
Evading Forensic Classifiers with Attribute-Conditioned Adversarial Faces (2306.13091v1)

Published 22 Jun 2023 in cs.CV, cs.CR, and cs.LG

Abstract: The ability of generative models to produce highly realistic synthetic face images has raised security and ethical concerns. As a first line of defense against such fake faces, deep learning based forensic classifiers have been developed. While these forensic models can detect whether a face image is synthetic or real with high accuracy, they are also vulnerable to adversarial attacks. Although such attacks can be highly successful in evading detection by forensic classifiers, they introduce visible noise patterns that are detectable through careful human scrutiny. Additionally, these attacks assume access to the target model(s) which may not always be true. Attempts have been made to directly perturb the latent space of GANs to produce adversarial fake faces that can circumvent forensic classifiers. In this work, we go one step further and show that it is possible to successfully generate adversarial fake faces with a specified set of attributes (e.g., hair color, eye size, race, gender, etc.). To achieve this goal, we leverage the state-of-the-art generative model StyleGAN with disentangled representations, which enables a range of modifications without leaving the manifold of natural images. We propose a framework to search for adversarial latent codes within the feature space of StyleGAN, where the search can be guided either by a text prompt or a reference image. We also propose a meta-learning based optimization strategy to achieve transferable performance on unknown target models. Extensive experiments demonstrate that the proposed approach can produce semantically manipulated adversarial fake faces, which are true to the specified attribute set and can successfully fool forensic face classifiers, while remaining undetectable by humans. Code: https://github.com/koushiksrivats/face_attribute_attack.

Authors (3)
  1. Fahad Shamshad (21 papers)
  2. Koushik Srivatsan (5 papers)
  3. Karthik Nandakumar (57 papers)
Citations (5)