research-article

Defeating DeepFakes via Adversarial Visual Reconstruction

Authors:

Tieniu TanAuthors Info & Claims

MM '22: Proceedings of the 30th ACM International Conference on Multimedia

Pages 2464 - 2472

https://doi.org/10.1145/3503161.3547923

Published: 10 October 2022 Publication History

Abstract

Existing DeepFake detection methods focus on passive detection, i.e., they detect fake face images by exploiting the artifacts produced during DeepFake manipulation. These detection-based methods have their limitation that they only work for ex-post forensics but cannot erase the negative influences of DeepFakes. In this work, we propose a proactive framework for combating DeepFake before the data manipulations. The key idea is to find a well defined substitute latent representation to reconstruct target facial data, leading the reconstructed face to disable the DeepFake generation. To this end, we invert face images into latent codes with a well trained auto-encoder, and search the adversarial face embeddings in their neighbor with the gradient descent method. Extensive experiments on three typical DeepFake manipulation methods, facial attribute editing, face expression manipulation, and face swapping, have demonstrated the effectiveness of our method in different settings.

Supplementary Material

MP4 File (MM22-fp736.mp4)

Presentation video

Download
20.62 MB

References

[1]

Rameen Abdal, Yipeng Qin, and Peter Wonka. 2019. Image2stylegan: How to embed images into the stylegan latent space?. In ICCV. 4432--4441.

[2]

Darius Afchar, Vincent Nozick, Junichi Yamagishi, and Isao Echizen. 2018. Mesonet: a compact facial video forgery detection network. In WIFS. 1--7.

[3]

Akshay Agarwal, Richa Singh, Mayank Vatsa, and Nalini K Ratha. 2020. Image transformation based defense against adversarial perturbation on deep learning models. IEEE Transactions on Dependable and Secure Computing, Vol. 18, 5 (2020), 2106--2121.

[4]

Shruti Agarwal, Hany Farid, Yuming Gu, Mingming He, Koki Nagano, and Hao Li. 2019. Protecting World Leaders Against Deep Fakes. In CVPRW. 38--45.

[5]

Renwang Chen, Xuanhong Chen, Bingbing Ni, and Yanhao Ge. 2020. SimSwap: An Efficient Framework For High Fidelity Face Swapping. In ACMMM. 2003--2011.

[6]

Yunjey Choi, Minje Choi, Munyoung Kim, Jung-Woo Ha, Sunghun Kim, and Jaegul Choo. 2018. Stargan: Unified generative adversarial networks for multi-domain image-to-image translation. In CVPR. 8789--8797.

[7]

Jesse Davis and Mark Goadrich. 2006. The relationship between Precision-Recall and ROC curves. In ICML. 233--240.

[8]

Jiankang Deng, Jia Guo, Niannan Xue, and Stefanos Zafeiriou. 2019. Arcface: Additive angular margin loss for deep face recognition. In CVPR. 4690--4699.

[9]

Apurva Gandhi and Shomik Jain. 2020. Adversarial Perturbations Fool Deepfake Detectors. In IJCNN. 1--8.

[10]

Ian J. Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. 2014. Generative Adversarial Nets. In NIPS. 2672--2680.

[11]

Weinan Guan, Wei Wang, Jing Dong, Bo Peng, and Tieniu Tan. 2021. Robust Face-Swap Detection Based on 3D Facial Shape Information. arXiv preprint arXiv:2104.13665 (2021).

[12]

Keke He, Zhanxiong Wang, Yanwei Fu, Rui Feng, Yu-Gang Jiang, and Xiangyang Xue. 2017. Adaptively weighted multi-task deep network for person attribute classification. In ACMMM. 1636--1644.

[13]

Zhenliang He, Wangmeng Zuo, Meina Kan, Shiguang Shan, and Xilin Chen. 2019. Attgan: Facial attribute editing by only changing what you want. TIP, Vol. 28, 11 (2019), 5464--5478.

