Uncovering and Mitigating Destructive Multi-Embedding Attacks in Deepfake Proactive Forensics
Lixin Jia, Haiyang Sun, Zhiqing Guo, Yunfeng Diao, Dan Ma, Gaobo Yang

TL;DR
This paper identifies the vulnerability of current deepfake forensic watermarks to multi-embedding attacks and proposes a training paradigm that enhances watermark robustness against such attacks.
Contribution
It formally defines Multi-Embedding Attacks and introduces Adversarial Interference Simulation, a training method that improves watermark resilience without changing network architecture.
Findings
Enhanced robustness of watermark extraction after multiple embeddings
Significant improvement in defending against Multi-Embedding Attacks
Applicable to various existing forensic methods
Abstract
With the rapid evolution of deepfake technologies and the wide dissemination of digital media, personal privacy is facing increasingly serious security threats. Deepfake proactive forensics, which involves embedding imperceptible watermarks to enable reliable source tracking, serves as a crucial defense against these threats. Although existing methods show strong forensic ability, they rely on an idealized assumption of single watermark embedding, which proves impractical in real-world scenarios. In this paper, we formally define and demonstrate the existence of Multi-Embedding Attacks (MEA) for the first time. When a previously protected image undergoes additional rounds of watermark embedding, the original forensic watermark can be destroyed or removed, rendering the entire proactive forensic mechanism ineffective. To address this vulnerability, we propose a general training paradigm…
Taxonomy
Topics: Digital Media Forensic Detection · Advanced Steganography and Watermarking Techniques · Generative Adversarial Networks and Image Synthesis
