NullSwap: Proactive Identity Cloaking Against Deepfake Face Swapping

TL;DR

This work addresses the challenge of defending against Deepfake face swapping by shifting focus from protecting the manipulated target to cloaking the source identity. It introduces NullSwap, a fully black-box proactive perturbation framework comprising Identity Extraction, Perturbation Block, Feature Block, and Cloaking Block, coupled with Dynamic Loss Weighting to balance multiple identity-loss signals from different recognition tools. The method achieves high visual fidelity while significantly reducing identity leakage across several face-recognition models and face-swapping approaches, outperforming prior proactive perturbations in both in-dataset and cross-dataset settings. The results demonstrate strong generalization to unseen data and black-box attacks, highlighting the practical potential of identity-centric defensive perturbations for mitigating Deepfake risks in real-world scenarios.

Abstract

Suffering from performance bottlenecks in passively detecting high-quality Deepfake images due to the advancement of generative models, proactive perturbations offer a promising approach to disabling Deepfake manipulations by inserting signals into benign images. However, existing proactive perturbation approaches remain unsatisfactory in several aspects: 1) visual degradation due to direct element-wise addition; 2) limited effectiveness against face swapping manipulation; 3) unavoidable reliance on white- and grey-box settings to involve generative models during training. In this study, we analyze the essence of Deepfake face swapping and argue the necessity of protecting source identities rather than target images, and we propose NullSwap, a novel proactive defense approach that cloaks source image identities and nullifies face swapping under a pure black-box scenario. We design an Identity Extraction module to obtain facial identity features from the source image, while a Perturbation Block is then devised to generate identity-guided perturbations accordingly. Meanwhile, a Feature Block extracts shallow-level image features, which are then fused with the perturbation in the Cloaking Block for image reconstruction. Furthermore, to ensure adaptability across different identity extractors in face swapping algorithms, we propose Dynamic Loss Weighting to adaptively balance identity losses. Experiments demonstrate the outstanding ability of our approach to fool various identity recognition models, outperforming state-of-the-art proactive perturbations in preventing face swapping models from generating images with correct source identities.

Figures (3)

• Figure 1: ArcFace ArcFace[8] extracted embeddings of images for two facial identities, clustered via t-SNE tSNE[17]. NullSwap aims to insert the perturbation that blinds the identity extractors of face swapping models, such that the perturbed embedding ($e^{'}_{s_1}$) no longer belongs to the original identity of embeddings ($e_{s_1}$ and $e_{s_2}$).
• Figure 2: Demonstration of the proposed NullSwap framework. The input image $I_s$ is passed through the ID Extraction module and Perturbation Block to generate identity-guided perturbation. A Feature Block executes shallow-level feature extraction on $I_s$ and passes to the Cloaking Block together with the perturbation for the reconstruction of identity-cloaked $I^{'}_s$.
• Figure 3: Visualization of face swapping performance regarding different perturbation algorithms against different generative models.