Digital Library

[14]

Qidong Huang, Jie Zhang, Wenbo Zhou, Weiming Zhang, and Nenghai Yu. 2021. Initiative Defense against Facial Manipulation. In AAAI. 1619--1627.

[15]

Shehzeen Hussain, Paarth Neekhara, Malhar Jere, Farinaz Koushanfar, and Julian J. McAuley. 2021. Adversarial Deepfakes: Evaluating Vulnerability of Deepfake Detectors to Adversarial Examples. In WACV. 3347--3356.

[16]

Justin Johnson, Alexandre Alahi, and Li Fei-Fei. 2016. Perceptual losses for real-time style transfer and super-resolution. In ECCV. 694--711.

[17]

Amin Jourabloo and Xiaoming Liu. 2015. Pose-invariant 3D face alignment. In ICCV. 3694--3702.

[18]

Tero Karras, Timo Aila, Samuli Laine, and Jaakko Lehtinen. 2018. Progressive Growing of GANs for Improved Quality, Stability, and Variation. In ICLR.

[19]

Tero Karras, Samuli Laine, and Timo Aila. 2019. A style-based generator architecture for generative adversarial networks. In CVPR. 4401--4410.

[20]

Tero Karras, Samuli Laine, Miika Aittala, Janne Hellsten, Jaakko Lehtinen, and Timo Aila. 2020. Analyzing and improving the image quality of stylegan. In CVPR. 8110--8119.

[21]

Iryna Korshunova, Wenzhe Shi, Joni Dambre, and Lucas Theis. 2017. Fast face-swap using convolutional neural networks. In ICCV. 3677--3685.

[22]

Kimin Lee, Kibok Lee, Honglak Lee, and Jinwoo Shin. 2018. A Simple Unified Framework for Detecting Out-of-Distribution Samples and Adversarial Attacks. In NIPS. 7167--7177.

[23]

Dongze Li, Wei Wang, Hongxing Fan, and Jing Dong. 2021. Exploring Adversarial Fake Images on Face Manifold. In CVPR. 5789--5798.

[24]

Lingzhi Li, Jianmin Bao, Ting Zhang, Hao Yang, Dong Chen, Fang Wen, and Baining Guo. 2020a. Face x-ray for more general face forgery detection. In CVPR. 5001--5010.

[25]

Shasha Li, Shitong Zhu, Sudipta Paul, Amit Roy-Chowdhury, Chengyu Song, Srikanth Krishnamurthy, Ananthram Swami, and Kevin S Chan. 2020b. Connecting the dots: Detecting adversarial perturbations using context inconsistency. In ECCV. 396--413.

[26]

Yuezun Li, Xin Yang, Baoyuan Wu, and Siwei Lyu. 2019. Hiding faces in plain sight: Disrupting ai face synthesis with adversarial perturbations. arXiv preprint arXiv:1906.09288 (2019).

[27]

Ming Liu, Yukang Ding, Min Xia, Xiao Liu, Errui Ding, Wangmeng Zuo, and Shilei Wen. 2019. STGAN: A unified selective transfer network for arbitrary image attribute editing. In CVPR. 3673--3682.

[28]

Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E Houle, and James Bailey. 2018. Characterizing adversarial subspaces using local intrinsic dimensionality. In ICLR.

[29]

Scott McCloskey and Michael Albright. 2019. Detecting GAN-generated imagery using saturation cues. In ICIP. 4584--4588.

[30]

Anish Mittal, Anush Krishna Moorthy, and Alan Conrad Bovik. 2012. No-reference image quality assessment in the spatial domain. TIP, Vol. 21, 12 (2012), 4695--4708.

Digital Library

[31]

Paarth Neekhara, Brian Dolhansky, Joanna Bitton, and Cristian Canton-Ferrer. 2021. Adversarial Threats to DeepFake Detection: A Practical Perspective. In CVPRW. 923--932.

