attack arXiv Oct 14, 2025 · Oct 2025
Dion J. X. Ho, Gabriel Lee Jun Rong, Niharika Shrivastava et al. · Columbia University · Singapore Institute of Technology +1 more
Dual-stream PGD attack crafts transferable, imperceptible adversarial examples that evade black-box deepfake detectors by 27% over SOTA
Input Manipulation Attack vision
We present MS-GAGA (Metric-Selective Guided Adversarial Generation Attack), a two-stage framework for crafting transferable and visually imperceptible adversarial examples against deepfake detectors in black-box settings. In Stage 1, a dual-stream attack module generates adversarial candidates: MNTD-PGD applies enhanced gradient calculations optimized for small perturbation budgets, while SG-PGD focuses perturbations on visually salient regions. This complementary design expands the adversarial search space and improves transferability across unseen models. In Stage 2, a metric-aware selection module evaluates candidates based on both their success against black-box models and their structural similarity (SSIM) to the original image. By jointly optimizing transferability and imperceptibility, MS-GAGA achieves up to 27% higher misclassification rates on unseen detectors compared to state-of-the-art attacks.
cnn transformer Columbia University · Singapore Institute of Technology · Duke Kunshan University
ML Security Papers