Anti-Forgery: Towards a Stealthy and Robust DeepFake Disruption Attack via Adversarial Perceptual-aware Perturbations (2206.00477v1)

Abstract: DeepFake is becoming a real risk to society and brings potential threats to both individual privacy and political security due to the DeepFaked multimedia are realistic and convincing. However, the popular DeepFake passive detection is an ex-post forensics countermeasure and failed in blocking the disinformation spreading in advance. To address this limitation, researchers study the proactive defense techniques by adding adversarial noises into the source data to disrupt the DeepFake manipulation. However, the existing studies on proactive DeepFake defense via injecting adversarial noises are not robust, which could be easily bypassed by employing simple image reconstruction revealed in a recent study MagDR. In this paper, we investigate the vulnerability of the existing forgery techniques and propose a novel \emph{anti-forgery} technique that helps users protect the shared facial images from attackers who are capable of applying the popular forgery techniques. Our proposed method generates perceptual-aware perturbations in an incessant manner which is vastly different from the prior studies by adding adversarial noises that is sparse. Experimental results reveal that our perceptual-aware perturbations are robust to diverse image transformations, especially the competitive evasion technique, MagDR via image reconstruction. Our findings potentially open up a new research direction towards thorough understanding and investigation of perceptual-aware adversarial attack for protecting facial images against DeepFakes in a proactive and robust manner. We open-source our tool to foster future research. Code is available at https://github.com/AbstractTeen/AntiForgery/.

DeepFake Disruption via Adversarial Perceptual-aware Perturbations

The paper "Anti-Forgery: Towards a Stealthy and Robust DeepFake Disruption Attack via Adversarial Perceptual-aware Perturbations" addresses a critical challenge posed by DeepFakes, where malicious actors use AI-generated synthetic media to threaten individual privacy and social stability. The authors propose an innovative anti-forgery method that introduces adversarial perceptual-aware perturbations to facial images, aiming to preemptively impair DeepFake generation and dissemination.

DeepFakes, powered by GANs, have posed significant challenges to privacy and security due to their capability to synthesize highly realistic images and videos. Traditional countermeasures focus on post-hoc detection, but these often fall short in tackling unknown synthetic techniques and fail to prevent misinformation propagation before damage occurs. Recognizing this limitation, the authors explore proactive defenses, injecting perturbations that interfere with the generation process itself, thereby preventing the creation of convincing DeepFakes.

Key to their approach is the use of the Lab color space to generate perceptual-aware perturbations, in contrast to previous methods relying on the RGB color space. The Lab space offers perceptual uniformity and independence across color channels, which allows for the implementation of visually inconspicuous, yet robustly effective, color perturbations. Here, perturbations are continuously applied across the image, enhancing resistance against common transformation attacks (e.g., image reconstruction, compression), a vulnerability of earlier techniques as highlighted by evaluation against adversarial methods such as MagDR.

Experiments demonstrate that the proposed method significantly disrupts various DeepFake techniques, including attribute editing using StarGAN, AttGAN, and Fader Network, as well as identity swapping and face reenactment using tools like Icface and Faceswap. Performance is assessed using metrics like MSE, PSNR, and SSIM, with notable improvements in robustness against input transformations, as the approach preserves acceptable image quality while introducing artifacts detectable even by simple classifiers.

This paper emphasizes the practical implications of adopting perceptual-aware perturbations that not only thwart current GAN-based generation methods but also expose weaknesses in adversarial training and input transformations, suggesting a trajectory for future research. Insights gained here advocate for extensive exploration into diverse perturbation strategies and testing across GAN architectures to refine and amplify anti-forgery defenses, promoting user privacy and deterring misuse. The open-source availability of their tool aims to encourage further research and adaptation.

As DeepFakes evolve, proactive techniques like this, capable of blocking synthetic alterations and enhancing detector efficacy, could form crucial layers in safeguarding media integrity. The intersection of perceptual science and adversarial learning presents a promising frontier for bolstering defenses against ever-advancing AI threats.