Hiding Faces in Plain Sight: Defending DeepFakes by Disrupting Face Detection

TL;DR

This paper presents FacePoison, a proactive defense that contaminates input faces to disrupt DNN-based face detectors, thereby thwarting both training and inference of DeepFake models. It introduces VideoFacePoison, a temporal extension using optical flow to propagate perturbations across video frames with reduced computation. By adapting multiple adversarial attacks to attack intermediate detector features and employing an importance-guided pseudo-objective, the method achieves robust disruption across five detectors and eleven DeepFake models, with strong transferability and resilience to common perturbations. The approach is complementary to existing detectors, offering a practical, user-centric defense channel, though it is tailored to face-swap DeepFakes and relies on modern detectors, inviting further work on broader forgery techniques and defenses.

Abstract

This paper investigates the feasibility of a proactive DeepFake defense framework, {\em FacePosion}, to prevent individuals from becoming victims of DeepFake videos by sabotaging face detection. The motivation stems from the reliance of most DeepFake methods on face detectors to automatically extract victim faces from videos for training or synthesis (testing). Once the face detectors malfunction, the extracted faces will be distorted or incorrect, subsequently disrupting the training or synthesis of the DeepFake model. To achieve this, we adapt various adversarial attacks with a dedicated design for this purpose and thoroughly analyze their feasibility. Based on FacePoison, we introduce {\em VideoFacePoison}, a strategy that propagates FacePoison across video frames rather than applying them individually to each frame. This strategy can largely reduce the computational overhead while retaining the favorable attack performance. Our method is validated on five face detectors, and extensive experiments against eleven different DeepFake models demonstrate the effectiveness of disrupting face detectors to hinder DeepFake generation.

Figures (10)

• Figure 1: Examples of DeepFake, which involves replacing the original faces with synthesized faces while keeping the same facial expressions. These examples are from li2020celeb.
• Figure 2: Overview of FacePoison. The left part shows the typical generation process of DeepFake conducted by adversaries, covering the inference and training phase of DeepFake models. The right part shows how our method obstructs the DeepFake generation. The rationale is that our method disrupts face detection, leading to incorrect face detection results. It can pollute the input faces during either inference or training, ultimately hindering the DeepFake generation process.
• Figure 3: Overview of our method on disrupting face detection. Our method attacks multiple intermediate features with the instruction of importance-guided maps, amplifying the disturbance on key elements indicated by these maps. See text for details.
• Figure 4: Overview of the VideoFacePoison method on disrupting face detection in a video. Our method can propagate the FacePoison on a certain frame ($x_{(v)}$ in this example) to adjacent frames based on the optical flow algorithms. See text for details.
• Figure 5: Visual examples of using different adaptations to disrupt face detection. For each face detector, the top row corresponds to the original results and the bottom row is the results using our method.