Uncovering and Mitigating Destructive Multi-Embedding Attacks in Deepfake Proactive Forensics

TL;DR

This work reveals Multi-Embedding Attacks (MEA) as a fundamental vulnerability in proactive deepfake forensics, where a second watermark overwrites the original evidence and destroys forensic integrity. It introduces Adversarial Interference Simulation (AIS), a model-agnostic training paradigm that simulates MEA during fine-tuning and incentivizes sparse, stable watermark representations via a resilience loss, thereby preserving recoverability of the original watermark under interference. Empirical results show AIS markedly improves robustness across multiple baseline proactive forensic methods against MEA while maintaining high perceptual quality, suggesting AIS as a practical plug-and-play defense. The authors advocate treating MEA robustness as a new benchmark and highlight the real-world security implications for deployable proactive forensics systems.

Abstract

With the rapid evolution of deepfake technologies and the wide dissemination of digital media, personal privacy is facing increasingly serious security threats. Deepfake proactive forensics, which involves embedding imperceptible watermarks to enable reliable source tracking, serves as a crucial defense against these threats. Although existing methods show strong forensic ability, they rely on an idealized assumption of single watermark embedding, which proves impractical in real-world scenarios. In this paper, we formally define and demonstrate the existence of Multi-Embedding Attacks (MEA) for the first time. When a previously protected image undergoes additional rounds of watermark embedding, the original forensic watermark can be destroyed or removed, rendering the entire proactive forensic mechanism ineffective. To address this vulnerability, we propose a general training paradigm named Adversarial Interference Simulation (AIS). Rather than modifying the network architecture, AIS explicitly simulates MEA scenarios during fine-tuning and introduces a resilience-driven loss function to enforce the learning of sparse and stable watermark representations. Our method enables the model to maintain the ability to extract the original watermark correctly even after a second embedding. Extensive experiments demonstrate that our plug-and-play AIS training paradigm significantly enhances the robustness of various existing methods against MEA.

Figures (4)

• Figure 1: Illustration of the ideal proactive forensics pipeline and the threat posed by Multi-Embedding Attacks (MEA). (a) In the standard pipeline, the embedded forensic watermark is expected to withstand manipulations such as deepfake generation. (b) However, additional third-party embeddings (e.g., social media platforms or malicious actors) can overwrite and degrade the original watermark, leading to a complete failure of the proactive forensics mechanism.
• Figure 2: BER of primary watermarks before and after MEA on several state-of-the-art methods.
• Figure 3: Overview of the proposed framework. Figure (a) illustrates the general proactive forensics pipeline. Figure (b) depicts our proposed Adversarial Interference Simulation (AIS), a model-agnostic training paradigm applicable to various proactive forensic methods. Figure (c) shows the Multi-Embedding Attacks (MEA), where the invisibility constraint of watermark embedding typically causes new watermarks to overwrite the original forensic information.
• Figure 4: Visual comparison of different models before and after enhancement with AIS. From top to bottom are the original image $X$, the watermarked image $X_w$, the residual signal $\mathcal{R}(|X_w - X|)$, the watermarked image after fine-tuning with AIS $X_w^\prime$, and its residual $\mathcal{R}(|X_w^\prime - X|)$. To visualize the minute differences introduced by the watermark, the residual signal is amplified using the normalization function $\mathcal{R}(X) = (X - min(X)) / (max(X) -min(X))$. Image size: 256 × 256.