| Graduate student: | Chen, Guan-Lin (陳冠麟) |
|---|---|
| Thesis title: | Robust DeepFake Detection: Using Decoy Mechanism for Resisting Adversarial and Face Manipulation Attacks |
| Advisor: | Hsu, Chih-Chung (許志仲) |
| Degree: | Master |
| Department: | College of Management - Institute of Data Science |
| Year of publication: | 2022 |
| Graduation academic year: | 110 |
| Language: | English |
| Number of pages: | 41 |
| Keywords (Chinese): | DeepFake face detection, adversarial attack and defense, decoy mechanism |
| Keywords (English): | DeepFake Detection, Adversarial Attack and Defense, Decoy Mechanism |
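With the rapid development of generative adversarial networks (GANs), generating highly realistic images has become relatively easy, and the information-security implications of artificial intelligence are drawing increasing attention. In recent years, DeepFake images and videos and adversarial attack techniques have advanced rapidly, and their abuse by malicious actors has become a threat. DeepFake technology aims to synthesize high-quality images that mislead the human visual system, while adversarial attacks attempt to mislead deep neural networks into making wrong predictions; successfully defending against attacks that combine the two is very challenging. As is well known, no method currently resolves this problem effectively. This study designs a novel decoy mechanism based on statistical hypothesis testing to defend against adversarial and face manipulation attacks. It is built on a deceptive model consisting of two sub-networks, trained with a maximum likelihood loss to generate two-dimensional random variables with a specific distribution. The network architecture is generally assumed to be transparent to attackers, whereas information about the training strategy, including the loss function and optimizer, is not available to them. This study therefore applies hypothesis testing at the test stage, making it difficult for attackers to generate effective adversarial images with common adversarial perturbation losses. Comprehensive experiments show that the proposed decoy mechanism successfully defends against common adversarial attacks and causes those attacks to indirectly increase the statistical power of the hypothesis test, achieving 100% DeepFake detection accuracy against both white-box and black-box attacks. In addition, the hypothesis test can detect the footprint of an adversarial attack, and its effect generalizes to image compression distortion and to DeepFake techniques not seen during training.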
Highly realistic imaging and video synthesis have become possible and relatively simple tasks with the rapid growth of generative adversarial networks (GANs). GAN-related applications, such as DeepFake image and video manipulation and adversarial attacks, have been used to disrupt and confound the truth in images and videos over social media. DeepFake technology aims to synthesize high visual quality image content that can mislead the human vision system, while adversarial perturbation attempts to mislead deep neural networks into a wrong prediction. Defense strategy becomes difficult when adversarial perturbation and DeepFake are combined. It is well known that there is no promising approach to resolve the combined issue. In this study, a novel deceptive mechanism based on statistical hypothesis testing against DeepFake manipulation and adversarial attacks was examined. Firstly, a deceptive model based on two isolated sub-networks was designed to generate two-dimensional random variables with a specific distribution for detecting DeepFake images and videos. This research proposes a maximum likelihood loss for training the deceptive model with two isolated sub-networks. Afterward, a novel hypothesis was proposed for a testing scheme to detect DeepFake videos and images with a well-trained deceptive model. The network architecture was generally assumed to be transparent to attackers, but the training strategy, including the loss function and optimization, remained inaccessible. Therefore, it was difficult to generate promising adversarial examples for the common adversarial perturbation loss (i.e., cross-entropy), leading to an ineffective attack. The proposed decoy mechanism successfully defended against the common adversarial attacks and indirectly improved the power of the hypothesis test to achieve 100% detection accuracy for both white-box and black-box attacks.
Additionally, hypothesis testing can also identify the antagonistic behavior of the adversarial attack. The comprehensive experiments demonstrated that the decoy effect can be generalized to compressed and unseen manipulation methods for both DeepFake and attack detection.