Elsevier

Signal Processing

Volume 203, February 2023, 108790

Coherent adversarial deepfake video generation

https://doi.org/10.1016/j.sigpro.2022.108790

Highlights

  • Adversarial attacks can serve as an ancillary technique that helps deepfake videos fool CNN-based detectors.

  • Adversarial perturbations generated frame by frame disrupt the consistency of adjacent deepfake video frames and yield only weakly adversarial deepfake videos.

  • A robust detection method that utilizes the coherence error is proposed to distinguish weakly adversarial deepfake videos from clean ones.

  • Coherent adversarial deepfake videos are imperceptible to human eyes and can also evade CNN-based deepfake video detection.

  • Optical flow helps restrict the temporal coherence of adversarial perturbations among frames and a well-designed adaptive distortion can measure the complexity of each frame to keep the adversarial modification imperceptible.

Abstract

Deepfake video has developed rapidly and attracted public concern due to its wide potential applications, but deepfake videos can be easily distinguished by DNN-based detection approaches. Owing to the vulnerability of DNNs, adversarial attacks can be an effective way to degrade deepfake detection, but current adversarial attack techniques are commonly designed for individual images and are easily perceived at the video level. To reveal the weakness of current attack methods, we first propose a robust detector, aimed at weakly adversarial deepfake videos, that utilizes temporal consistency to discriminate between clean and perturbed videos, achieving maximum success rates of 100%. We then propose a novel framework for generating high-quality adversarial deepfake videos that can fool deepfake detectors and evade the detection of adversarial perturbations simultaneously. Two pivotal techniques are used to improve the visual quality and the imperceptibility of adversarial perturbations: (i) optical flow is adopted to restrict the temporal coherence of adversarial perturbations among frames; (ii) an adaptive distortion cost measures the complexity of each frame and helps keep the adversarial modification imperceptible. We demonstrate the effectiveness of our methods in disrupting representative DNN-based deepfake detectors. Extensive experiments show the great improvement in coherence, visual quality, and imperceptibility of the adversarial deepfake videos. Furthermore, we hope that our adversarial deepfake generation framework can shed some light on detection methods and help fix their weaknesses.

Introduction

With the tremendous success of deep generative models [1], [2], [3], [4] and extensive entertainment needs, face creation and manipulation have been one of the most popular topics in recent years, known as DeepFake. Depending on the manipulation goal, current methods can be categorized into identity swap [5], [6] that replaces the target identity with the source identity instead, attributes editing [7], [8] which modifies the expression, hairstyle or other attributes while keeping the original identity, and face synthesis [3], [4] aiming to generate non-existent face images. Some of these methods generate high-quality fake videos that are imperceptible to human eyes.

However, invisible artifacts of deepfake videos can be easily perceived by deepfake detectors. Many face manipulation detection methods have been developed to mitigate the potential risk of deepfake videos. According to how features are extracted, current face manipulation detection methods can be roughly categorized into two types: handcrafted feature-based detection and deep learning-based detection. Deep learning-based techniques usually achieve better performance, especially when faced with massive amounts of data.

CNN-based face manipulation detection methods have increased rapidly in recent years due to the development of deep learning. This type of detection method usually extracts features with convolutional layers [9], [10], [11] and constructs a face forensics network based on an image classification network architecture. Recently, Rossler et al. [12] proposed a general framework for the face manipulation detection task, which adopts XceptionNet [13] as the main architecture and obtains good performance. The CNN-based detection methods outperform human heuristics due to the powerful ability of deep neural networks and rich data sources. Thus many more effective methods following this framework have been proposed [14], [15], [16] for better accuracy and transferability, and they bring a new challenge to deepfake video generation.

However, CNN-based detection methods can be easily fooled by adversarial attacks [17], which exploit an inherent vulnerability of CNNs. This technique can be an effective way to mislead the classification of CNN-based detectors and can be introduced as an ancillary way for face manipulation to fool human eyes and CNN-based detectors simultaneously. To generate adversarial deepfake videos, current adversarial attack methods [18], [19], [20] commonly generate the adversarial perturbation frame by frame, which causes visual vibrations that are perceptible to human eyes at the video level. Moreover, adversarial perturbations generated independently on each frame can also be easily detected at the video level. To demonstrate that frame-independent adversarial perturbation generation can be easily detected, in this paper we first propose a simple but novel framework inspired by the intrinsic coherence in the time domain. We first utilize a denoising network to obtain an intermediate video, and calculate the coherence score [21] of the original video and the intermediate video respectively. We can easily classify whether the video has been perturbed according to the disparity of the coherence scores. Therefore, how to simultaneously ensure attack effectiveness and temporal consistency in perturbed manipulated videos is worthy of further research.
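The detection idea in the paragraph above, as an added illustration that is not code from the paper: this sketch assumes a known per-frame translation in place of estimated optical flow, a 3x3 box blur in place of the denoising network, and a mean-squared warping error as the coherence score. All function names, the constructed clip and the threshold are hypothetical.

```python
import numpy as np

def make_clip(n_frames=8, size=32, shift=(0, 1)):
    """Constructed sample: a smooth texture translating by `shift` pixels per frame."""
    y, x = np.mgrid[0:size, 0:size] * (2 * np.pi / size)
    base = 0.5 + 0.25 * np.sin(3 * x) * np.cos(2 * y)
    return np.stack([np.roll(base, (t * shift[0], t * shift[1]), axis=(0, 1))
                     for t in range(n_frames)])

def coherence_error(clip, shift=(0, 1)):
    """MSE between each frame and the previous frame warped along the (assumed known) flow."""
    warped_prev = np.roll(clip[:-1], shift, axis=(1, 2))
    return float(np.mean((clip[1:] - warped_prev) ** 2))

def box_denoise(clip):
    """3x3 periodic box blur: an assumed stand-in for the denoising network."""
    acc = np.zeros_like(clip)
    for dy in (-1, 0, 1):
        for dx in (-1, 0, 1):
            acc += np.roll(clip, (dy, dx), axis=(1, 2))
    return acc / 9.0

def coherence_disparity(clip, shift=(0, 1)):
    """Coherence error of the input minus that of its denoised (intermediate) version."""
    return coherence_error(clip, shift) - coherence_error(box_denoise(clip), shift)

def is_perturbed(clip, threshold=1e-4, shift=(0, 1)):
    """Flag a clip whose temporal incoherence is largely removed by denoising."""
    return coherence_disparity(clip, shift) > threshold

def add_framewise_noise(clip, eps=8 / 255, seed=0):
    """Independent +/-eps noise on every frame, modelling frame-by-frame perturbation."""
    rng = np.random.default_rng(seed)
    return clip + eps * rng.choice([-1.0, 1.0], size=clip.shape)

if __name__ == "__main__":
    clean = make_clip()
    noisy = add_framewise_noise(clean)
    for name, clip in (("clean", clean), ("frame-wise noise", noisy)):
        print(f"{name:17s} disparity={coherence_disparity(clip):.6f} "
              f"flagged={is_perturbed(clip)}")
```

In a real pipeline the threshold would be calibrated on clean videos, since estimated optical flow and compression leave a nonzero coherence error even without any perturbation.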

To address the problem caused by independent adversarial perturbation generation and preserve the temporal coherence of adjacent frames, we consider warping adversarial noises from the previous frame to the current one as a restriction. In this case, the adversarial noises change position guided entirely by the motion of the original video. Such a preliminary strategy is capable of making perturbed videos as coherent as possible. Although the preliminary strategy makes the perturbed videos smooth and stable, directly adding adversarial noise warped from the previous frame will reduce the attack success rate to a certain extent. To balance visual stability and attack success rate, we design a loss function to restrict the generation of adversarial noises. Thus we utilize the video optical flow between adjacent frames to restrict the generation of adversarial perturbation. Last but not least, an adaptive distortion cost, motivated by steganography, is introduced to measure the texture degree of image regions and help constrain the perturbations to complex texture areas (e.g., eyes, eyebrows, nose and hair) to keep the visual quality of videos. By doing this, we can not only guarantee the effectiveness of the attack, but also preserve the coherence between frames as much as possible.

To verify the effectiveness of our method, we have conducted extensive experiments on different challenging cases. The results demonstrate the effectiveness of our method when attacking different defense models, and the superiority of our method over several state-of-the-art ones. To summarize, the main contributions of our method are threefold:

  • We propose a robust adversarial deepfake video detector utilizing the coherence error over consecutive frames to distinguish adversarial videos from clean ones. The detector can effectively detect weakly adversarial deepfake videos generated by current adversarial attack methods, which add perturbations frame by frame to deepfake videos.

  • To the best of our knowledge, this is the first attempt at generating coherent adversarial deepfake videos that fool human eyes and CNN-based detectors simultaneously. We demonstrate the effectiveness of our method in attacking different deepfake video detectors.

  • We leverage the optical flow for restricting the generation of adversarial perturbations to keep the consistency between adjacent frames. We also introduce an adaptive distortion cost to constrain the total perturbations for improving the visual quality and the imperceptibility of adversarial deepfake videos.

The rest of the paper is organized as follows: we first make a brief summary of previous related work in Section 2. Next, our approach is described in detail in Section 3, including robust detection for weakly adversarial deepfake videos and coherent adversarial deepfake videos generation. Then we exhibit the experimental validation in Section 4. Finally, we conclude our work by discussing the significance of our result and related research prospects in Section 5.

Section snippets

Face manipulation methods

Face manipulation is indeed a classical research problem in computer vision and graphics. Early works [22], [23], [24] swap the faces between the source and the target automatically by building a face library or the active appearance model. It can be used for broad entertainment applications and face re-identification. Recent rapid progress in deep generative models [1], [2] has reignited the interests of both academia and industry. To achieve different goals, existing face manipulation methods

Methodology

In this section, we first show that the current adversarial deepfake video generation methods result in a decline in visual quality and are easily detectable at the video level, and thus we propose a robust detector for detecting current weakly adversarial deepfake videos. To solve this problem, we then illustrate the proposed coherent adversarial deepfake video generation framework together with its novel modules for better undetectability and higher visual quality. Finally, in

Datasets and networks

We validate the proposed framework on FaceForensics++ (FF++) [12] and CelebDF v2 [45]. FaceForensics++ includes four manipulation methods, namely Deepfakes [5], Face2Face [7], FaceSwap [6] and NeuralTextures [46], and it covers 4000 manipulated videos produced with the 4 different manipulations and 1000 original videos. CelebDF v2 has 590 original videos and 5639 high-quality deepfake videos. For all experiments, we split FaceForensics++ and CelebDF v2 into a fixed training, validation, and test set according

Conclusion

In this paper, we propose a novel framework for generating coherent adversarial deepfake videos. Videos produced by current deepfake generation methods can be easily detected by CNN-based deepfake detectors, so ancillary techniques are required to help evade detection. Adversarial attacks are commonly used to fool CNN-based classification models. However, current adversarial attack methods are powerless to keep the coherence of video frames.

To reveal the weakness of current methods, we first

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported in part by the Natural Science Foundation of China under Grant U20B2047, 62072421, 62002334, 62102386 and 62121002, Key Research and Development program of Anhui Province under Grant 2022k07020008, the Fundamental Research Funds for the Central Universities under Grant WK5290000003, Ant Group through CCF-Ant Innovative Research Program CCF-AFSG RF20210025, Alibaba Group through Alibaba Innovative Research Program. This work was also partly supported by Meituan and

References (49)

  • H. Kim et al., Deep video portraits, ACM Transactions on Graphics (TOG) (2018)
  • I. Goodfellow, J. Pougetabadie, M. Mirza, B. Xu, D. Wardefarley, S. Ozair, A. Courville, Y. Bengio, Generative...
  • D.P. Kingma et al., Auto-encoding variational bayes, arXiv preprint arXiv:1312.6114 (2013)
  • T. Karras et al., Progressive growing of gans for improved quality, stability, and variation, arXiv preprint arXiv:1710.10196 (2017)
  • T. Karras et al., Analyzing and improving the image quality of stylegan, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (2020)
  • DeepFakes, Deepfakes github, 2017, (http://github.com/deepfakes/faceswap). Accessed July 28,...
  • MarekKowalski, Faceswap github, (https://github.com/MarekKowalski/FaceSwap), Accessed July 28,...
  • J. Thies et al., Face2face: Real-time face capture and reenactment of RGB videos, Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (2016)
  • D. Afchar et al., Mesonet: a compact facial video forgery detection network, 2018 IEEE International Workshop on Information Forensics and Security (WIFS) (2018)
  • B. Bayar et al., A deep learning approach to universal image manipulation detection using a new convolutional layer, Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security (2016)
  • N. Rahmouni et al., Distinguishing computer graphics from natural images using convolution neural networks, 2017 IEEE Workshop on Information Forensics and Security (WIFS) (2017)
  • A. Rössler et al., Faceforensics++: learning to detect manipulated facial images, arXiv preprint arXiv:1901.08971 (2019)
  • F. Chollet, Xception: Deep learning with depthwise separable convolutions, Proceedings of the IEEE conference on computer vision and pattern recognition (2017)
  • L. Li et al., Face x-ray for more general face forgery detection, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (2020)
  • Y. Qian et al., Thinking in frequency: Face forgery detection by mining frequency-aware clues, European Conference on Computer Vision (2020)
  • H. Liu et al., Spatial-phase shallow learning: rethinking face forgery detection in frequency domain, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (2021)
  • I.J. Goodfellow et al., Explaining and harnessing adversarial examples, arXiv preprint arXiv:1412.6572 (2014)
  • N. Carlini et al., Evading deepfake-image detectors with white-and black-box attacks, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (2020)
  • A. Gandhi et al., Adversarial perturbations fool deepfake detectors, arXiv preprint arXiv:2003.10596 (2020)
  • P. Neekhara et al., Adversarial deepfakes: evaluating vulnerability of deepfake detectors to adversarial examples, arXiv preprint arXiv:2002.12749 (2020)
  • D. Chen et al., Coherent online video style transfer, Proceedings of the IEEE International Conference on Computer Vision (2017)
  • D. Bitouk et al., Face swapping: automatically replacing faces in photographs (2008)
  • V. Blanz et al., Exchanging faces in images (2004)
  • H. Wang, C. Pan, H. Gong, H. Wu, Facial image composition based on active appearance model (2008)...