Exploring Adversarial Fake Images on Face Manifold

TL;DR

This paper introduces a method to generate adversarial fake face images by searching on the face manifold, effectively fooling deepfake detection models while preserving image quality.

Contribution

It proposes a novel latent space optimization approach to create adversarial face images that bypass forensic detectors without adding suspicious noise.

Findings

Adversarial images reduce detection accuracy from over 90% to nearly 0%.

Manipulating style and noise vectors affects attack success rate.

Generated images mainly alter facial textures and attributes.

Abstract

Images synthesized by powerful generative adversarial network (GAN) based methods have drawn moral and privacy concerns. Although image forensic models have reached great performance in detecting fake images from real ones, these models can be easily fooled with a simple adversarial attack. But, the noise adding adversarial samples are also arousing suspicion. In this paper, instead of adding adversarial noise, we optimally search adversarial points on face manifold to generate anti-forensic fake face images. We iteratively do a gradient-descent with each small step in the latent space of a generative model, e.g. Style-GAN, to find an adversarial latent vector, which is similar to norm-based adversarial attack but in latent space. Then, the generated fake images driven by the adversarial latent vectors with the help of GANs can defeat main-stream forensic models. For examples, they make the accuracy of deepfake detection models based on Xception or EfficientNet drop from over 90% to nearly 0%, meanwhile maintaining high visual quality. In addition, we find manipulating style vector $z$ or noise vectors $n$ at different levels have impacts on attack success rate. The generated adversarial images mainly have facial texture or face attributes changing.