[32]

Alejandro Newell, Kaiyu Yang, and Jia Deng. 2016. Stacked hourglass networks for human pose estimation. In ECCV. Springer, 483--499.

[33]

Nicolas Papernot and Patrick McDaniel. 2018. Deep k-nearest neighbors: Towards confident, interpretable and robust deep learning. arXiv preprint arXiv:1803.04765 (2018).

[34]

Albert Pumarola, Antonio Agudo, Aleix M Martinez, Alberto Sanfeliu, and Francesc Moreno-Noguer. 2020. Ganimation: One-shot anatomically consistent facial animation. IJCV, Vol. 128, 3 (2020), 698--713.

[35]

Hua Qi, Qing Guo, Felix Juefei-Xu, Xiaofei Xie, Lei Ma, Wei Feng, Yang Liu, and Jianjun Zhao. 2020. DeepRhythm: Exposing deepfakes with attentional visual heartbeat rhythms. In ACMMM. 4318--4327.

[36]

Andreas Rossler, Davide Cozzolino, Luisa Verdoliva, Christian Riess, Justus Thies, and Matthias Nießner. 2019. Faceforensics: Learning to detect manipulated facial images. In CVPR. 1--11.

[37]

Leonid I Rudin, Stanley Osher, and Emad Fatemi. 1992. Nonlinear total variation based noise removal algorithms. Physica D: nonlinear phenomena, Vol. 60, 1--4 (1992), 259--268.

[38]

Nataniel Ruiz, Sarah Adel Bargal, and Stan Sclaroff. 2020. Disrupting deepfakes: Adversarial attacks against conditional image translation networks and facial manipulation systems. In ECCV. Springer, 236--251.

[39]

Shawn Shan, Emily Wenger, Jiayun Zhang, Huiying Li, Haitao Zheng, and Ben Y Zhao. 2020. Fawkes: Protecting privacy against unauthorized deep learning models. In $$USENIX$$ Security Symposium. 1589--1604.

[40]

Yujun Shen, Jinjin Gu, Xiaoou Tang, and Bolei Zhou. 2020. Interpreting the latent space of gans for semantic face editing. In CVPR. 9243--9252.

[41]

Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. In ICLR.

[42]

Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In ICLR.

[43]

Hossein Talebi and Peyman Milanfar. 2018. NIMA: Neural image assessment. TIP, Vol. 27, 8 (2018), 3998--4011.

[44]

Justus Thies, Michael Zollhofer, Marc Stamminger, Christian Theobalt, and Matthias Nießner. 2016. Face2face: Real-time face capture and reenactment of rgb videos. In CVPR. 2387--2395.

[45]

Weihao Xia, Yulun Zhang, Yujiu Yang, Jing-Hao Xue, Bolei Zhou, and Ming-Hsuan Yang. 2022. Gan inversion: A survey. TPAMI (2022).

[46]

Chaofei Yang, Leah Ding, Yiran Chen, and Hai Li. 2021. Defending against gan-based deepfake attacks via transformation-aware adversarial faces. In IJCNN. IEEE, 1--8.

[47]

Xin Yang, Yuezun Li, and Siwei Lyu. 2019. Exposing deep fakes using inconsistent head poses. In ICASSP. 8261--8265.

[48]

Chin-Yuan Yeh, Hsi-Wen Chen, Shang-Lun Tsai, and Sheng-De Wang. 2020. Disrupting image-translation-based deepfake algorithms with adversarial attacks. In WACVW. 53--62.

[49]

Ning Yu, Larry S Davis, and Mario Fritz. 2019. Attributing fake images to gans: Learning and analyzing gan fingerprints. In ICCV. 7556--7566.

[50]

Weixia Zhang, Kede Ma, Jia Yan, Dexiang Deng, and Zhou Wang. 2018. Blind image quality assessment using a deep bilinear convolutional neural network. TCSVT, Vol. 30, 1 (2018), 36--47.

