Poisoned Forgery Face: Towards Backdoor Attacks on Face Forgery Detection

TL;DR

This paper reveals a novel backdoor attack method on face forgery detection models, demonstrating how trigger patterns can deceive detectors and highlighting the need for improved defenses.

Contribution

It introduces the Poisoned Forgery Face framework for clean-label backdoor attacks, including a scalable trigger generator and a stealthy poisoning strategy, surpassing state-of-the-art baselines.

Findings

Achieves +16.39% attack success rate over baselines

Reduces trigger visibility by 12.65% in $L_infty$ norm

Demonstrates robustness against backdoor defenses

Abstract

The proliferation of face forgery techniques has raised significant concerns within society, thereby motivating the development of face forgery detection methods. These methods aim to distinguish forged faces from genuine ones and have proven effective in practical applications. However, this paper introduces a novel and previously unrecognized threat in face forgery detection scenarios caused by backdoor attack. By embedding backdoors into models and incorporating specific trigger patterns into the input, attackers can deceive detectors into producing erroneous predictions for forged faces. To achieve this goal, this paper proposes \emph{Poisoned Forgery Face} framework, which enables clean-label backdoor attacks on face forgery detectors. Our approach involves constructing a scalable trigger generator and utilizing a novel convolving process to generate translation-sensitive trigger patterns. Moreover, we employ a relative embedding method based on landmark-based regions to enhance the stealthiness of the poisoned samples. Consequently, detectors trained on our poisoned samples are embedded with backdoors. Notably, our approach surpasses SoTA backdoor baselines with a significant improvement in attack success rate (+16.39\% BD-AUC) and reduction in visibility (-12.65\% $L_\infty$). Furthermore, our attack exhibits promising performance against backdoor defenses. We anticipate that this paper will draw greater attention to the potential threats posed by backdoor attacks in face forgery detection scenarios. Our codes will be made available at \url{https://github.com/JWLiang007/PFF}