Where the Devil Hides: Deepfake Detectors Can No Longer Be Trusted

TL;DR

This paper reveals the vulnerability of Deepfake detectors to malicious backdoor attacks via poisoned training data, proposing a stealthy trigger generator and poisoning scenarios to demonstrate the threat.

Contribution

It introduces a novel trigger generator for backdoor attacks on Deepfake detectors and analyzes two poisoning scenarios, highlighting security risks in third-party trained models.

Findings

Backdoors can be effectively injected into Deepfake detectors.

Stealthy triggers are hard to detect and can manipulate detector behavior.

Experiments confirm the practicality and effectiveness of the proposed method.

Abstract

With the advancement of AI generative techniques, Deepfake faces have become incredibly realistic and nearly indistinguishable to the human eye. To counter this, Deepfake detectors have been developed as reliable tools for assessing face authenticity. These detectors are typically developed on Deep Neural Networks (DNNs) and trained using third-party datasets. However, this protocol raises a new security risk that can seriously undermine the trustfulness of Deepfake detectors: Once the third-party data providers insert poisoned (corrupted) data maliciously, Deepfake detectors trained on these datasets will be injected ``backdoors'' that cause abnormal behavior when presented with samples containing specific triggers. This is a practical concern, as third-party providers may distribute or sell these triggers to malicious users, allowing them to manipulate detector performance and escape accountability. This paper investigates this risk in depth and describes a solution to stealthily infect Deepfake detectors. Specifically, we develop a trigger generator, that can synthesize passcode-controlled, semantic-suppression, adaptive, and invisible trigger patterns, ensuring both the stealthiness and effectiveness of these triggers. Then we discuss two poisoning scenarios, dirty-label poisoning and clean-label poisoning, to accomplish the injection of backdoors. Extensive experiments demonstrate the effectiveness, stealthiness, and practicality of our method compared to several baselines.