[51]

Jianli Zhou, Chao Liang, and Jun Chen. 2020. Manifold Projection for Adversarial Defense on Face Recognition. In ECCV. 288--305.

[52]

Peng Zhou, Xintong Han, Vlad I Morariu, and Larry S Davis. 2017. Two-stream neural networks for tampered face detection. In CVPRW. 1831--1839.

[53]

Jiapeng Zhu, Yujun Shen, Deli Zhao, and Bolei Zhou. 2020. In-domain gan inversion for real image editing. In ECCV. 592--608.

[54]

Jun-Yan Zhu, Philipp Kr"ahenbühl, Eli Shechtman, and Alexei A Efros. 2016. Generative visual manipulation on the natural image manifold. In ECCV. Springer, 597--613.io

Cited By

Liu YAn JZhang WWu DGu JLin ZWang WCai JKankanhalli MPrabhakaran BBoll SSubramanian RZheng LSingh VCesar PXie LXu D(2024)Disrupting Diffusion: Token-Level Attention Erasure Attack against Diffusion-based CustomizationProceedings of the 32nd ACM International Conference on Multimedia10.1145/3664647.3681243(3587-3596)Online publication date: 28-Oct-2024
https://dl.acm.org/doi/10.1145/3664647.3681243
Qu ZXi ZLu WLuo XWang QLi B(2024)DF-RAP: A Robust Adversarial Perturbation for Defending Against Deepfakes in Real-World Social Network ScenariosIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.337280319(3943-3957)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3372803
Al-Maliki SQayyum AAli HAbdallah MQadir JHoang DNiyato DAl-Fuqaha A(2024)Adversarial Machine Learning for Social Good: Reframing the Adversary as an AllyIEEE Transactions on Artificial Intelligence10.1109/TAI.2024.33834075:9(4322-4343)Online publication date: Sep-2024
https://doi.org/10.1109/TAI.2024.3383407
Show More Cited By

Index Terms

Defeating DeepFakes via Adversarial Visual Reconstruction
1. Computing methodologies
  1. Artificial intelligence
    1. Computer vision
2. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Privacy protections

Recommendations

Security Implications of Deepfakes in Face Authentication
SAC '24: Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing

Deepfakes are media generated by deep learning and are nearly indistinguishable from real content to humans. Deepfakes have seen a significant surge in popularity in recent years. There have been numerous papers discussing their effectiveness in ...
Disrupting Deepfakes: Adversarial Attacks Against Conditional Image Translation Networks and Facial Manipulation Systems
Computer Vision – ECCV 2020 Workshops
Abstract
Face modification systems using deep learning have become increasingly powerful and accessible. Given images of a person’s face, such systems can generate new images of that same person under different expressions and poses. Some systems can also ...
Adversarial Attack on Deepfake Detection Using RL Based Texture Patches
Computer Vision – ECCV 2020 Workshops
Abstract
The advancements in GANs have made creating deepfake videos a relatively easy task. Considering the threat that deepfake videos pose for manipulating political opinion, recent research has focused on ways to better detect deepfake videos. Even ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MM '22: Proceedings of the 30th ACM International Conference on Multimedia

October 2022

7537 pages

ISBN:9781450392037

DOI:10.1145/3503161

General Chairs:
João Magalhães
NOVA University of Lisbon, Portugal
,
Alberto del Bimbo
University of Florence, Italy
,
Shin'ichi Satoh
National Institute of Informatics, Japan
,
Nicu Sebe
University of Trento, Italy
,
Program Chairs:
Xavier Alameda-Pineda
Inria, Grenoble, France
,
Qin Jin
Renmin University of China, China
,
Vincent Oria
New Jersey Institute of Technology, USA
,
Laura Toni
University College London, UK

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGMM: ACM Special Interest Group on Multimedia

