A destructive active defense algorithm for deepfake face images

Research on deepfake based on face images

Currently, research on deepfake based on face images is in a stage of rapid development. In terms of algorithms, researchers are working hard to improve the authenticity and indistinguishability of generated face images, including improving the structure of generative adversarial networks, introducing attention mechanisms, and using multi-scale and multi-view training data. In terms of detection, researchers are also exploring more effective image recognition methods, including using deep learning models to extract image features, and methods that combine artificial intelligence and machine learning. The mainstream deepfake method based on face images is to tamper with the facial features of the face. By exchanging faces in the target face image and the original face image, the purpose of modifying the character’s identity has been developed from traditional 3D reconstruction technology to deepfake technology based on generative adversarial networks (Li et al., 2023b). By digitally modifying all or part of the features in the target face image to achieve the purpose of faking specific expressions, traditional graphics technology has developed into technology based on deep learning (Ali et al., 2024).

Kuang et al. (2021) proposed a novel face replacement method, using a generative adversarial network to seamlessly replace the face in the original image with a synthetic face. The synthetic face looks as natural as an ordinary face, but is different from the original face. The appearance is completely different. Wang et al. (2023) extended face replacement technology to style transfer. This study proposed a multi-image style transfer loss function to improve the realism of generated face images. Huang et al. (2023) proposed a novel implicit identity-driven framework for face swap detection. This strategy designs an explicit identity contrast loss and an implicit identity exploration loss, which supervises the convolutional neural network (CNN) to embed the face image into the implicit identity space, improving the face replacement effect. Han et al. (2023) proposed a method based on multi-classification tasks to distinguish multiple types of homologous deepfake face images. This method relies on the new network framework of FCD-Net, facial prominence saliency algorithm and contour detail feature extraction algorithm. Waseem et al. (2023) explored existing methods for deepfake images and videos for face and expression replacement, outlining publicly available datasets for benchmarking. With the development of deepfake technology, deepfake face images have become more sophisticated and difficult to identify, which has also created conditions for the abuse of deepfake and the leakage of personal privacy. Akhtar (2023) reviewed four types of deepfakes, including face manipulation (identity swapping), face re-creation, attribute manipulation, and whole face synthesis. For each category, the generation methods of deepfakes or face manipulations and the detection methods of these manipulations are described in detail.

Research on adversarial attacks and deepfake

Nowadays, research on adversarial attacks against deepfake is constantly developing. Mainstream research focuses on the interpretability, robustness and development of detection algorithms of generative models, and has made progress in image and video processing, network architecture optimization and multi-modal learning. In addition, researchers are committed to designing more accurate adversarial examples to improve the robustness of the model. Neekhara et al. (2021) conducted adversarial attacks on deepfake detectors in a black box environment, studied the degree of transfer of adversarial perturbations between different models, and proposed techniques to improve the transferability of adversarial capabilities. The research also generalizes adversarial perturbations to create more accessible attacks, constituting very feasible attack scenarios that can be easily shared among attackers. Dong et al. (2023) proposed a practical adversarial attack that does not require any query on the deepfake face images model. The method is built on a surrogate model based on face reconstruction, and then transfers adversarial examples from the surrogate model directly to an inaccessible black-box deepfake model. Pinhasov et al. (2024) exploited the power of AI to develop a defensible deepfake detector. This research generates interpretability graphs for a given method, providing visualization of decision-making factors in AI models, employing pre-trained feature extractors to process input images and their corresponding AI images, enhancing understanding of possible adversarial attacks, pinpoint potential vulnerabilities. Qu et al. (2024) proposed a robust adversarial perturbation strategy that provides persistent protection for OSN-compressed face images. This study incorporates the trained ComGAN as a sub-module of the target deepfake model, introducing a novel target-level destruction-aware constraint during training. Khan et al. (2024) proposed adversarial feature similarity learning, which integrated three basic deep feature learning paradigms to maximize the difference between adversarial perturbed examples and unperturbed examples by optimizing the similarity between samples and weight vectors. The similarity ensures a clear separation between the two categories. Seow et al. (2023) believes that existing deepfake detection methods based on deep learning mainly rely on complex convolutional neural networks. However, these methods have high computational costs and are vulnerable to adversarial attacks. This study proposes a shallower and more cost-effective deep neural networks. Uddin et al. (2023) proposed a robust multi-instance learning method by introducing additional GAN-based operations, exposing GAN-based AF to manipulated images, and then using multiple additional generators to generate multiple real-world AFs from real images. instances, and finally trained collaboratively with multiple real adversarial attack instances in an open-set manner.

