人脸伪造与检测中的对抗攻防综述

doi:10.11959/j.issn.2096-109x.2023049

Abstract

Abstract:

Face forgery and detection has become a research hotspot.Face forgery methods can produce fake face images and videos.Some malicious videos, often targeting celebrities, are widely circulated on social networks, damaging the reputation of victims and causing significant social harm.As a result, it is crucial to develop effective detection methods to identify fake videos.In recent years, deep learning technology has made the task of face forgery and detection more accessible.Deep learning-based face forgery methods can generate highly realistic faces, while deep learning-based fake face detection methods demonstrate higher accuracy compared to traditional approaches.However, it has been shown that deep learning models are vulnerable to adversarial examples, which can lead to a degradation in performance.Consequently, games involving adversarial examples have emerged in the field of face forgery and detection, adding complexity to the original task.Both fakers and detectors now need to consider the adversarial security aspect of their methods.The combination of deep learning methods and adversarial examples is thus the future trend in this research field, particularly with a focus on adversarial attack and defense in face forgery and detection.The concept of face forgery and detection and the current mainstream methods were introduced.Classic adversarial attack and defense methods were reviewed.The application of adversarial attack and defense methods in face forgery and detection was described, and the current research trends were analyzed.Moreover, the challenges of adversarial attack and defense for face forgery and detection were summarized, and future development directions were discussed.

Key words: deepfake, fake face detection, adversarial example, social media forensics

CLC Number:

TP393

Shiyu HUANG, Feng YE, Tianqiang HUANG, Wei LI, Liqing HUANG, Haifeng LUO. Survey on adversarial attacks and defense of face forgery and detection[J]. Chinese Journal of Network and Information Security, 2023, 9(4): 1-15.

