CV | CR | Apr 1, 2020

Evading Deepfake-Image Detectors with White- and Black-Box Attacks

arXiv:2004.00622v1 | 182 citations
AI Analysis

This reveals critical security flaws in image-forensic systems used for detecting disinformation, which is an incremental but important finding for cybersecurity and media integrity.

The paper tackles the vulnerability of deepfake-image detectors by showing that state-of-the-art forensic classifiers can be evaded with attacks that reduce their AUC to near zero in some cases; for example, flipping the lowest bit of each pixel yields an AUC of 0.0005.

It is now possible to synthesize highly realistic images of people who don't exist. Such content has, for example, been implicated in the creation of fraudulent social-media profiles responsible for disinformation campaigns. Significant efforts are, therefore, being deployed to detect synthetically-generated content. One popular forensic approach trains a neural network to distinguish real from synthetic content. We show that such forensic classifiers are vulnerable to a range of attacks that reduce the classifier to near-0% accuracy. We develop five attack case studies on a state-of-the-art classifier that achieves an area under the ROC curve (AUC) of 0.95 on almost all existing image generators, when only trained on one generator. With full access to the classifier, we can flip the lowest bit of each pixel in an image to reduce the classifier's AUC to 0.0005; perturb 1% of the image area to reduce the classifier's AUC to 0.08; or add a single noise pattern in the synthesizer's latent space to reduce the classifier's AUC to 0.17. We also develop a black-box attack that, with no access to the target classifier, reduces the AUC to 0.22. These attacks reveal significant vulnerabilities of certain image-forensic classifiers.
