Cite this article
  • Zou Shuqiao, Chen Peng, Dai Jiao, Wang Xi, Han Jizhong. An Algorithm for Enhancing the Robustness of DeepFake Detection[J]. Journal of Cyber Security, Accepted

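An Algorithm for Enhancing the Adversarial Robustness of Deepfake Detection
Zou Shuqiao, Chen Peng, Dai Jiao, Wang Xi, Han Jizhong
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
In recent years, deep-learning-based face generation and manipulation techniques have become able to synthesize realistic forged face videos, also known as deepfakes. Such videos are highly realistic and cheap to produce, and may pose a serious potential threat to society. Many researchers have therefore developed deep-learning-based forged-face detection algorithms. Although these methods achieve satisfactory accuracy, few researchers have looked at the security of the detectors themselves, for example their robustness under adversarial attack. Studies have shown that deepfake detectors are highly susceptible to adversarial attacks, which prevent them from correctly identifying forged faces. This paper therefore proposes an algorithm for improving the adversarial robustness of deepfake detection: non-trainable class centers are set in advance, explicitly increasing inter-class dispersion. A center loss based on these fixed centers then minimizes the relative distance between each sample and its class center, further improving intra-class compactness during learning and thereby improving the model's adversarial robustness. Because the proposed method does not use adversarial examples for data augmentation and is trained only on the original data, it retains very high accuracy on clean samples. The fixed-center center loss maximizes the distance, in latent space, from samples of different classes to the decision boundary, effectively strengthening the robustness of the detection model. Experimental results on the FaceForensics++ dataset show that, compared with previous methods, the proposed method does not reduce accuracy on clean samples and also improves the model's adversarial robustness against attack methods such as FGSM, PGD, APGD, C&W and MI-FGSM.
Keywords:  deepfake  forged face  face detection  adversarial attack  adversarial defense
DOI:10.19363/J.cnki.cn10-1380/tn.2024.02.05
Received: 2021-11-22  Revised: 2022-02-17
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program); National Key Basic Research Program of China (973 Program)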
An Algorithm for Enhancing the Robustness of DeepFake Detection
Zou Shuqiao, Chen Peng, Dai Jiao, Wang Xi, Han Jizhong
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
In recent years, face generation and manipulation technology based on deep learning has enabled the creation of sophisticated forged facial videos, also known as Deepfakes. This kind of forged facial video has a high degree of fidelity and a low production cost, which may pose a huge potential threat to society. Therefore, researchers have developed many deep-learning-based algorithms for detecting fake faces. Although these methods have achieved satisfactory accuracy, few researchers pay attention to the security of these detection methods, such as their performance under adversarial attack. Studies have shown that Deepfake detectors are extremely susceptible to interference from adversarial samples, which leaves them unable to correctly identify forged faces. This paper therefore proposes an algorithm to improve the adversarial robustness of Deepfake detection: it pre-sets non-trainable class centers, which explicitly increases the inter-class dispersion. A center loss over these fixed centers is then used to minimize the relative distance between each sample and the center of its class, so that the compactness within each class is further improved during learning. Since the proposed method does not use adversarial samples for data augmentation, but only uses raw data for training, it has very high accuracy on clean samples. The fixed-center center loss maximizes the distance from samples of different classes to the decision boundary in the latent space, which effectively enhances the robustness of the detection model. The experimental results on the FaceForensics++ dataset show that the proposed method not only does not reduce the accuracy on clean samples, but also improves the model's robustness to FGSM, PGD, APGD, C&W, MI-FGSM and other attack algorithms.
Key words:  Deepfakes  forged face  face detection  adversarial attack  adversarial defense
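
The fixed-center center loss described in the abstract, as an added sketch that is not the authors' code: the class centers are constants, only the encoder is trained, and the result is measured as intra-class compactness and latent distance to the decision boundary. The linear encoder, 2-D latent space, center positions, exact loss form, label meaning and toy data are all assumptions.

```python
import math
import random

# Assumed setup: 2-D latent space, one fixed (non-trainable) center per class.
CENTERS = {0: (-4.0, 0.0), 1: (4.0, 0.0)}  # 0 = real, 1 = fake (labels assumed)

def make_data(n=40, seed=0):
    """Constructed toy inputs: two 3-D Gaussian blobs, not FaceForensics++ data."""
    rng = random.Random(seed)
    means = {0: (-1.0, 0.0, 0.5), 1: (1.0, 0.0, -0.5)}
    return [([rng.gauss(m, 0.15) for m in means[y]], y) for y in (0, 1) for _ in range(n)]

def embed(W, b, x):
    """Linear encoder z = Wx + b, a stand-in for the detector backbone."""
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]

def train(data, steps=200, lr=0.5):
    """Minimise 1/2 * mean ||z - c_y||^2; W and b are updated, CENTERS never are."""
    W, b = [[0.0] * 3 for _ in range(2)], [0.0, 0.0]
    for _ in range(steps):
        gW, gb = [[0.0] * 3 for _ in range(2)], [0.0, 0.0]
        for x, y in data:
            z = embed(W, b, x)
            for k in range(2):
                err = (z[k] - CENTERS[y][k]) / len(data)  # dL/dz_k for this sample
                gb[k] += err
                for j in range(3):
                    gW[k][j] += err * x[j]
        W = [[w - lr * g for w, g in zip(rw, rg)] for rw, rg in zip(W, gW)]
        b = [bi - lr * g for bi, g in zip(b, gb)]
    return W, b

def predict(z):
    """Classify by the nearest fixed center."""
    return min(CENTERS, key=lambda c: math.dist(z, CENTERS[c]))

def margin(z, y):
    """Signed latent distance from z to the boundary (bisector of the two centers)."""
    own, other = CENTERS[y], CENTERS[1 - y]
    return (math.dist(z, other) ** 2 - math.dist(z, own) ** 2) / (2 * math.dist(own, other))

def evaluate(W, b, data):
    """Return (accuracy, mean distance to own center, smallest margin)."""
    zs = [(embed(W, b, x), y) for x, y in data]
    acc = sum(predict(z) == y for z, y in zs) / len(zs)
    compact = sum(math.dist(z, CENTERS[y]) for z, y in zs) / len(zs)
    return acc, compact, min(margin(z, y) for z, y in zs)
```

The smallest margin is the latent-space perturbation norm below which no sample in the set changes its nearest-center label, which is the quantity the abstract says the fixed centers enlarge.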