Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AVA: Inconspicuous Attribute Variation-based Adversarial Attack bypassing DeepFake Detection

Xiangtao Meng, Li Wang, Shanqing Guo, Lei Ju, Qingchuan Zhao

TL;DR

A new attribute-variation-based adversarial attack (AVA) that perturbs the latent space of DeepFake images via a combination of Gaussian prior and semantic discriminator to bypass such mitigation.

Abstract

While DeepFake applications are becoming popular in recent years, their abuses pose a serious privacy threat. Unfortunately, most related detection algorithms to mitigate the abuse issues are inherently vulnerable to adversarial attacks because they are built atop DNN-based classification models, and the literature has demonstrated that they could be bypassed by introducing pixel-level perturbations. Though corresponding mitigation has been proposed, we have identified a new attribute-variation-based adversarial attack (AVA) that perturbs the latent space via a combination of Gaussian prior and semantic discriminator to bypass such mitigation. It perturbs the semantics in the attribute space of DeepFake images, which are inconspicuous to human beings (e.g., mouth open) but can result in substantial differences in DeepFake detection. We evaluate our proposed AVA attack on nine state-of-the-art DeepFake detection algorithms and applications. The empirical results demonstrate that AVA attack defeats the state-of-the-art black box attacks against DeepFake detectors and achieves more than a 95% success rate on two commercial DeepFake detectors. Moreover, our human study indicates that AVA-generated DeepFake images are often imperceptible to humans, which presents huge security and privacy concerns.

AVA: Inconspicuous Attribute Variation-based Adversarial Attack bypassing DeepFake Detection

TL;DR

A new attribute-variation-based adversarial attack (AVA) that perturbs the latent space of DeepFake images via a combination of Gaussian prior and semantic discriminator to bypass such mitigation.

Abstract

While DeepFake applications are becoming popular in recent years, their abuses pose a serious privacy threat. Unfortunately, most related detection algorithms to mitigate the abuse issues are inherently vulnerable to adversarial attacks because they are built atop DNN-based classification models, and the literature has demonstrated that they could be bypassed by introducing pixel-level perturbations. Though corresponding mitigation has been proposed, we have identified a new attribute-variation-based adversarial attack (AVA) that perturbs the latent space via a combination of Gaussian prior and semantic discriminator to bypass such mitigation. It perturbs the semantics in the attribute space of DeepFake images, which are inconspicuous to human beings (e.g., mouth open) but can result in substantial differences in DeepFake detection. We evaluate our proposed AVA attack on nine state-of-the-art DeepFake detection algorithms and applications. The empirical results demonstrate that AVA attack defeats the state-of-the-art black box attacks against DeepFake detectors and achieves more than a 95% success rate on two commercial DeepFake detectors. Moreover, our human study indicates that AVA-generated DeepFake images are often imperceptible to humans, which presents huge security and privacy concerns.
Paper Structure (68 sections, 6 equations, 14 figures, 5 tables, 3 algorithms)

This paper contains 68 sections, 6 equations, 14 figures, 5 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Responsible disclosure
  3. Related Work and Threat Model
  4. DeepFake: Key Techniques
  5. DeepFake Detection
  6. Spatial-domain based detection
  7. Frequency-domain based detection
  8. Attacks against DeepFake Detection
  9. Reconstruction-based attacks
  10. Iterative adversarial attacks
  11. Threat Model
  12. Adversary
  13. Victim DeepFake detectors
  14. Approach
  15. Overview
  16. ...and 53 more sections

Figures (14)

  • Figure 1: The overall architecture of our proposed AVA attack.
  • Figure 2: On the StyleGAN dataset, the attack success rate of AVA with different Single candidate attributes against white-box DeepFake detections.
  • Figure 3: The impact ranking of various attributes on AVA's attack performance.
  • Figure 4: The success rate of AVA with different Multiple candidate attributes against white-box DeepFake detections in two benchmark datasets. The "+" refers to adding the attribute to form the Multiple candidate attributes of AVA.
  • Figure 5: The Success Rate vs. BRISQUE of various attacks.
  • ...and 9 more figures