Turn Fake into Real: Adversarial Head Turn Attacks Against Deepfake Detection

TL;DR

This paper introduces AdvHeat, a novel 3D adversarial attack method that synthesizes face views to fool deepfake detectors in realistic scenarios, revealing their vulnerability to such attacks.

Contribution

The paper presents the first 3D adversarial head turn attack against deepfake detectors, demonstrating high success rates and better transferability than traditional 2D attacks.

Findings

AdvHeat achieves a 96.8% success rate in black-box scenarios.

AdvHeat outperforms conventional attacks in transferability and robustness.

Generated adversarial images appear natural and realistic.

Abstract

Malicious use of deepfakes leads to serious public concerns and reduces people's trust in digital media. Although effective deepfake detectors have been proposed, they are substantially vulnerable to adversarial attacks. To evaluate the detector's robustness, recent studies have explored various attacks. However, all existing attacks are limited to 2D image perturbations, which are hard to translate into real-world facial changes. In this paper, we propose adversarial head turn (AdvHeat), the first attempt at 3D adversarial face views against deepfake detectors, based on face view synthesis from a single-view fake image. Extensive experiments validate the vulnerability of various detectors to AdvHeat in realistic, black-box scenarios. For example, AdvHeat based on a simple random search yields a high attack success rate of 96.8% with 360 searching steps. When additional query access is allowed, we can further reduce the step budget to 50. Additional analyses demonstrate that AdvHeat is better than conventional attacks on both the cross-detector transferability and robustness to defenses. The adversarial images generated by AdvHeat are also shown to have natural looks. Our code, including that for generating a multi-view dataset consisting of 360 synthetic views for each of 1000 IDs from FaceForensics++, is available at https://github.com/twowwj/AdvHeaT.