Research on deepfake based on generative adversarial network

In recent years, deepfake research based on generative adversarial networks is focusing on improving the authenticity of generated images or videos, improving generation efficiency, and developing effective detection and defense mechanisms. Abbas & Taeihagh (2024) explores automated key detection and generation methods, frameworks, algorithms, and tools for identifying deepfakes (audio, image, and video), and how these methods can be used in different situations to combat the spread of deepfakes and the generation of false information. Popular research results include improved GAN architectures, such as conditional generative adversarial networks (Wang et al., 2024) that introduce conditional variables, recurrent generative adversarial networks (Li & Wang, 2021) that allow conversion between different domains, and StyleGAN that can finely control styles and attributes (Sauer, Schwarz & Geiger, 2022). These advances not only improve the visual fidelity of generated content, but also increase the model’s ability to control specific styles or attributes. Guarnera, Giudice & Battiato (2024) proposed a hierarchical multi-level approach. The first layer classifies real images versus AI-generated images. The second layer distinguishes the images generated by GAN and DM. The third layer implements specific GAN and DM architectures for generating synthetic data. Kalpokas & Kalpokiene (2022) used a generative adversarial network to further shrink the network composed of thousands of units, so that these simple functions can be combined to perform complex deepfake functions such as object recognition. Aduwala et al. (2021) explored GAN discriminator-based solutions as a means of detecting deepfake videos, using MesoNet as a baseline to train GAN and extracting the discriminator as a dedicated module for detecting deepfake. Li et al. (2023b) mainly researched the methods used to implement deepfake, discussed the main deepfake manipulation and detection techniques, and used deep convolution-based GAN models to implement and detect deepfake. Yang et al. (2021) used novel transformation-aware adversarial perturbed faces to defend against GAN-based deepfake attacks. The attack exploits differentiable random image transformations during the generation process. This research also proposes an ensemble-based approach to enhance defense against deepfake variants. To summarize, an overview of existing mainstream research is shown in the Table 1.

Strategies for adversarial samples generation and fine-tuning

This algorithm innovatively designs an adversarial samples generation module and an adversarial samples fine-tuning module. In the generation module, a generator Gen is designed, and in the fine-tuning module, two recognizers Ide_x and Ide_y are designed. In addition, n deepfake models mod_i are set, which i ≤ n. If any face image is set as image_i, the feature space of the face image is set as fea_imagei, and the number of all features is set as sum_fea. Next, the generator Gen extracts the high-dimensional feature Gen_imagei of the face image image_i, and superimposes the feature value to the original face image to obtain the adversarial sample iamge_iadv of the face image, which is composed of a set of feature vectors, that is, iamge_iadv = image_i + Gen_imagei. Based on the projected gradient descent algorithm, a basic adversarial perturbation adv_i is generated for the deepfake model mod_i. This adversarial perturbation is added to the original face image to obtain the fine-tuned adversarial sample ${image}_{i_{adv}}^{{}^{\prime }}$ of the face image. The adversarial sample is input into the image output by the deepfake model. Produces obvious distortion, that is, ${image}_{i_{adv}}^{{}^{\prime }}={image}_i+{adv}_i$.

In order to obtain adversarial samples that are transferable and universal across models, this paper innovatively uses the projected gradient descent algorithm to implement adversarial attacks based on gradients. The distortion area and distortion effect caused by the basic adversarial perturbation adv_i on the face image is only the same as the corresponding deepfake models are related, that is to say, this basic adversarial perturbation is robust to multiple deepfake models. In summary, the high-dimensional feature Gen_imagei has learned adversarial attack capabilities similar to the basic adversarial perturbation adv_i, and the adversarial samples have characteristics that are common across models.

