Diffusion-Guided Adversarial Perturbation Injection for Generalizable Defense Against Facial Manipulations

TL;DR

AEGIS introduces a diffusion-guided adversarial perturbation method injected into latent space to enhance facial deepfake defense, overcoming pixel-level constraints and supporting both white-box and black-box scenarios.

Contribution

This work presents the first diffusion-guided paradigm for adversarial facial image generation aimed at identity shielding, improving effectiveness and transferability over existing methods.

Findings

AEGIS achieves robust disruption of deepfake manipulations in white-box settings.

It demonstrates strong transferability and effectiveness in black-box scenarios.

The method maintains high perceptual quality of images.

Abstract

Recent advances in GAN and diffusion models have significantly improved the realism and controllability of facial deepfake manipulation, raising serious concerns regarding privacy, security, and identity misuse. Proactive defenses attempt to counter this threat by injecting adversarial perturbations into images before manipulation takes place. However, existing approaches remain limited in effectiveness due to suboptimal perturbation injection strategies and are typically designed under white-box assumptions, targeting only simple GAN-based attribute editing. These constraints hinder their applicability in practical real-world scenarios. In this paper, we propose AEGIS, the first diffusion-guided paradigm in which the AdvErsarial facial images are Generated for Identity Shielding. We observe that the limited defense capability of existing approaches stems from the peak-clipping constraint, where perturbations are forcibly truncated due to a fixed $L_\infty$-bounded. To overcome this limitation, instead of directly modifying pixels, AEGIS injects adversarial perturbations into the latent space along the DDIM denoising trajectory, thereby decoupling the perturbation magnitude from pixel-level constraints and allowing perturbations to adaptively amplify where most effective. The extensible design of AEGIS allows the defense to be expanded from purely white-box use to also support black-box scenarios through a gradient-estimation strategy. Extensive experiments across GAN and diffusion-based deepfake generators show that AEGIS consistently delivers strong defense effectiveness while maintaining high perceptual quality. In white-box settings, it achieves robust manipulation disruption, whereas in black-box settings, it demonstrates strong cross-model transferability.