FaceSwapGuard: Safeguarding Facial Privacy from DeepFake Threats through Identity Obfuscation

Li Wang, Zheng Li, Xuhong Zhang, Shouling Ji, Shanqing Guo

TL;DR

FaceSwapGuard (FSG) tackles the risk of DeepFake face-swapping by proactively perturbing user images to disrupt identity features during swapped-face generation. By optimizing perturbations within a budget $\epsilon$ using a surrogate identity encoder and random transformations, FSG achieves strong transferability across unseen face-swapping models and maintains human-perceptible similarity. Empirical results show dramatic reductions in face-match rates (FMR) from over 90% to under 10% across both academic recognizers and commercial APIs, along with increased perceptual divergence in swapped outputs. The approach remains robust under adaptive attacks (e.g., denoising, compression) and generalizes to diffusion-based models, offering practical facial privacy protection in real-world social-media contexts.

Abstract

DeepFakes pose a significant threat to our society. One representative DeepFake application is face-swapping, which replaces the identity in a facial image with that of a victim. Although existing methods partially mitigate these risks by degrading the quality of swapped images, they often fail to disrupt the identity transformation effectively. To fill this gap, we propose FaceSwapGuard (FSG), a novel black-box defense mechanism against deepfake face-swapping threats. Specifically, FSG introduces imperceptible perturbations to a user's facial image, disrupting the features extracted by identity encoders. When shared online, these perturbed images mislead face-swapping techniques, causing them to generate facial images with identities significantly different from the original user. Extensive experiments demonstrate the effectiveness of FSG against multiple face-swapping techniques, reducing the face match rate from 90% (without defense) to below 10%. Both qualitative and quantitative studies further confirm its ability to confuse human perception, highlighting its practical utility. Additionally, we investigate key factors that may influence FSG and evaluate its robustness against various adaptive adversaries.
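
An added sketch of the idea summarized in the TL;DR (a perturbation optimized within a budget $\epsilon$ against a surrogate identity encoder, averaged over random transformations); it is not the paper's algorithm or code. The linear toy encoder, the cosine-similarity objective, the additive-noise transformation and every numeric value are assumptions chosen so the example runs offline.

```python
import math
import random

def embed(W, x):
    # Toy surrogate identity encoder: a fixed linear map (assumption, not FSG's encoder).
    return [sum(w * v for w, v in zip(row, x)) for row in W]

def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    return dot / (math.sqrt(sum(p * p for p in a)) * math.sqrt(sum(q * q for q in b)))

def cos_grad_wrt_input(W, x, target):
    # Analytic gradient of cos(embed(x), target) with respect to the pixels x.
    e = embed(W, x)
    ne = math.sqrt(sum(v * v for v in e))
    nt = math.sqrt(sum(v * v for v in target))
    c = cosine(e, target)
    g_e = [t / (ne * nt) - c * v / (ne * ne) for v, t in zip(e, target)]
    return [sum(W[k][i] * g_e[k] for k in range(len(W))) for i in range(len(x))]

def protect(W, x, eps=0.05, step=0.0125, iters=40, samples=4, sigma=0.02, seed=0):
    # Projected sign-gradient descent on identity similarity under an L-inf budget eps.
    rng = random.Random(seed)
    target = embed(W, x)                      # identity features of the clean image
    delta = [rng.uniform(-eps, eps) for _ in x]   # random start inside the budget
    for _ in range(iters):
        grad = [0.0] * len(x)
        for _ in range(samples):              # average over random transformations
            noisy = [v + d + rng.gauss(0, sigma) for v, d in zip(x, delta)]
            g = cos_grad_wrt_input(W, noisy, target)
            grad = [a + b for a, b in zip(grad, g)]
        for i, g in enumerate(grad):
            d = delta[i] - step * ((g > 0) - (g < 0))   # step that lowers similarity
            d = max(-eps, min(eps, d))                  # project onto the eps ball
            delta[i] = max(0.0, min(1.0, x[i] + d)) - x[i]  # keep pixels in [0, 1]
    return [v + d for v, d in zip(x, delta)]

def demo():
    # Constructed data: a random 64-"pixel" image and a random 8-dim encoder.
    rng = random.Random(1)
    dim, emb = 64, 8
    W = [[rng.gauss(0, 1) / math.sqrt(dim) for _ in range(dim)] for _ in range(emb)]
    x = [rng.uniform(0.2, 0.8) for _ in range(dim)]
    xp = protect(W, x)
    before = cosine(embed(W, x), embed(W, x))
    after = cosine(embed(W, xp), embed(W, x))
    linf = max(abs(a - b) for a, b in zip(xp, x))
    return before, after, linf, xp

if __name__ == "__main__":
    print(demo()[:3])
```
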

Paper Structure

This paper contains 30 sections, 5 equations, 12 figures, 10 tables, 1 algorithm.

Figures (12)

  • Figure 1: A high-level illustration of FSG. The source image depicts the victim, while the DeepFake replaces the target image's identity with the victim's.
  • Figure 2: The overview framework of our FSG. Before sharing photos on social media platforms, users can utilize FSG to compute the corresponding protected image by iteratively adding adversarial perturbations to their source image. When an adversary scrapes the protected image for a malicious DeepFake, the resulting face-swapped image deviates from the user's identity, making it difficult for both machines and humans to accurately match the user’s genuine identity.
  • Figure 3: FMRs on face verification APIs under different budgets.
  • Figure 4: FMRs between the generated images and source images under different defenses.
  • Figure 5: Visualization of face-swapped images under different defenses.
  • ...and 7 more figures