This algorithm sets mod_i(x) as the face editing operation of the selected deepfake model, sets the deepfake image generated by the adversarial sample image_iadv of the face image as fake_imagei = mod_i(image_iadv), and sets the deepfake image generated by the adversarial sample ${image}_{i_{adv}}^{{}^{\prime }}$ based on fine-tuning of the face image as $fak{e}_{imag{e}_i}^{{}^{\prime }}=mo{d}_i\left(imag{e}_{i_{adv}}^{{}^{\prime }}\right)$, input y_i^fake = fake_imagei and ${y_i}^{real}=fak{e}_{imag{e}_i}^{{}^{\prime }}$ into the recognizer Ide_y, respectively, and improve the attack capability of the adversarial sample image_iadv through adversarial training. In addition, two types of adversarial samples are input into n different deepfake models, and based on the output results, a distorted deepfake face images set $\left[\left(fak{e}_{imag{e}_1},fak{e}_{imag{e}_1}^{{}^{\prime }}\right),\left(fak{e}_{imag{e}_2},fak{e}_{imag{e}_2}^{{}^{\prime }}\right),\dots ,\left(fak{e}_{imag{e}_n},fak{e}_{imag{e}_n}^{{}^{\prime }}\right)\right]$ is constructed. Joint training through discriminators can improve the transferability of adversarial examples. Based on the above strategy, inputting the original face images into the trained generative model can obtain adversarial samples. Compared with the original images, the adversarial samples are basically indistinguishable to the human eye. However, these samples can completely make several different deepfake models output face images with different degrees of distortion, as shown in Fig. 2.

Algorithm for generating adversarial examples

When generating adversarial examples, traditional adversarial example attack algorithms need to repeatedly access the deepfake model. In order to solve this problem and improve the efficiency of adversarial sample generation, this paper innovatively uses a generative adversarial network to design an adversarial sample generation module and an adversarial sample identification module. The generation module designs the generator, and the identification module designs the recognizer. In this network architecture, the input is the original face image, and the output is the generated adversarial sample.

The generator Gen is used to generate a slight perturbation that can make the adversarial sample image similar to the original face image, and then obtain the mapping function from the original face image to the slight perturbation as shown in Eq. (1) (1)${\displaystyle Gen:imag{e}_i⟶Ge{n}_{imag{e}_i}.}$ Among them, Gen represents the generator, image_i represents any face image input to the generator, and Gem_imagei represents the slight adversarial perturbation output by the generator. The adversarial sample image_iadv can be obtained by superimposing the perturbation onto the original image, as shown in Eq. (2): (2)${\displaystyle imag{e}_{i_{adv}}=imag{e}_i+Ge{n}_{imag{e}_i}.}$ After obtaining the adversarial samples, this algorithm uses the recognizer Ide_x to distinguish them in order to reduce the visual gap between the adversarial samples and the original face images. This algorithm innovatively proposes adversarial training to reduce the visual impact caused by slight perturbations, making the adversarial samples almost visually consistent with the original face images. The generator defined by the algorithm adopts an autoencoding structure. The encoder uses three layers of convolution, and instance normalization is performed after each layer of convolution. The decoder uses three upsampling layers, and instance normalization is performed after each layer of convolution. In addition, four residual blocks are added between the encoder and the decoder. Each residual block consists of two 3*3 convolutional layers. At the same time, instance normalization is performed after each convolutional layer. The first of the residual blocks is the output of the convolutional layer is activated.

The recognizer Ide_x is used to distinguish whether the generated adversarial samples are real or fake compared to the original face images, and iterate during adversarial training so that the generator finally generates a perturbation with minimal visual impact on the original images. The algorithm sets the adversarial loss of the generator Gen and the discriminator Ide_x to be Loss_Idex, as shown in Eq. (3): (3)${\displaystyle Los{s}_{Id{e}_x}=E\left[logId{e}_x\left(imag{e}_i\right)\right]+E\left[log\left(1-Id{e}_x\left(imag{e}_i+Ge{n}_{imag{e}_i}\right)\right)\right]}$ where E represents the mathematical expectation value. At the same time, in order to improve the perception of adversarial samples and minimize the visual impact of slight adversarial perturbations on the original face images, the algorithm innovatively designs a hinge loss function Loss_gemel to constrain the scale of the perturbation, as shown in Eq. (4) (4)${\displaystyle Los{s}_{gemel}=E_{imag{e}_i}max\left(0,{∥Ge{n}_{imag{e}_i}∥}_{\infty }-lim\right).}$ Among them, lim represents the specified infinite norm limit against perturbation. If ${∥Ge{n}_{imag{e}_i}∥}_{\infty }$ exceeds lim, this function will constrain the perturbation.

