Take Fake as Real: Realistic-like Robust Black-box Adversarial Attack to Evade AIGC Detection

TL;DR

This paper introduces R²BA, a novel black-box adversarial attack that uses real-world post-processing techniques to evade AIGC detectors effectively, improving robustness and invisibility over existing methods.

Contribution

The paper proposes R²BA, a realistic-like adversarial attack leveraging post-processing fusion optimization to evade AIGC detectors, addressing limitations of prior attacks on multi-class and diffusion-based models.

Findings

R²BA achieves 15-72% improvement in anti-detection performance.

It demonstrates strong robustness against various AIGC detectors.

The attack maintains high invisibility and effectiveness in real-world scenarios.

Abstract

The security of AI-generated content (AIGC) detection is crucial for ensuring multimedia content credibility. To enhance detector security, research on adversarial attacks has become essential. However, most existing adversarial attacks focus only on GAN-generated facial images detection, struggle to be effective on multi-class natural images and diffusion-based detectors, and exhibit poor invisibility. To fill this gap, we first conduct an in-depth analysis of the vulnerability of AIGC detectors and discover the feature that detectors vary in vulnerability to different post-processing. Then, considering that the detector is agnostic in real-world scenarios and given this discovery, we propose a Realistic-like Robust Black-box Adversarial attack (R$^2$BA) with post-processing fusion optimization. Unlike typical perturbations, R$^2$BA uses real-world post-processing, i.e., Gaussian blur, JPEG compression, Gaussian noise and light spot to generate adversarial examples. Specifically, we use a stochastic particle swarm algorithm with inertia decay to optimize post-processing fusion intensity and explore the detector's decision boundary. Guided by the detector's fake probability, R$^2$BA enhances/weakens the detector-vulnerable/detector-robust post-processing intensity to strike a balance between adversariality and invisibility. Extensive experiments on popular/commercial AIGC detectors and datasets demonstrate that R$^2$BA exhibits impressive anti-detection performance, excellent invisibility, and strong robustness in GAN-based and diffusion-based cases. Compared to state-of-the-art white-box and black-box attacks, R$^2$BA shows significant improvements of 15\%--72\% and 21\%--47\% in anti-detection performance under the original and robust scenario respectively, offering valuable insights for the security of AIGC detection in real-world applications.