On the Vulnerability of DeepFake Detectors to Attacks Generated by Denoising Diffusion Models

TL;DR

This paper reveals that state-of-the-art deepfake detectors are vulnerable to attacks generated by denoising diffusion models, which can evade detection without perceptible image changes, highlighting a need for more robust detection methods.

Contribution

The study introduces a novel diffusion-based attack method on deepfake detectors and evaluates its effectiveness, exposing weaknesses in current detection approaches.

Findings

Single diffusion step significantly reduces detection likelihood.

Detectors trained on diffusion-based deepfakes have limited generalizability.

Diffusion-based attacks can evade detection without perceptible image quality loss.

Abstract

The detection of malicious deepfakes is a constantly evolving problem that requires continuous monitoring of detectors to ensure they can detect image manipulations generated by the latest emerging models. In this paper, we investigate the vulnerability of single-image deepfake detectors to black-box attacks created by the newest generation of generative methods, namely Denoising Diffusion Models (DDMs). Our experiments are run on FaceForensics++, a widely used deepfake benchmark consisting of manipulated images generated with various techniques for face identity swapping and face reenactment. Attacks are crafted through guided reconstruction of existing deepfakes with a proposed DDM approach for face restoration. Our findings indicate that employing just a single denoising diffusion step in the reconstruction process of a deepfake can significantly reduce the likelihood of detection, all without introducing any perceptible image modifications. While training detectors using attack examples demonstrated some effectiveness, it was observed that discriminators trained on fully diffusion-based deepfakes exhibited limited generalizability when presented with our attacks.