Algorithm for fine-tuning against adversarial examples

The adversarial samples fine-tuning algorithm consists of the deepfake model mod_i and the recognizer Ide_y, where the network structure of the recognizer Ide_y is consistent with that of the recognizer Ide_x. The input of this algorithm consists of two types of adversarial samples, one is the adversarial samples image_iadv generated by the generator, and the other is the adversarial sample image_iadv′ added with the basic adversarial perturbation. Among them, the addition of basic adversarial perturbation adv_i can significantly distort the face image output by the deepfake model, as shown in Eqs. (5) and (6): (5)${\displaystyle ad{v}_{imag{e}_0}=imag{e}_{ori}+ad{v}_i.}$ Among them, adv_image0 represents the first slight perturbation to the original face image, image_ori represents the original face image, and adv_i represents slight perturbation. (6)${\displaystyle ad{v}_{imag{e}_{i+1}}=sl{i}_{imag{e}_{ori}}\left\{ad{v}_{imag{e}_i}+\partial \left({\nabla }_{imag{e}_{ori}}L\left(mo{d}_i\left(ad{v}_{imag{e}_i}\right),mo{d}_i\left(imag{e}_{ori}\right)\right)\right)\right\}.}$ Among them, adv_imagei+1 represents the next iteration of the i-th slight perturbation adv_imagei of the original face image. The slight perturbation obtained by iterative training of the above algorithm is universal for the deepfake model. That is to say, not only the few face images, but also all the face images in the training data set can be made to have slight perturbations. The fake model outputs distorted face images. This algorithm implements adversarial attacks based on gradients through the projected gradient descent algorithm in advance, and generates slight perturbations for multiple deepfake models. The perturbed adversarial samples can be used as label-assisted optimization of adversarial samples image_iadv.