Figures/Tables 12

References 107

[1]	KINGMA D P , WELLING M . Auto-encoding variational bayes[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2014.
[2]	GOODFELLOW I , POUGET-ABADIE J , MIRZA M ,et al. Generative adversarial networks[J]. Communications of the ACM, 2020,63(11): 139-144.
[3]	THIES J , ZOLLHOFER M , STAMMINGER M ,et al. Face2face:Real-time face capture and reenactment of rgb videos[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2016: 2387-2395.
[4]	THIES J , ZOLLH?FER M , NIE?NER M . Deferred neural rendering:image synthesis using neural textures[J]. ACM Transactions on Graphics (TOG), 2019,38(4): 1-12.
[5]	FaceSwap[EB].
[6]	DeepFakes[EB].
[7]	LI L , BAO J , YANG H ,et al. Faceshifter:towards high fidelity and occlusion aware face swapping[J]. arXiv Preprint arXiv:1912.13457, 2019.
[8]	MIRZA M , OSINDERO S . Conditional generative adversarial nets[C]// Proceedings of the Conference on Neural Information Processing Systems (NIPS). 2014.
[9]	CHOI Y , CHOI M , KIM M ,et al. Stargan:unified generative adversarial networks for multi-domain image-to-image translation[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2018: 8789-8797.
[10]	HE Z , ZUO W , KAN M ,et al. Attgan:Facial attribute editing by only changing what you want[J]. IEEE transactions on image processing, 2019,28(11): 5464-5478.
[11]	LIU M , DING Y , XIA M ,et al. Stgan:a unified selective transfer network for arbitrary image attribute editing[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2019: 3673-3682.
[12]	KARRAS T , LAINE S , AILA T . A style-based generator architecture for generative adversarial networks[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2019: 4401-4410.
[13]	KARRAS T , LAINE S , AITTALA M ,et al. Analyzing and improving the image quality of stylegan[C]// Proceedings of the IEEE/CVF conference on Computer Vision and Pattern Recognition (CVPR). 2020: 8110-8119.
[14]	KARRAS T , AITTALA M , LAINE S ,et al. Alias-free generative adversarial networks[C]// Advances in Neural Information Processing Systems. 2021: 852-863.
[15]	SIMONYAN K , ZISSERMAN A . Very deep convolutional networks for large-scale image recognition[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2015.
[16]	HE K , ZHANG X , REN S ,et al. Deep residual learning for image recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern recognition (CVPR). 2016: 770-778.
[17]	CHOLLET F . Xception:deep learning with depthwise separable convolutions[C]// Proceedings of the IEEE Conference on Computer vision and Pattern recognition (CVPR). 2017: 1251-1258.
[18]	HOWARD A G , ZHU M , CHEN B ,et al. Mobilenets:efficient convolutional neural networks for mobile vision applications[J]. arXiv Preprint arXiv:1704.04861, 2017.
[19]	TAN M , LE Q . Efficientnet:rethinking model scaling for convolutional neural networks[C]// International Conference on Machine Learning (ICML). 2019: 6105-6114.
[20]	DOSOVITSKIY A , BEYER L , KOLESNIKOV A ,et al. An image is worth 16x16 words:transformers for image recognition at scale[J]. arXiv Preprint arXiv:2010.11929, 2020.
[21]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2014.
[22]	林点, 潘理, 易平 . 面向图像识别的卷积神经网络鲁棒性研究进展[J]. 网络与信息安全学报, 2022,8(3): 111-122.
	LIN D , PAN L , YI P . Research on the robustness of convolutional neural networks in image recognition[J]. Chinese Journal of Network and Information Security, 2022,8(3): 111-122.
[23]	ZHANG J , LI C . Adversarial examples:opportunities and challenges[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,31(7): 2578-2593.
[24]	乔通, 姚宏伟, 潘彬民 ,等. 基于深度学习的数字图像取证技术研究进展[J]. 网络与信息安全学报, 2021,7(5): 13-28.
	QIAO T , YAO H W , PAN B M ,et al. Research progress of digital image forensic techniques based on deep learning[J]. Chinese Journal of Network and Information Security, 2021,7(5): 13-28.
[25]	董琳, 黄丽清, 叶锋 ,等. 人脸伪造检测泛化性方法综述[J]. 计算机科学, 2022,49(2): 12-30.
	DONG L , HUANG L Q , YE F ,et al. Survey on generalization methods of face forgery detection[J]. Computer Science, 2022,49(2): 12-30.
[26]	NGUYEN T T , NGUYEN Q V H , NGUYEN D T ,et al. Deep learning for deepfakes creation and detection:a survey[J]. Computer Vision and Image Understanding, 2022,223:103525.
[27]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2015.
[28]	KURAKIN A , GOODFELLOW I J , BENGIO S . Adversarial examples in the physical world[M]// Artificial Intelligence Safety and Security. 2018: 99-112.
[29]	PAPERNOT N , MCDANIEL P , GOODFELLOW I ,et al. Practical black-box attacks against machine learning[C]// Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 2017: 506-519.
