Making DeepFakes More Spurious: Evading Deep Face Forgery Detection via Trace Removal Attack

Liu, C; Chen, H; Zhu, T; Zhang, J; Zhou, W

Making DeepFakes More Spurious: Evading Deep Face Forgery Detection via Trace Removal Attack

Liu, C Chen, H Zhu, T

Zhang, J Zhou, W

Permalink

Publisher:: Institute of Electrical and Electronics Engineers (IEEE)
Publication Type:: Journal Article
Citation:: IEEE Transactions on Dependable and Secure Computing, 2023, 20, (6), pp. 5182-5196
Issue Date:: 2023-11-01

Closed Access

	Filename	Description	Size
	Making_DeepFakes_More_Spurious_Evading_Deep_Face_Forgery_Detection_via_Trace_Removal_Attack.pdf	Published version	5.64 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Liu, C
dc.contributor.author	Chen, H
dc.contributor.author	Zhu, T https://orcid.org/0000-0003-3411-7947
dc.contributor.author	Zhang, J
dc.contributor.author	Zhou, W
dc.date.accessioned	2024-03-13T22:34:51Z
dc.date.available	2024-03-13T22:34:51Z
dc.date.issued	2023-11-01
dc.identifier.citation	IEEE Transactions on Dependable and Secure Computing, 2023, 20, (6), pp. 5182-5196
dc.identifier.issn	1545-5971
dc.identifier.issn	1941-0018
dc.identifier.uri	http://hdl.handle.net/10453/176648
dc.description.abstract	DeepFakes are raising significant social concerns. Although various Despite various DeepFake detectors having been developed as countermeasures, their vulnerability under attacks remains further explorations. Recently, several attacks, such as adversarial attacks, have successfully fooled DeepFake detectors. However, existing attacks suffer from detector-specific designs, requiring detector-side knowledge, leading to poor transferability. Moreover, they only consider simplified security scenarios; but less is known about the attacking performance in complex scenarios where the capability of detectors or attackers varies. To fill the gap, we propose a novel, detector-agnostic trace removal attack. The attack removes all possible counterfeiting traces arising from the original DeepFake manufacture procedure to make DeepFakes essentially more "realistic"and thus able to defeat arbitrary or unknown detectors. Concretely, we first perform an in-depth DeepFake trace discovery, identifying three intrinsic traces: spatial anomalies, spectral disparities, and noise fingerprints. Then an adversarial learning-based trace removal network (TR-Net) involving one generator and multiple discriminators is proposed. Each discriminator is responsible for one individual trace representation to avoid inner-trace interference. All discriminators are optimized in parallel to enforce the generator to remove various traces simultaneously. We additionally craft heterogeneous security scenarios where the detectors are embedded with different levels of defense and the attackers own varying background data knowledge. The experimental results show that the proposed trace removal attack can significantly compromise the detection accuracy of six state-of-the-art DeepFake detectors while causing only a negligible degradation in visual quality.
dc.language	en
dc.publisher	Institute of Electrical and Electronics Engineers (IEEE)
dc.relation	http://purl.org/au-research/grants/arc/DP200100946
dc.relation.ispartof	IEEE Transactions on Dependable and Secure Computing
dc.relation.isbasedon	10.1109/TDSC.2023.3241604
dc.rights	info:eu-repo/semantics/closedAccess
dc.subject	0803 Computer Software, 0804 Data Format, 0805 Distributed Computing
dc.subject.classification	Strategic, Defence & Security Studies
dc.subject.classification	4604 Cybersecurity and privacy
dc.subject.classification	4606 Distributed computing and systems software
dc.title	Making DeepFakes More Spurious: Evading Deep Face Forgery Detection via Trace Removal Attack
dc.type	Journal Article
utslib.citation.volume	20
utslib.for	0803 Computer Software
utslib.for	0804 Data Format
utslib.for	0805 Distributed Computing
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Strength - AAII - Australian Artificial Intelligence Institute
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
pubs.organisational-group	University of Technology Sydney/Strength - CCSP - Centre for Cyber Security and Privacy
utslib.copyright.status	closed_access	*
dc.date.updated	2024-03-13T22:34:47Z
pubs.issue	6
pubs.publication-status	Published
pubs.volume	20
utslib.citation.issue	6

Abstract:

DeepFakes are raising significant social concerns. Although various Despite various DeepFake detectors having been developed as countermeasures, their vulnerability under attacks remains further explorations. Recently, several attacks, such as adversarial attacks, have successfully fooled DeepFake detectors. However, existing attacks suffer from detector-specific designs, requiring detector-side knowledge, leading to poor transferability. Moreover, they only consider simplified security scenarios; but less is known about the attacking performance in complex scenarios where the capability of detectors or attackers varies. To fill the gap, we propose a novel, detector-agnostic trace removal attack. The attack removes all possible counterfeiting traces arising from the original DeepFake manufacture procedure to make DeepFakes essentially more "realistic"and thus able to defeat arbitrary or unknown detectors. Concretely, we first perform an in-depth DeepFake trace discovery, identifying three intrinsic traces: spatial anomalies, spectral disparities, and noise fingerprints. Then an adversarial learning-based trace removal network (TR-Net) involving one generator and multiple discriminators is proposed. Each discriminator is responsible for one individual trace representation to avoid inner-trace interference. All discriminators are optimized in parallel to enforce the generator to remove various traces simultaneously. We additionally craft heterogeneous security scenarios where the detectors are embedded with different levels of defense and the attackers own varying background data knowledge. The experimental results show that the proposed trace removal attack can significantly compromise the detection accuracy of six state-of-the-art DeepFake detectors while causing only a negligible degradation in visual quality.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/176648