Adversarial Magnification to Deceive Deepfake Detection through Super Resolution

View on arXiv ← Back to list

Authors: Davide Alessandro Coccomini, Roberto Caldelli, Giuseppe Amato, Fabrizio Falchi, Claudio Gennaro

Published: 2024-07-02 21:17:36+00:00

AI Summary

This paper investigates the use of super-resolution (SR) techniques as a novel black-box adversarial attack to deceive deepfake detection systems. The authors demonstrate that minimal changes made by SR methods in the visual appearance of images can significantly impair the performance of deepfake detectors. The proposed attack effectively camouflages fake images (increasing false negatives) and can also generate false alarms on pristine images (increasing false positives), highlighting system vulnerabilities.

Abstract

Deepfake technology is rapidly advancing, posing significant challenges to the detection of manipulated media content. Parallel to that, some adversarial attack techniques have been developed to fool the deepfake detectors and make deepfakes even more difficult to be detected. This paper explores the application of super resolution techniques as a possible adversarial attack in deepfake detection. Through our experiments, we demonstrate that minimal changes made by these methods in the visual appearance of images can have a profound impact on the performance of deepfake detection systems. We propose a novel attack using super resolution as a quick, black-box and effective method to camouflage fake images and/or generate false alarms on pristine images. Our results indicate that the usage of super resolution can significantly impair the accuracy of deepfake detectors, thereby highlighting the vulnerability of such systems to adversarial attacks. The code to reproduce our experiments is available at: https://github.com/davide-coccomini/Adversarial-Magnification-to-Deceive-Deepfake-Detection-through-Super-Resolution

Key findings
The application of super-resolution significantly degrades the accuracy of deepfake detectors (Resnet50, Swin-Small, XceptionNet). It leads to a notable increase in False Negative Rate (FNR) up to 24.8% and, for some deepfake generation methods, a substantial increase in False Positive Rate (FPR) up to 23.9%. Despite these profound impacts on detection, the visual changes introduced by the SR attack are minimal, with high SSIM values around 0.97 and PSNR around 40dB.
Approach
The attack exploits super-resolution by detecting faces in video frames (using MTCNN), downscaling them, and then upscaling them back to original resolution using an SR model (EDSR) before re-pasting them into the frame. This process aims to smooth deepfake artifacts, making the manipulated images harder for deepfake detectors to identify, acting as a black-box attack.
Datasets
FaceForensics++ (FF++)
Model(s)
Resnet50, Swin-Small, XceptionNet (for deepfake detection); EDSR (for super-resolution attack); MTCNN (for face detection)
Author countries
Italy
← Previous
Next →