[30]	MOOSAVI-DEZFOOLI S M , FAWZI A , FROSSARD P . Deepfool:a simple and accurate method to fool deep neural networks[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016: 2574-2582.
[31]	PAPERNOT N , MCDANIEL P , JHA S ,et al. The limitations of deep learning in adversarial settings[C]// 2016 IEEE European Symposium on Security and Privacy (EuroS＆P). 2016: 372-387.
[32]	MARDY A , MAKELOV A , SCHMIDT L ,et al. Towards deep learning models resistant to adversarial attacks[C]// Proceedings of the International Conference on Learning Representations(ICLR). 2018.
[33]	MOOSAVI-DEZFOOLI S M , FAWZI A , FAWZI O ,et al. Universal adversarial perturbations[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition(CVPR). 2017: 1765-1773.
[34]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// 2017 IEEE Symposium on Security and Privacy (S＆P). 2017: 39-57.
[35]	LIU Y , CHEN X , LIU C ,et al. Delving into transferable adversarial examples and black-box attacks[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2017: 1-24.
[36]	DONG Y , LIAO F , PANG T ,et al. Boosting adversarial attacks with momentum[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern recognition (CVPR). 2018: 9185-9193.
[37]	SHI Y , WANG S , HAN Y . Curls ＆ whey:boosting black-box adversarial attacks[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition(CVPR). 2019: 6519-6527.
[38]	XIE C , ZHANG Z , ZHOU Y ,et al. Improving transferability of adversarial examples with input diversity[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2019: 2730-2739.
[39]	DONG Y , PANG T , SU H ,et al. Evading defenses to transferable adversarial examples by translation-invariant attacks[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2019: 4312-4321.
[40]	WANG W , YIN B , YAO T ,et al. Delving into data:effectively substitute training for black-box attack[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2021: 4761-4770.
[41]	FAN M , GUO W , YU S ,et al. Enhance transferability of adversarial examples with model architecture[J]. arXiv Preprint arXiv:2202.13625, 2022.
[42]	NESTEROV Y , SPOKOINY V . Random gradient-free minimization of convex functions[J]. Foundations of Computational Mathematics, 2017,17(2): 527-566.
[43]	ILYAS A , ENGSTROM L , ATHALYE A ,et al. Black-box adversarial attacks with limited queries and information[C]// International Conference on Machine Learning (ICML). 2018: 2137-2146.
[44]	ILYAS A , ENGSTROM L , MADRY A . Prior convictions:Black-box adversarial attacks with bandits and priors[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2019.
[45]	GUO C , GARDNER J , YOU Y ,et al. Simple black-box adversarial attacks[C]// International Conference on Machine Learning (ICML). 2019: 2484-2493.
[46]	LI H , XU X , ZHANG X ,et al. Qeba:Query-efficient boundary-based black box attack[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2020: 1221-1230.
[47]	MAHO T , FURON T , LE MERRER E . Surfree:a fast surrogate-free black-box attack[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2021: 10430-10439.
[48]	ABBASI M , GAGNé C . Robustness to adversarial examples through an ensemble of specialists[C]// Proceedings of the International Conference on Learning Representations Workshops (ICLR). 2017.
[49]	HE W , WEI J , CHEN X ,et al. Adversarial example defense:ensembles of weak defenses are not strong[C]// 11th USENIX Workshop on Offensive Technologies (WOOT 17). 2017.
[50]	PAPERNOT N , MCDANIEL P , WU X ,et al. Distillation as a defense to adversarial perturbations against deep neural networks[C]// 2016 IEEE Symposium on Security and Privacy (S＆P). 2016: 582-597.
[51]	YE N , LI Q , ZHOU X Y ,et al. Amata:an annealing mechanism for adversarial training acceleration[C]// Proceedings of the AAAI Conference on Artificial Intelligence(AAAI). 2021,35(12): 10691-10699.
[52]	SHAFAHI A , NAJIBI M , GHIASI M A ,et al. Adversarial training for free![J]. Advances in Neural Information Processing Systems, 2019,32.
[53]	YAN Z , GUO Y , ZHANG C . Deep defense:training DNNS with improved adversarial robustness[J]. Advances in Neural Information Processing Systems, 2018,31.
[54]	SONG C , HE K , WANG L ,et al. Improving the generalization of adversarial training with domain adaptation[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2019: 1-14.
[55]	DZIUGAITE G K , GHAHRAMANI Z , ROY D M . A study of the effect of jpg compression on adversarial images[J]. arXiv Preprint arXiv:1608.00853, 2016.
[56]	MUSTAFA A , KHAN S H , HAYAT M ,et al. Image super-resolution as a defense against adversarial attacks[J]. IEEE Transactions on Image Processing, 2019,29: 1711-1724.
[57]	MENG D , CHEN H . Magnet:a two-pronged defense against adversarial examples[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 135-147.
