Misleading Deep-Fake Detection with GAN Fingerprints
This addresses the vulnerability of deep-fake detection methods for security applications, but it is incremental as it builds on existing counterattack research.
The paper tackles the problem of deep-fake detection by introducing a novel class of counterattacks that remove GAN fingerprints from the frequency spectrum of generated images, showing that adversaries can often evade detection.
Generative adversarial networks (GANs) have made remarkable progress in synthesizing realistic-looking images that effectively outsmart even humans. Although several detection methods can recognize these deep fakes by checking for image artifacts from the generation process, multiple counterattacks have demonstrated their limitations. These attacks, however, still require certain conditions to hold, such as interacting with the detection method or adjusting the GAN directly. In this paper, we introduce a novel class of simple counterattacks that overcomes these limitations. In particular, we show that an adversary can remove indicative artifacts, the GAN fingerprint, directly from the frequency spectrum of a generated image. We explore different realizations of this removal, ranging from filtering high frequencies to more nuanced frequency-peak cleansing. We evaluate the performance of our attack with different detection methods, GAN architectures, and datasets. Our results show that an adversary can often remove GAN fingerprints and thus evade the detection of generated images.