Adversarial examples fine-tuning uses an adversarial loss function to improve the aggressiveness of adversarial examples. The generation process of slight perturbation is related to the model gradient. That is to say, after different face images are subjected to the same slight perturbation, the deepfake models are input, and the output deepfake images are similar in terms of distortion range and degree of distortion. For this reason, input the fine-tuned adversarial sample image_iadv′ into the image obtained by the deepfake model mod_i, that is, the fake image fake_imagei′ generated based on the fine-tuned adversarial sample image_iadv^‘ of the face image is generated; and input the adversarial sample image_iadv generated by the generator. The image obtained by the deepfake model mod_i is obtained, that is, the deepfake image fake_imagei generated by the adversarial sample image_iadv of the face image is obtained. At this time, the algorithm identifies the authenticity of the image through the recognizer Ide_y, and adds adversarial training to make fake_imagei infinitely close to fake_imagei′, and finally the adversarial resistance of the adversarial sample image_iadv is improved. The adversarial loss Loss_Idey of the recognizer Ide_y is shown in Eq. (7) (7)${\displaystyle Los{s}_{Id{e}_y}=E\left[logId{e}_y\left(mo{d}_i\left({image}_{i_{adv}}^{{}^{\prime }}\right)\right)\right]+E\left[log\left(1-Id{e}_y\left(mo{d}_i\left({image}_{i_{adv}}\right)\right)\right)\right].}$ Adversarial examples fine-tuning integrates multiple deepfake models to improve the transferability of adversarial examples. During the training process, this algorithm uses adversarial samples to attack multiple deepfake models, which not only improves transferability, but also improves the cross-model attack capability of adversarial samples. First, this algorithm generates basic adversarial perturbations adv_i(i ∈ [1, n]) for n deepfake models. Then, the adversarial samples image_iadv and adversarial samples ${image}_{i_{adv}}^{{}^{\prime }}$ are input into multiple different deepfake models respectively, where the adversarial samples image_iadv obtains the deepfake images fake_imagei through the deepfake model, and the adversarial samples ${image}_{i_{adv}}^{{}^{\prime }}$ obtain the deepfake images $fak{e}_{imag{e}_i}^{{}^{\prime }}$ through the deepfake model, and then collect these images as ass, as shown in Eq. (8): (8)${\displaystyle ass=\left[\left(fak{e}_{imag{e}_1}^{{}^{\prime }},fak{e}_{imag{e}_1}\right),\left(fak{e}_{imag{e}_2}^{{}^{\prime }},fak{e}_{imag{e}_2}\right),\dots ,\left(fak{e}_{imag{e}_n}^{{}^{\prime }},fak{e}_{imag{e}_n}\right)\right].}$ This algorithm makes fake_imagei visually closer to $fak{e}_{imag{e}_i}^{{}^{\prime }}$ through adversarial training, and can further improve the loss function, as shown in Eq. (9): (9)${\displaystyle Los{s}_{Id{e}_y}=E\left[\sum _{i=1}^{n}logId{e}_y\left(mo{d}_i\left({image}_{i_{adv}}^{{}^{\prime }}\right)\right)\right]+E\left[\sum _{i=1}^{n}log\left(1-Id{e}_y\left(mo{d}_i\left({image}_{i_{adv}}\right)\right)\right)\right].}$ After the above improvement process, the objective function Loss of this algorithm is composed of the adversarial loss Loss_Idex of the recognizer Ide_x, the adversarial loss Loss_Idey of the recognizer Ide_y and the hinge loss Loss_gemel, as shown in Eq. (10): (10)${\displaystyle Loss=Los{s}_{Id{e}_x}+Los{s}_{Id{e}_y}+Los{s}_{gemel}}$ where µrepresents the weight of the hinge loss. During the training of this algorithm, the adversarial loss Loss_Idex constrains the adversarial samples and the original face images to be highly consistent visually, and the hinge loss Loss_gemel constrains the boundaries of slight disturbances. The purpose of both losses is to ensure the generation of high quality. , adversarial samples with visual effects close to the original face images. Deepfake is generally based on a black box scenario. The party whose image is deeply faked does not know the network structure and parameters of the deepfake model. Therefore, the best way to proactively defend is to perform black box attacks on several deepfake models at the same time. This algorithm attacks based on queries, and estimates the gradient of the model by querying the difference in the output results of the deepfake model to improve the model’s generalization ability. Adversarial loss Loss_Idey simulates adversarial samples to attack multiple deepfake models in a black box scenario, thereby improving the aggressiveness and transferability of adversarial samples.

Strategies to improve the offensiveness of adversarial examples

In traditional research on increasing the aggressiveness of adversarial samples, most studies use fine-tuning strategies. The algorithm proposed in this paper innovatively uses two strategies to increase or maintain the aggressiveness of samples. These two strategies are using a stronger perturbation strategy and dynamically adjusting the perturbation intensity.

Models, datasets and parameters

The deepfake models selected for the experiments of this paper are StarGAN, StarGAN − v2 and STGAN − SAC. All three models can achieve deepfake of face images. Among them, StarGAN and StarGAN − v2 are used for deepfake of hair and age in face images, while STGAN − SAC is used for deepfake of accessories in face images.

In addition, the datasets selected for the experiment are the public datasets CASIA − FaceV5 and CelebA. Among them, the CASIA − FaceV5 dataset contains a large number of high-definition, diverse and real face images, covering different ages, genders and expressions, providing a comprehensive foundation for face recognition and analysis tasks. The CelebA dataset is another large-scale face attribute dataset, containing more than 200,000 celebrity images, each of which is annotated with 40 attribute labels. The images in this dataset have a wide range of variations in pose, background and lighting conditions. The algorithm proposed in this paper novelly adds the generative adversarial network to the experiment. In the experiment, images of size 300∗300 extracted from the dataset are used as input face images. The weight µrepresenting the hinge loss is set to 0.5. The training cycle and batch processing are set to 100 and 50, respectively.