[58]	YANG Y , ZHANG G , KATABI D ,et al. Me-net:towards effective adversarial robustness with matrix estimation[C]// International Conference on Machine Learning (ICML). 2019: 1-22.
[59]	ULYANOV D , VEDALDI A , LEMPITSKY V . Deep image prior[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern recognition (CVPR). 2018: 9446-9454.
[60]	JIA X , WEI X , CAO X ,et al. Comdefend:an efficient image compression model to defend adversarial examples[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2019: 6084-6092.
[61]	YANG C , DING L , CHEN Y ,et al. Defending against gan-based deepfake attacks via transformation-aware adversarial faces[C]// 2021 International Joint Conference on Neural Networks (IJCNN). 2021: 1-8.
[62]	WU Y , ABDALMAGEED W , NATARAJAN P . Mantra-net:manipulation tracing network for detection and localization of image forgeries with anomalous features[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2019: 9543-9552.
[63]	HUANG Q , ZHANG J , ZHOU W ,et al. Initiative defense against facial manipulation[C]// Proceedings of the AAAI Conference on Artificial intelligence (AAAI). 2021,35(2): 1619-1627.
[64]	WANG R , HUANG Z , CHEN Z ,et al. Anti-forgery:towards a stealthy and robust deepfake disruption attack via adversarial perceptual-aware perturbations[J]. arXiv Preprint arXiv:2206.00477, 2022.
[65]	CHEN Z , XIE L , PANG S ,et al. Magdr:mask-guided detection and reconstruction for defending deepfakes[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2021: 9014-9023.
[66]	TRIPATHY S , KANNALA J , RAHTU E . Icface:interpretable and controllable face reenactment using GANs[C]// Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision (WACV). 2020: 3385-3394.
[67]	ANEJA S , MARKHASIN L , NIE?NER M . TAFIM:targeted adversarial attacks against facial image manipulations[C]// European Conference on Computer Vision (ECCV). 2022: 58-75.
[68]	CHEN R , CHEN X , NI B ,et al. Simswap:an efficient framework for high fidelity face swapping[C]// Proceedings of the 28th ACM International Conference on Multimedia. 2020: 2003-2011.
[69]	DONG J , XIE X . Visually maintained image disturbance against deepfake face swapping[C]// 2021 IEEE International Conference on Multimedia and Expo (ICME). 2021: 1-6.
[70]	DONG J , WANG Y , LAI J ,et al. Restricted black-box adversarial attack against deepfake face swapping[J]. arXiv Preprint arXiv:2204.12347, 2022.
[71]	RUIZ N , BARGAL S A , SCLAROFF S . Disrupting deepfakes:Adversarial attacks against conditional image translation networks and facial manipulation systems[C]// European Conference on Computer Vision (ECCV). 2020: 236-251.
[72]	YEH C Y , CHEN H W , TSAI S L ,et al. Disrupting image-translation-based deepfake algorithms with adversarial attacks[C]// Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision Workshops (WACV). 2020: 53-62.
[73]	ISOLA P , ZHU J Y , ZHOU T ,et al. Image-to-image translation with conditional adversarial networks[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2017: 1125-1134.
[74]	ZHU J Y , PARK T , ISOLA P ,et al. Unpaired image-to-image translation using cycle-consistent adversarial networks[C]// Proceedings of the IEEE International Conference on Computer Vision (CVPR). 2017: 2223-2232.
[75]	裘昊轩, 杜彦辉, 芦天亮 . 针对深度伪造的对抗攻击算法动态APGD设计[J]. 计算机工程与应用, 2022,58(24): 97-106.
	QIU H X , DU Y H , LU T L . Design of DAPGD of adversarial attack algorithm against deepfake[J]. Computer Engineering and Applications, 2022,58(24): 97-106.
[76]	CROCE F , HEIN M . Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks[C]// International Conference on Machine Learning. 2020: 2206-2216.
[77]	RUIZ N , BARGAL S A , SCLAROFF S . Protecting against image translation deepfakes by leaking universal perturbations from black-box neural networks[J]. arXiv Preprint arXiv:2006.06493, 2020.
[78]	PEARSON K . LIII.On lines and planes of closest fit to systems of points in space[J]. The London,Edinburgh,and Dublin Philosophical Magazine and Journal of Science, 1901,2(11): 559-572.
[79]	YEH C Y , CHEN H W , SHUAI H H ,et al. Attack as the best defense:nullifying image-to-image translation GANs via limit-aware adversarial attack[C]// Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). 2021: 16188-16197.
[80]	LYU L . Smart watermark to defend against deepfake image manipulation[C]// 2021 IEEE 6th International Conference on Computer and Communication Systems (ICCCS). 2021: 380-384.
[81]	HUANG H , WANG Y , CHEN Z ,et al. Cmua-watermark:a cross-model universal adversarial watermark for combating deepfakes[C]// Proceedings of the AAAI Conference on Artificial Intelligence (AAAI). 2022,36(1): 989-997.
