UnGANable: Defending Against GAN-based Face Manipulation

View on arXiv ← Back to list

Authors: Zheng Li, Ning Yu, Ahmed Salem, Michael Backes, Mario Fritz, Yang Zhang

Published: 2022-10-03 14:20:01+00:00

Comment: Accepted by USENIX Security 2023

AI Summary

UnGANable is proposed as the first defense system against GAN-inversion-based face manipulation, a prevalent deepfake application. It operates by generating imperceptibly altered "cloaked images" from original "target images" to disrupt the GAN inversion process. This proactive defense aims to prevent adversaries from obtaining accurate latent codes, thereby thwarting subsequent malicious face manipulation effectively and with high utility.

Abstract

Deepfakes pose severe threats of visual misinformation to our society. One representative deepfake application is face manipulation that modifies a victim's facial attributes in an image, e.g., changing her age or hair color. The state-of-the-art face manipulation techniques rely on Generative Adversarial Networks (GANs). In this paper, we propose the first defense system, namely UnGANable, against GAN-inversion-based face manipulation. In specific, UnGANable focuses on defending GAN inversion, an essential step for face manipulation. Its core technique is to search for alternative images (called cloaked images) around the original images (called target images) in image space. When posted online, these cloaked images can jeopardize the GAN inversion process. We consider two state-of-the-art inversion techniques including optimization-based inversion and hybrid inversion, and design five different defenses under five scenarios depending on the defender's background knowledge. Extensive experiments on four popular GAN models trained on two benchmark face datasets show that UnGANable achieves remarkable effectiveness and utility performance, and outperforms multiple baseline methods. We further investigate four adaptive adversaries to bypass UnGANable and show that some of them are slightly effective.

Key findings
UnGANable achieves remarkable effectiveness and utility in defending against GAN-inversion-based face manipulation, consistently outperforming multiple baseline image distortion methods. While some adaptive adversaries like spatial smoothing and increased inversion iterations show slight effectiveness, they incur significant computational costs or have limited impact. The defense is particularly effective on real images, requiring even lower perturbation budgets to achieve strong protection compared to generated images.
Approach
The system defends against GAN-inversion-based face manipulation by searching for minimally perturbed 'cloaked images' in the image space. These cloaked images are designed to maximize deviations in both the latent and feature spaces when an adversary attempts GAN inversion. Five different defense strategies are designed across various scenarios, depending on the defender's knowledge of the adversary's GAN models and inversion techniques.
Datasets
CelebA, FFHQ
Model(s)
UNKNOWN
Author countries
Germany, USA
← Previous
Next →