Finally, the algorithm innovatively designed a model optimizer for the experiments. The learning rate of each parameter is dynamically adjusted by calculating the first and second moment estimates of the gradient, thereby improving training efficiency and accuracy. The specific steps are:

1. Compute gradient gra_para for each parameter para.

2. Calculate the first-order moment estimate mean $\overline{es{t}_1}$ of the gradient, as shown in Eq. (15): (15)${\displaystyle \overline{es{t}_1}={\alpha }_1\overline{es{t}_1}+\left(1-{\alpha }_1\right)gr{a}_{para}.}$ Among them, α₁ is used to control the exponential decay rate of the first-order moment estimate, which is set to 0.9 in the experiments.

3. Calculate the second-order moment estimation variance σ of the gradient, as shown in Eq. (16): (16)${\displaystyle \sigma ={\alpha }_2\sigma +\left(1-\sigma \right)gr{a}_{para}^2.}$ Among them, alpha₂ is used to control the exponential decay rate of the second-order moment estimation, which is set to 0.99 in the experiments.

4. Perform bias correction on the first-order moment estimate and the second-order moment estimate, as shown in Eq. (17): (17)${\displaystyle co{r}_{\overline{es{t}_1}}=\frac{es{t}_1}{1-{\alpha }_1^i},co{r}_{\sigma }=\frac{\sigma }{1-{\alpha }_2^i}.}$ Among them, i represents the current iteration number.

5. Update parameters based on first-order moment estimation and second-order moment estimation, as shown in Eq. (18): (18)${\displaystyle para=para-\gamma \frac{co{r}_{\overline{es{t}_1}}}{\sqrt{co{r}_{\sigma }}+\tau }.}$ Among them, γ represents the learning rate, and τ is used to stabilize the value. In the experiments, it is set to 1e − 6.

Based on the above, the model optimizer designed in the experiments have a good convergence speed.

Measurement methods for experimental results

First, the experiments innovatively designed the pixel distance d_pix. When evaluating the quality of the face images generated by the deepfake model, the quality of the generated images can be measured by calculating d_pix between the original face images and the deepfake face images, as shown in Eq. (19): (19)${\displaystyle d_{pix}=\sqrt{\sum _{i=1}^n{\left(I_{input}\left[i\right]-I_{output}\left[i\right]\right)}^2}.}$ Among them, I_input[i] represents the value of the i − th pixel of the input original face images, and I_output[i] represents the value of the i − th pixel of the output deepfake face images. It is not difficult to realize that the larger the value of d_pix, the greater the visual difference between the output deepfake face images and the original face images, that is, the better the attack effect of the adversarial samples.

Then, the value of d_pix can more accurately evaluate the quality of the face images generated by the deepfake model from a global level. However, if the visual difference between the output deepfake images and the original face images is mainly local, it should also be evaluated. It is evaluated that the attack effect is good, but the d_pix value at this time may be very small. At this time, the experiments innovatively adds a mask matrix to calculate the mask distance. The experiments use an attention priority mechanism to focus attention on the modified parts of the face images, because the mask matrix can specify which part of the pixels should be used to calculate distance, and which part of the pixels should be ignored. If the difference in this part of the area exceeds a certain threshold, it is also considered to be a good attack effect. Calculate the mask distance d_{Md_pix} as shown in Eq. (20): (20)${\displaystyle d_{M_{d\text{\_}pix}}=\sqrt{\sum _{i=1}^{n}M\left[i\right]{\left(I_{input}\left[i\right]-I_{output}\left[i\right]\right)}^2}.}$ Among them, M is the mask matrix defined in this experiment. The shape of the matrix and the original face image are both 300∗300, in which the value of each pixel is 0 or 1.0 means that the pixel at the position should be ignored, and 1 means that the pixel at the position should be used to calculate the distance. M[i] is the value of the i − th pixel in the mask matrix.

