: https://doi.org/10.1007/s10207-023-00695-x

2023-05-04

International Journal of Information Security

Abstract:Advances in artificial intelligence have led to a surge in digital forensics, resulting in numerous image manipulation and processing tools. Hackers and cybercriminals utilize these techniques to create counterfeit images and videos by placing perturbations on facial traits. We propose a novel defensive framework that employs temporal and spatially aware features to efficiently identify deepfakes. This paper utilizes the facial landmarks in the video to train a self-attenuated VGG16 neural model to obtain the spatial attributes. Further, we generate optical flow feature vectors that extract temporal characteristics from the spatial vector. Another necessity of deepfake detection systems is the need for cross-dataset generalization. We built a custom dataset comprising samples from FaceForensics, Celeb-DF, and Youtube videos. Experimental analysis shows that the system achieves a detection accuracy of 98.4%. We evaluate the robustness of our proposed framework under various adversarial settings, employing the Adversarial Robustness Toolbox, Foolbox, and CleverHans tools. The experimental evaluation shows that the proposed method can classify real and fake videos with an accuracy of 74.27% under diverse holistic conditions. An extensive empirical investigation to evaluate the cross-dataset generalization capacity of the proposed framework is also performed.

computer science, information systems, theory & methods, software engineering

Congrui Li,Ziqiang Zheng,Yi Bin,Guoqing Wang,Yang Yang,Xuesheng Li,Heng Tao Shen

DOI: https://doi.org/10.1109/tmm.2023.3301242

IF: 7.3

2023-01-01

IEEE Transactions on Multimedia

Abstract:The existing face forgery algorithms have achieved remarkable progress in how to generate reasonable facial images and can even successfully deceive human beings. Considering public security, face forgery detection is of vital importance, making it essential to design face forgery detection algorithms to detect forgery images over the Internet. Despite the great success achieved by the existing Deepfake detection algorithms, they usually failed to achieve satisfactory Deepfake detection performance when deployed to handle the forgery videos in practice. One significant reason is compression. The videos over the Internet are inevitably compressed considering the transmission efficiency. To address this issue, in this paper, we propose a generic, simple yet effective “bleaching” pre-processing module based on the generative model and the high-level feature representations to produce a bleached image, which shares a similar appearance with the compressed images. The bleached images with recovered information can be identified accurately by the optimized Deepfake detection models without retraining. The proposed method has utilized a redesigned feature representation, which serves as a navigator to effectively and sufficiently alter the feature distribution in the high-dimensional space to remedy the difference between real facial images and forgery counterparts. Thus, the proposed method can successfully avoid misclassification. Comprehensive and extensive experiments are carried out on four low-quality Faceforensics++ datasets, demonstrating the effectiveness of our method in recovering the information loss caused by the compression artifacts across various backbones and compression.

computer science, information systems,telecommunications, software engineering

Delong Zhu,Yuezun Li,Baoyuan Wu,Jiaran Zhou,Zhibo Wang,Siwei Lyu

2024-12-02

Abstract:This paper investigates the feasibility of a proactive DeepFake defense framework, {\em FacePosion}, to prevent individuals from becoming victims of DeepFake videos by sabotaging face detection. The motivation stems from the reliance of most DeepFake methods on face detectors to automatically extract victim faces from videos for training or synthesis (testing). Once the face detectors malfunction, the extracted faces will be distorted or incorrect, subsequently disrupting the training or synthesis of the DeepFake model. To achieve this, we adapt various adversarial attacks with a dedicated design for this purpose and thoroughly analyze their feasibility. Based on FacePoison, we introduce {\em VideoFacePoison}, a strategy that propagates FacePoison across video frames rather than applying them individually to each frame. This strategy can largely reduce the computational overhead while retaining the favorable attack performance. Our method is validated on five face detectors, and extensive experiments against eleven different DeepFake models demonstrate the effectiveness of disrupting face detectors to hinder DeepFake generation.

Computer Vision and Pattern Recognition,Cryptography and Security

Qi Guo,Shanmin Pang,Zhikai Chen,Qing Guo

DOI: https://doi.org/10.1016/j.neucom.2024.129011

IF: 6

2024-12-02

Neurocomputing

Abstract:Face forgery by DeepFake is posing a potential threat to society. Previous studies have shown that adversarial examples can effectively disrupt DeepFake models. However, the practical application of adversarial examples to defend against DeepFake is limited due to the existence of various input transformations. To address this issue, we propose a R obust D eepFake D istortion A ttack (RDDA) method from the perspective of data augmentation, which uses adversarial autoaugment to generate robust and generalized adversarial examples to disrupt DeepFake. Specifically, we design an adversarial autoaugment module to synthesize diverse and challenging input transformations. Through coping with these transformations, the robustness and generalization ability of the adversarial examples in disrupting DeepFake models are greatly enhanced. In addition, we further improve the generalization ability of adversarial examples in handling specific input transformations by incremental learning. With RDDA and incremental learning, our generated adversarial examples can effectively protect personal privacy from being violated by DeepFake. Extensive experiments on public benchmarks demonstrate that our DeepFake defense method has better robustness and generalization ability than state-of-the-arts.

