2D-Malafide: Adversarial Attacks Against Face Deepfake Detection Systems

TL;DR

This paper presents 2D-Malafide, a lightweight adversarial attack using 2D convolutional filters that significantly reduces the effectiveness of face deepfake detection systems, revealing their vulnerability.

Contribution

The paper introduces 2D-Malafide, a novel attack method leveraging 2D convolutional filters to craft transferable adversarial perturbations against deepfake detectors.

Findings

2D-Malafide significantly degrades detection accuracy

Attack effectiveness increases with larger filter sizes

Transferability of attacks across different images is demonstrated

Abstract

We introduce 2D-Malafide, a novel and lightweight adversarial attack designed to deceive face deepfake detection systems. Building upon the concept of 1D convolutional perturbations explored in the speech domain, our method leverages 2D convolutional filters to craft perturbations which significantly degrade the performance of state-of-the-art face deepfake detectors. Unlike traditional additive noise approaches, 2D-Malafide optimises a small number of filter coefficients to generate robust adversarial perturbations which are transferable across different face images. Experiments, conducted using the FaceForensics++ dataset, demonstrate that 2D-Malafide substantially degrades detection performance in both white-box and black-box settings, with larger filter sizes having the greatest impact. Additionally, we report an explainability analysis using GradCAM which illustrates how 2D-Malafide misleads detection systems by altering the image areas used most for classification. Our findings highlight the vulnerability of current deepfake detection systems to convolutional adversarial attacks as well as the need for future work to enhance detection robustness through improved image fidelity constraints.