Finally, in order to further evaluate the effect of attacking the deepfake model, the experiments will be conducted by calculating the Frechet distance d_Frechet using the mean vector and covariance matrix of the real images and the generated images (Cheng & Huang, 2023), as shown in Eq. (21): (21)${\displaystyle d_{Frechet}={∥{\mu }_{input}-{\mu }_{output}∥}_2^2+Tr\left(\sum input+\sum output-2\sqrt{\sum input\sum output}\right).}$ The lower the distance d_Frechet value, the closer the distribution of the generated images and the real images in the feature space are, and the higher the quality of the generated images are. Among them, μ_input and μ_output represent the mean vector of the real images and the generated images in the feature space respectively, ∑input and ∑output represent the covariance matrix of the real images and the generated images in the feature space respectively, and ${∥{\mu }_{input}-{\mu }_{output}∥}_2^2$ calculates the covariance matrix of the real images and the generated images in the feature space. The square of the Euclidean distance of the mean vector is used to measure the difference in mean between the two. $Tr\left(\sum input+\sum output-2\sqrt{\sum input\sum output}\right)$ calculates the Frechet distance between the covariance matrix of the real images and the generated images in the feature space to measure the difference in covariance between the two. Finally, the distances between these two parts are added to obtain the Frechet distance value, which is used to evaluate the quality of the generated images.

Results

Validity verification

Based on the results of the experiments, this paper designed an objective method to evaluate whether the attack deepfake model was successful. The experiments randomly selected 200 face images from the public datasets CASIA − FaceV5 and CelebA as the training set, and randomly selected 2000 face images from other images in the dataset for all experiments. By calculating the pixel distance d_pix, mask distance d_{Md_pix} and Frechet distance d_Frechet, we observe the active defense effect against the deepfake models StarGAN, StarGAN − v2 and STGAN − SAC, as shown in Fig. 3.

First, this experiment randomly selected 200 face images from the dataset CASIA − FaceV5 for testing, and modified these original face images based on the face deepfake characteristics of the deepfake models StarGAN, StarGAN − v2 and STGAN − SAC. The results show that the pixel distance d_pix of the three models attacked by the DADFI algorithm proposed in this paper is greater than 0.06. The algorithm believes that when the d_pix of the original face images and the deepfake images are greater than 0.6, people can easily distinguish the two images visually. In other words, when the d_pix of the two images is greater than 0.6, the active defense effect is good. In addition, the mask distance d_{Md_pix} of the three models attacked by the DADFI algorithm is greater than 0.85. The closer the mask distance d_{Md_pix} is to 1, the better the active defense effect. At the same time, the distorted Frechet distance d_Frechet values of all output images are above 30, indicating that the difference between distorted images and normal deepfake images are large, and also prove the effectiveness of active defense. The same experiment was also conducted on the CelebA dataset and achieved similar results.

Then, during the training process of the data set, the DADFI algorithm constrains the infinite norm limit lim representing the specified adversarial perturbation to less than 0.05, so there is basically no difference between the original face images and its adversarial samples for normal vision. At the same time, there are large visual differences between the output results of the deepfake models StarGAN, StarGAN − v2 and STGAN − SAC on the original face images and its adversarial samples, human vision can easily detect tampered images. Experimental results show that StarGAN is most vulnerable to adversarial attacks, and the output results after being attacked have the most obvious distortion. Although StarGAN − v2 and STGAN − SAC have a certain degree of robustness to attacks, the output images after the attack are still significantly different from the normal deepfake images, and the models cannot achieve the purpose of tampering with face images.

Finally, by horizontally comparing and modifying different facial feature attributes of the same models, it was found that the tampered area of the deepfake model will not have a major impact on the generated distortion area, that is, the adversarial attack is robust to deepfake methods. The above experimental results show that the adversarial samples generated by DADFI have the ability to attack deepfake models across models and can protect face images from tampering by deepfake models.

Comparative experiments

First, based on the datasets CASIA − FaceV5 and CelebA, the algorithm selected three common adversarial attack algorithms for comparison. They are MOMA proposed by Sun et al. (2023a), ATS − O2A proposed by Li et al. (2023a) and Adv − Bot proposed by Debicha et al. (2023). Based on the above three algorithms, the experiments innovatively use mask distance d_{Md_pix} and Frechet distance d_Frechet to observe the active defense effects of several different algorithms against deepfake models StarGAN, StarGAN − v2 and STGAN − SAC. The experimental results are as follows as shown in Figs. 4, 5 and 6.

