Imperceptible Adversarial Examples for Fake Image Detection
This addresses the problem of making adversarial attacks on fake image detectors more imperceptible, which is incremental but important for improving security in image forensics.
The paper tackles the vulnerability of fake image detectors to adversarial perturbations by proposing a method that identifies and attacks only key pixels, reducing perturbation norms compared to existing works. Experiments on two datasets with three detectors show state-of-the-art performance in white-box and black-box attacks.
Fooling people with highly realistic fake images generated with Deepfake or GANs brings a great social disturbance to our society. Many methods have been proposed to detect fake images, but they are vulnerable to adversarial perturbations -- intentionally designed noises that can lead to the wrong prediction. Existing methods of attacking fake image detectors usually generate adversarial perturbations to perturb almost the entire image. This is redundant and increases the perceptibility of perturbations. In this paper, we propose a novel method to disrupt the fake image detection by determining key pixels to a fake image detector and attacking only the key pixels, which results in the $L_0$ and the $L_2$ norms of adversarial perturbations much less than those of existing works. Experiments on two public datasets with three fake image detectors indicate that our proposed method achieves state-of-the-art performance in both white-box and black-box attacks.