[82]	QIU H , DU Y , LU T . The framework of cross-domain and model adversarial attack against deepfake[J]. Future Internet, 2022,14(2): 46.
[83]	DéSIDéRI J A . Multiple-gradient descent algorithm (MGDA) for multiobjective optimization[J]. Comptes Rendus Mathematique, 2012,350(5-6): 313-318.
[84]	KIM J , KIM M , KANG H ,et al. U-gat-it:unsupervised generative attentional networks with adaptive layer-instance normalization for image-to-image translation[C]// Proceedings of the International Conference on Learning Representations (ICLR). 2020.
[85]	HUSSAIN S , NEEKHARA P , JERE M ,et al. Adversarial deepfakes:evaluating vulnerability of deepfake detectors to adversarial examples[C]// Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision (WACV). 2021: 3348-3357.
[86]	AFCHAR D , NOZICK V , YAMAGISHI J ,et al. Mesonet:a compact facial video forgery detection network[C]// 2018 IEEE International Workshop on Information Forensics and Security (WIFS). IEEE, 2018: 1-7.
[87]	CARLINI N , FARID H . Evading deepfake-image detectors with white-and black-box attacks[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPR). 2020: 658-659.
[88]	GANDHI A , JAIN S . Adversarial perturbations fool deepfake detectors[C]// 2020 International Joint Conference on Neural Networks (IJCNN). 2020: 1-8.
[89]	NEEKHARA P , DOLHANSKY B , BITTON J ,et al. Adversarial threats to deepfake detection:a practical perspective[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern recognition (CVPR). 2021: 923-932.
[90]	LIAO Q , LI Y , WANG X ,et al. Imperceptible adversarial examples for fake image detection[C]// Proceedings of the IEEE International Conference on Image Processing (ICIP). 2021.
[91]	LI D , WANG W , FAN H ,et al. Exploring adversarial fake images on face manifold[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition(CVPR). 2021: 5789-5798.
[92]	JIA S , MA C , YAO T ,et al. Exploring frequency adversarial attacks for face forgery detection[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition(CVPR). 2022: 4103-4112.
[93]	FAN L , LI W , CUI X . Deepfake-image anti-forensics with adversarial examples attacks[J]. Future Internet, 2021,13(11): 288.
[94]	WANG Y , DING X , YANG Y ,et al. Perception matters:exploring imperceptible and transferable anti-forensics for GAN-generated fake face imagery detection[J]. Pattern Recognition Letters, 2021,146: 15-22.
[95]	ZHAO X , STAMM M C . Making GAN-generated images difficult to spot:a new attack against synthetic image detectors[J]. arXiv preprint arXiv:2104.12069, 2021.
[96]	LIU C , CHEN H , ZHU T ,et al. Making deepfakes more spurious:evading deep face forgery detection via trace removal attack[J]. IEEE Transactions on Dependable and Secure Computing, 2023.
[97]	KHAN S A , ARTUSI A , DAI H . Adversarially robust deepfake media detection using fused convolutional neural network predictions[J]. arXiv Preprint arXiv:2102.05950, 2021.
[98]	SZEGEDY C , VANHOUCKE V , IOFFE S ,et al. Rethinking the inception architecture for computer vision[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016: 2818-2826.
[99]	DUTTA H , PANDEY A , BILGAIYAN S . EnsembleDet:ensembling against adversarial attack on deepfake detection[J]. Journal of Electronic Imaging, 2021,30(6): 063030.
[100]	HOODA A , MANGAOKAR N , FENG R ,et al. Towards adversarially robust deepfake detection:an ensemble approach[J]. arXiv preprint arXiv:2202.05687, 2022.
[101]	LUO Y , YE F , WENG B ,et al. A novel defensive strategy for facial manipulation detection combining bilateral filtering and joint adversarial training[J]. Security and Communication Networks,2021, 2021.
[102]	WANG Z , GUO Y , ZUO W . Deepfake forensics via an adversarial game[J]. IEEE Transactions on Image Processing, 2022.
[103]	CHEN L , ZHANG Y , SONG Y ,et al. Self-supervised learning of adversarial example:towards good generalizations for deepfake detection[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 2022: 18710-18719.
[104]	JEONG Y , KIM D , RO Y ,et al. FrePGAN:robust deepfake detection using frequency-level perturbations[J]. arXiv Preprint arXiv:2202.03347, 2022.
[105]	HO J , JAIN A , ABBEEL P . Denoising diffusion probabilistic models[C]// Advances in Neural Information Processing Systems. 2020: 6840-6851.
[106]	ROMBACH R , BLATTMANN A , Lorenz D ,et al. High-resolution image synthesis with latent diffusion models[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022: 10684-10695.
[107]	SUN P , LI Y , QI H ,et al. Landmark breaker:obstructing deepfake by disturbing landmark extraction[C]// 2020 IEEE International Workshop on Information Forensics and Security (WIFS). 2020: 1-6.