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 October 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

the National Key Research and Development Program of China
National Natural Science Foundation of China

Conference

MM '22

Sponsor:

SIGMM

MM '22: The 30th ACM International Conference on Multimedia

October 10 - 14, 2022

Lisboa, Portugal

Acceptance Rates

Overall Acceptance Rate 2,145 of 8,556 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
731
Total Downloads

Downloads (Last 12 months)204
Downloads (Last 6 weeks)17

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Liu YAn JZhang WWu DGu JLin ZWang WCai JKankanhalli MPrabhakaran BBoll SSubramanian RZheng LSingh VCesar PXie LXu D(2024)Disrupting Diffusion: Token-Level Attention Erasure Attack against Diffusion-based CustomizationProceedings of the 32nd ACM International Conference on Multimedia10.1145/3664647.3681243(3587-3596)Online publication date: 28-Oct-2024
https://dl.acm.org/doi/10.1145/3664647.3681243
Qu ZXi ZLu WLuo XWang QLi B(2024)DF-RAP: A Robust Adversarial Perturbation for Defending Against Deepfakes in Real-World Social Network ScenariosIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.337280319(3943-3957)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3372803
Al-Maliki SQayyum AAli HAbdallah MQadir JHoang DNiyato DAl-Fuqaha A(2024)Adversarial Machine Learning for Social Good: Reframing the Adversary as an AllyIEEE Transactions on Artificial Intelligence10.1109/TAI.2024.33834075:9(4322-4343)Online publication date: Sep-2024
https://doi.org/10.1109/TAI.2024.3383407
Wang CShi CWang SXia ZMa B(2024)Dual-Task Mutual Learning With QPHFM Watermarking for Deepfake DetectionIEEE Signal Processing Letters10.1109/LSP.2024.343810131(2740-2744)Online publication date: 2024
https://doi.org/10.1109/LSP.2024.3438101
Dong SChen BMa KZhao G(2024)Active Defense Against Voice Conversion Through Generative Adversarial NetworkIEEE Signal Processing Letters10.1109/LSP.2024.336503431(706-710)Online publication date: 2024
https://doi.org/10.1109/LSP.2024.3365034
Wang ZWang XXie YFu RWen ZTao JLiu YLi GQi XLu YLiu XLi Y(2024)A Noval Feature via Color Quantisation for Fake Audio Detection2024 IEEE 14th International Symposium on Chinese Spoken Language Processing (ISCSLP)10.1109/ISCSLP63861.2024.10800257(1-5)Online publication date: 7-Nov-2024
https://doi.org/10.1109/ISCSLP63861.2024.10800257
Zeng SWang WHuang FFang Y(2024)LOFT: Latent Space Optimization and Generator Fine-Tuning for Defending Against DeepfakesICASSP 2024 - 2024 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)10.1109/ICASSP48485.2024.10447890(4750-4754)Online publication date: 14-Apr-2024
https://doi.org/10.1109/ICASSP48485.2024.10447890
Park JPark LAhn HKwon T(2024)Coexistence of Deepfake Defenses: Addressing the Poisoning ChallengeIEEE Access10.1109/ACCESS.2024.335378512(11674-11687)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3353785
Guo YWang XFu XLiu JLi ZHan J(2024)Generative Universal Nullifying Perturbation for Countering Deepfakes Through Combined Unsupervised Feature AggregationArtificial Neural Networks and Machine Learning – ICANN 202410.1007/978-3-031-72335-3_20(289-303)Online publication date: 17-Sep-2024
https://doi.org/10.1007/978-3-031-72335-3_20
Jiang TYu HMeng WQi P(2024)Towards Retentive Proactive Defense Against DeepFakesTools for Design, Implementation and Verification of Emerging Information Technologies10.1007/978-3-031-51399-2_8(139-153)Online publication date: 5-Jan-2024
https://doi.org/10.1007/978-3-031-51399-2_8
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten