XAI-Based Detection of Adversarial Attacks on Deepfake Detectors
Ben Pinhasov, Raz Lapid, Rony Ohayon, Moshe Sipper, Yehudit Aperstein
TL;DR
This work tackles the vulnerability of deepfake detectors to adversarial inputs by introducing an XAI-based adversarial detector that leverages interpretability maps. The methodology combines a dataset augmentation pipeline on FF++ with multiple $\ell_\infty$ attacks, two pre-trained detectors (XceptionNet and EfficientNetB4ST), and a Detect-ResNet50-based adversarial detector that uses embeddings from both the image and its XAI map. The study demonstrates that XAI-informed features can improve detection of attacked inputs without degrading the base detector and analyzes the trade-offs in model finetuning, computational overhead, and transferability across backbones. The results suggest that XAI-enhanced defenses offer a promising path toward more robust and trustworthy deepfake detection in real-world deployments, while also highlighting limitations related to attack diversity and resource demands. Future work is directed at expanding XAI techniques, improving real-time performance, and exploring broader ethical implications for deploying explainable defenses in media-safety contexts.
Abstract
We introduce a novel methodology for identifying adversarial attacks on deepfake detectors using eXplainable Artificial Intelligence (XAI). In an era characterized by digital advancement, deepfakes have emerged as a potent tool, creating a demand for efficient detection systems. However, these systems are frequently targeted by adversarial attacks that inhibit their performance. We address this gap, developing a defensible deepfake detector by leveraging the power of XAI. The proposed methodology uses XAI to generate interpretability maps for a given method, providing explicit visualizations of decision-making factors within the AI models. We subsequently employ a pretrained feature extractor that processes both the input image and its corresponding XAI image. The feature embeddings extracted from this process are then used for training a simple yet effective classifier. Our approach not only contributes to the detection of deepfakes but also enhances the understanding of possible adversarial attacks, pinpointing potential vulnerabilities. Furthermore, this approach does not change the performance of the deepfake detector. The paper demonstrates promising results suggesting a potential pathway for future deepfake detection mechanisms. We believe this study will serve as a valuable contribution to the community, sparking much-needed discourse on safeguarding deepfake detectors.