Then, the experimental results conducted on three different deepfake models show that the above three common adversarial attack algorithms have certain active defense effects. Compared with the comparative algorithms, the DADFI proposed in this paper can generate adversarial samples that can more effectively attack the two deepfake models of StarGAN and STGAN–SAC, achieving the goal of cross-model defense against deepfake. In addition, the maximum value of the mask distance d_{Md_pix} of the DADFI for attacking these three models is 1.00 for StarGAN, and the minimum value is 0.79 for STGAN–SAC, but it is far ahead of the values of other algorithms. Because the closer the mask distance d_{Md_pix} is to 1, the better the active defense effect is, so the active defense effect of DADFI is better than the comparison algorithms on these three models. At the same time, the distorted Frechet distance d_Frechet value of all output images of the DADFI is above 30, with the maximum value being 131.50 for StarGAN and the minimum value being 39.62 for StarGAN − v2, indicating that the difference between the distorted images and the normal deepfake images are large, and also prove effectiveness of active defense.

Finally, the DADFI proposed in this paper is based on an end-to-end generative adversarial network. After training, adversarial samples can be obtained without accessing the deepfake model again. Therefore, this paper compares the efficiency of adversarial samples generation with different algorithms. The experimental results are as shown as Fig. 7.

Experimental results show that compared with the comparative algorithms MOMA, ATS − O2A and Adv–Bot, the experimental results of the DADFI are better in terms of adversarial samples generation efficiency.

Verification experiments

In order to verify the aggressiveness and migration of the DADFI proposed in this paper, the paper designed the following two sets of experiments.

Verification experiment 1: Adjust the number of deepfake models in the adversarial samples fine-tuning algorithm, and adjust the three deepfake models trained for adversarial samples attack in DADFI to attack a single deepfake model, in order to verify the effectiveness of the DADFI and the advantages in mobility.

Adjust the number of deepfake models to 1, and when only one of the deepfake models StarGAN, StarGAN–v2, and STGAN–SAC is retained, the attack and transferability of the adversarial samples are evaluated through pixel distance d_pix. If the pixel distance d_pix produced when attacking the selected deepfake model is high, and the pixel distance d_pix produced when attacking the remaining deepfake models is significantly lower than 0.05, in other words, in the case of a single-model attack, the pertinence is high, but the transferability is insufficient. Experimental results prove that the DADFI proposed in this paper uses three deepfake models for training, and uses pixel distance d_pix loss to evaluate the distortion effect. The values are all higher than 0.05, and the mask distance d_{Md_pix} scores are high, both close to 1, which is obviously improved transferability of adversarial examples. The pixel distance comparison of any one of the three deepfake models is retained as shown in Fig. 8.

Experimental results show that the DADFI proposed in this paper adjusts the number of deepfake models to 1. When only one of the deepfake models StarGAN, StarGAN–v2 and STGAN–SAC is retained, the pixel distance values corresponding to this model are higher than compare models to prove that the transferability of adversarial examples is better.

Verification experiment 2: Remove the adversarial samples fine-tuning algorithm, and determine whether the adversarial samples generated by the generator can make the deepfake model output distorted face images to verify whether the fine-tuning algorithm can improve the aggressiveness of the adversarial samples.

When the adversarial samples fine-tuning algorithm is removed from training and only the adversarial samples generation algorithm is used for training, the pixel distance d_pix of the generated adversarial samples to the deepfake model StarGAN is only 0.0382, and the pixel distance d_pix of the other two deepfake models is even lower. Moreover, the mask distance d_{Md_pix} values of the above three models are all small, and the adversarial samples are almost not aggressive. By comparing with the DADFI proposed in this paper, DADFI can effectively improve the aggressiveness of adversarial samples and retain the mask distance comparison of any one of the three deepfake models as shown in Fig. 9.

Experimental results show that when the adversarial samples fine-tuning algorithm is removed from the DADFI training proposed in this paper and only the adversarial samples generation algorithm is retained, the mask distance d_{Md_pix} values corresponding to the model are higher than those of the comparison models, thus proving the attack performance comparison of adversarial samples good.

The results of the above-mentioned verification experiment one and verification experiment two show that the DADFI proposed in this paper has strong attack and migration performances.