Untraceable DeepFakes via Traceable Fingerprint Elimination

Recent advancements in DeepFakes attribution technologies have significantly enhanced forensic capabilities, enabling the extraction of traces left by generative models (GMs) in images, making DeepFakes traceable back to their source GMs. Meanwhile, several attacks have attempted to evade attribution models (AMs) for exploring their limitations, calling for more robust AMs. However, existing attacks fail to eliminate GMs' traces, thus can be mitigated by defensive measures. In this paper, we identify that untraceable DeepFakes can be achieved through a multiplicative attack, which can fundamentally eliminate GMs' traces, thereby evading AMs even enhanced with defensive measures. We design a universal and black-box attack method that trains an adversarial model solely using real data, applicable for various GMs and agnostic to AMs. Experimental results demonstrate the outstanding attack capability and universal applicability of our method, achieving an average attack success rate (ASR) of 97.08\% against 6 advanced AMs on DeepFakes generated by 9 GMs. Even in the presence of defensive mechanisms, our method maintains an ASR exceeding 72.39\%. Our work underscores the potential challenges posed by multiplicative attacks and highlights the need for more robust AMs.

Key Contributions

• Theoretical identification that multiplicative attacks fundamentally eliminate generative model fingerprints, unlike additive attacks which merely perturb without removing traces
• Universal black-box adversarial model trained exclusively on real data, applicable to DeepFakes from any generative model without access to the attribution model
• Demonstration of 97.08% average ASR against 6 advanced attribution models across 9 generative models, maintaining 72.39%+ ASR against defensive mechanisms

🛡️ Threat Analysis

Details

Similar Papers