Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

2D-Malafide: Adversarial Attacks Against Face Deepfake Detection Systems

Chiara Galdi, Michele Panariello, Massimiliano Todisco, Nicholas Evans

TL;DR

The paper addresses the vulnerability of face deepfake detectors to adversarial perturbations by proposing 2D-Malafide, a lightweight attack that learns a small 2D convolutional filter per attack to generalize across samples. By training filters across multiple inputs and constraining perturbations, the method achieves transferable attacks demonstrated on FaceForensics++ under both white-box and black-box scenarios, with larger filter sizes yielding stronger degradation. GradCAM explainability reveals that the attack hides central artefacts and shifts detector attention, illustrating the failure modes of current FDD systems. This work highlights the need for robustness enhancements through image fidelity constraints and diverse training data to counter convolution-based perturbations in practical detection systems.

Abstract

We introduce 2D-Malafide, a novel and lightweight adversarial attack designed to deceive face deepfake detection systems. Building upon the concept of 1D convolutional perturbations explored in the speech domain, our method leverages 2D convolutional filters to craft perturbations which significantly degrade the performance of state-of-the-art face deepfake detectors. Unlike traditional additive noise approaches, 2D-Malafide optimises a small number of filter coefficients to generate robust adversarial perturbations which are transferable across different face images. Experiments, conducted using the FaceForensics++ dataset, demonstrate that 2D-Malafide substantially degrades detection performance in both white-box and black-box settings, with larger filter sizes having the greatest impact. Additionally, we report an explainability analysis using GradCAM which illustrates how 2D-Malafide misleads detection systems by altering the image areas used most for classification. Our findings highlight the vulnerability of current deepfake detection systems to convolutional adversarial attacks as well as the need for future work to enhance detection robustness through improved image fidelity constraints.

2D-Malafide: Adversarial Attacks Against Face Deepfake Detection Systems

TL;DR

The paper addresses the vulnerability of face deepfake detectors to adversarial perturbations by proposing 2D-Malafide, a lightweight attack that learns a small 2D convolutional filter per attack to generalize across samples. By training filters across multiple inputs and constraining perturbations, the method achieves transferable attacks demonstrated on FaceForensics++ under both white-box and black-box scenarios, with larger filter sizes yielding stronger degradation. GradCAM explainability reveals that the attack hides central artefacts and shifts detector attention, illustrating the failure modes of current FDD systems. This work highlights the need for robustness enhancements through image fidelity constraints and diverse training data to counter convolution-based perturbations in practical detection systems.

Abstract

We introduce 2D-Malafide, a novel and lightweight adversarial attack designed to deceive face deepfake detection systems. Building upon the concept of 1D convolutional perturbations explored in the speech domain, our method leverages 2D convolutional filters to craft perturbations which significantly degrade the performance of state-of-the-art face deepfake detectors. Unlike traditional additive noise approaches, 2D-Malafide optimises a small number of filter coefficients to generate robust adversarial perturbations which are transferable across different face images. Experiments, conducted using the FaceForensics++ dataset, demonstrate that 2D-Malafide substantially degrades detection performance in both white-box and black-box settings, with larger filter sizes having the greatest impact. Additionally, we report an explainability analysis using GradCAM which illustrates how 2D-Malafide misleads detection systems by altering the image areas used most for classification. Our findings highlight the vulnerability of current deepfake detection systems to convolutional adversarial attacks as well as the need for future work to enhance detection robustness through improved image fidelity constraints.
Paper Structure (7 sections, 1 equation, 3 figures, 1 table)

This paper contains 7 sections, 1 equation, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Related Work
  3. 2D-Malafide
  4. Experimental Setup
  5. Experimental Results
  6. Explainability Analysis
  7. Conclusions

Figures (3)

  • Figure 1: The training procedure of the 2D-Malafide filter $\mathbf{m}$ for face images generated with the attack $a=$ FaceShifter against the face deepfake detector (FDD).
  • Figure 2: Examples of bona fide, baseline attack and four configurations of 2D-Malafide filter for the five deepfake attacks. Results are taken from training based on CADDM system.
  • Figure 3: GradCAM explainability results for Deepfakes $3\times3$ and FaceShifter $81\times81$ image samples classified with CADDM and SBI FDD systems applied on bona fide (a), baseline attack (b), and 2D-Malafide attacks processed with GradCAM label bona fide (c) and spoof (d).