Metrics

Recommended 0

No Suggested Reading articles found!

对抗特性	实现方法	代表工作	优点	缺点
黑盒迁移性	查询法	文献[85]	无须训练替代模型	受查询次数限制
	替代模型法	文献[87-92]	不受查询次数限制	要训练结构相似的替代模型
	目标函数优化噪声	文献[85,87-88,93]	无须额外处理成本	效果有限，噪声依然分布于全图
对抗隐蔽性	核心区域加噪	文献[89-90]	减少加噪区域	注意力区域偏差，导致攻击效果不佳
	图像其他域中加噪	文献[92,94]	噪声较难察觉	黑盒攻击能力一般
	对抗性GAN	文献[91,95-96]	无须添加噪声	训练GAN需要计算成本
对抗鲁棒性	目标函数优化噪声	文献[85,89]	无须额外处理成本	无法考虑所有可能的图像处理
	对抗性GAN	文献[91,95-96]	不受图像处理防御影响	训练GAN需要计算成本
数据迁移性	目标函数优化噪声	文献[89]	提升对抗噪声生成效率	会降低特定图像攻击能力

防御方式	具体技术	代表工作	优点	缺点
梯度正则	Lipschitz 正则化^[85]	文献[88]	没有额外的处理开销	防御效果有限，仅有轻微的性能提升
模型集成	模型输出分数集成	文献[97,99]	集成各模型的优势进行投	需要训练多个用于集成的子模型，且无法
	正交梯度的模型集成	文献[100]	票，简单有效	防御可迁移的对抗方法
图像处理	深度图像先验^[59]	文献[88]	与具体模型结构无关，能兼	无法防御对抗性 GAN 的指纹去除攻击，
	双边滤波	文献[101]	容各种检测模型	且会导致图像质量降低而影响取证精度
	联合对抗训练	文献[101]	通用性强，能够防御多种形	需要额外生成对抗样本以供模型学习，计
对抗训练	噪声对抗训练	文献[103]	式的对抗攻击	算开销较大，且要控制训练数据比例
	频率域伪影对抗训练	文献[104]

Survey on adversarial attacks and defense of face forgery and detection

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 107

Related Articles 13

Metrics

Recommended 0

[1]	Chuntao ZHU, Chengxi YIN, Bolin ZHANG, Qilin YIN, Wei LU. Forgery face detection method based on multi-domain temporal features mining [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 123-134.
[2]	Jingwen LI, Yawen LI. Application and risk response of deep synthesis technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 184-190.
[3]	Wenxuan WU, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Deepfake detection method based on patch-wise lighting inconsistency [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 167-177.
[4]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.
[5]	Dian LIN, Li PAN, Ping YI. Research on the robustness of convolutional neural networks in image recognition [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 111-122.
[6]	Baolin QIU, Ping YI. Adversarial examples defense method based on multi-dimensional feature maps knowledge distillation [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 88-99.
[7]	Pengcheng WANG, Haibin ZHENG, Jianfei ZOU, Ling PANG, Hu LI, Jinyin CHEN. Robustness evaluation of commercial liveness detection platform [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 180-189.
[8]	Zhongyuan QIN, Zhaoxiang HE, Tao LI, Liquan CHEN. Adversarial example defense algorithm for MNIST based on image reconstruction [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 86-94.
[9]	Xiaojuan GONG, Tianqiang HUANG, Bin WENG, Feng YE, Chao XU, Lijun YOU. Deepfake swapped face detection based on double attention [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 151-160.
[10]	Bin WANG, Liang CHEN, Yaguan QIAN, Yankai GUO, Qiqi SHAO, Jiamin WANG. Moving target defense against adversarial attacks [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 113-120.
[11]	Ximeng LIU,Lehui XIE,Yaopeng WANG,Xuru LI. Adversarial attacks and defenses in deep learning [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 36-53.
[12]	Guanghan DUAN,Chunguang MA,Lei SONG,Peng WU. Research on structure and defense of adversarial example in deep learning [J]. Chinese Journal of Network and Information Security, 2020, 6(2): 1-11.
[13]	Fei YAN,Minglun ZHANG,Liqiang ZHANG. Adversarial examples detection method based on boundary values invariants [J]. Chinese Journal of Network and Information Security, 2020, 6(1): 38-45.