computer science, artificial intelligence

Zhikai Chen,Lingxi Xie,Shanmin Pang,Yong He,Bo Zhang

DOI: https://doi.org/10.1109/cvpr46437.2021.00890

2021-01-01

Computer Vision and Pattern Recognition

Abstract:1 Deepfakes raised serious concerns on the authenticity of visual contents. Prior works revealed the possibility to disrupt deepfakes by adding adversarial perturbations to the source data, but we argue that the threat has not been eliminated yet. This paper presents MagDR, a mask-guided detection and reconstruction pipeline for defending deepfakes from adversarial attacks. MagDR starts with a detection module that defines a few criteria to judge the abnormality of the output of deepfakes, and then uses it to guide a learnable reconstruction procedure. Adaptive masks are extracted to capture the change in local facial regions. In experiments, MagDR defends three main tasks of deepfakes, and the learned reconstruction pipeline transfers across input data, showing promising performance in defending both black-box and white-box attacks.

Gaojian Wang,Qian Jiang,Xin Jin,Xiaohui Cui

DOI: https://doi.org/10.1016/j.ins.2022.03.026

IF: 8.1

2022-06-01

Information Sciences

Abstract:DeepFakes are widespread on social networks, and they result in severe information concerns. Although various detection methods have been proposed, there are still practical limitations. Previous specific artifact-based methods were insufficient to capture fine-grained features, which limited their effectiveness against advanced DeepFakes. Current DNN-based detectors tend to trade high costs for performance improvement, and are not efficient enough, given that DeepFakes can be created easily by mobile apps, and DNN-based models require expensive computational resources. Furthermore, most methods lack generalizability under the cross-dataset scenario. In this work, we instead mine the more subtle and generalized defects of DeepFakes and propose the fused facial region_feature descriptor (FFR_FD), which is only a vector of the discriminative feature description, for effective and fast DeepFake detection. We show that DeepFake faces have fewer feature points than real ones, especially in facial regions. FFR_FD capitalizes on such key observations, and thus has strong generalizability. We train a random forest classifier with FFR_FD to achieve efficient detection. Extensive experiments on six large-scale DeepFake datasets demonstrate the effectiveness of our lightweight method. Our model generalizes well on the challenging Celeb-DF (v2) dataset, with 0.706 AUC, which is superior to most state-of-the-art methods.

computer science, information systems

Nataniel Ruiz,Sarah Adel Bargal,Stan Sclaroff

DOI: https://doi.org/10.48550/arXiv.2003.01279

2020-04-28

Abstract:Face modification systems using deep learning have become increasingly powerful and accessible. Given images of a person's face, such systems can generate new images of that same person under different expressions and poses. Some systems can also modify targeted attributes such as hair color or age. This type of manipulated images and video have been coined Deepfakes. In order to prevent a malicious user from generating modified images of a person without their consent we tackle the new problem of generating adversarial attacks against such image translation systems, which disrupt the resulting output image. We call this problem disrupting deepfakes. Most image translation architectures are generative models conditioned on an attribute (e.g. put a smile on this person's face). We are first to propose and successfully apply (1) class transferable adversarial attacks that generalize to different classes, which means that the attacker does not need to have knowledge about the conditioning class, and (2) adversarial training for generative adversarial networks (GANs) as a first step towards robust image translation networks. Finally, in gray-box scenarios, blurring can mount a successful defense against disruption. We present a spread-spectrum adversarial attack, which evades blur defenses. Our open-source code can be found at <a class="link-external link-https" href="https://github.com/natanielruiz/disrupting-deepfakes" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Cryptography and Security,Computers and Society,Machine Learning

Feng Ding,Bing Fan,Zhangyi Shen,Keping Yu,Gautam Srivastava,Kapal Dev,Shaohua Wan

DOI: https://doi.org/10.1109/tii.2022.3201572

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Falsified faces generated by DeepFake are severe threats to our community. Many smart systems in Industry 4.0, such as electronic payments and identity verification, rely on bioinformation authentication. These applications may compromise with forgeries generated by DeepFake. Notwithstanding many promising results on DeepFake forensics have been reported recently, we are now facing new security challenges brought by antiforensics attacks. With adversarial perturbations injected by antiforensics algorithms, falsified faces could masquerade themselves to disrupt forensics detectors as well as industrial applications. Therefore, to secure biometric data, in particular facial information, we propose a countermeasure against the attacks of DeepFake antiforensics. The proposed model features dual channels and multiple supervisors to capture biological attributes from manifold aspects. After training, the proposed method can purify antiforensics images by eliminating adversarial perturbations. With experimental evaluations, we show that purified faces are highly distinguishable from real ones. The proposed method is justified as a reliable defense tool for protecting facial bioinformation against antiforensics amid Industry 4.0.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial