ML Security PapersUncovering and Mitigating Destructive Multi-Embedding Attacks in Deepfake Proactive Forensics
Lixin Jia 1, Haiyang Sun 1, Zhiqing Guo 1,2, Yunfeng Diao 3, Dan Ma 1, Gaobo Yang 3
Published on arXiv
2508.17247
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding
AIS plug-and-play fine-tuning significantly improves the MEA robustness of multiple state-of-the-art proactive forensics methods, enabling correct extraction of the original watermark even after a second embedding.
Adversarial Interference Simulation (AIS)
Novel technique introduced
With the rapid evolution of deepfake technologies and the wide dissemination of digital media, personal privacy is facing increasingly serious security threats. Deepfake proactive forensics, which involves embedding imperceptible watermarks to enable reliable source tracking, serves as a crucial defense against these threats. Although existing methods show strong forensic ability, they rely on an idealized assumption of single watermark embedding, which proves impractical in real-world scenarios. In this paper, we formally define and demonstrate the existence of Multi-Embedding Attacks (MEA) for the first time. When a previously protected image undergoes additional rounds of watermark embedding, the original forensic watermark can be destroyed or removed, rendering the entire proactive forensic mechanism ineffective. To address this vulnerability, we propose a general training paradigm named Adversarial Interference Simulation (AIS). Rather than modifying the network architecture, AIS explicitly simulates MEA scenarios during fine-tuning and introduces a resilience-driven loss function to enforce the learning of sparse and stable watermark representations. Our method enables the model to maintain the ability to extract the original watermark correctly even after a second embedding. Extensive experiments demonstrate that our plug-and-play AIS training paradigm significantly enhances the robustness of various existing methods against MEA.
Key Contributions
- First formal definition and empirical validation of Multi-Embedding Attacks (MEA), showing they render existing proactive forensics methods completely ineffective by overwriting the original forensic watermark
- Adversarial Interference Simulation (AIS): a model-agnostic fine-tuning paradigm that explicitly simulates MEA and uses a resilience loss to enforce sparse, stable watermark representations
- Plug-and-play integration with state-of-the-art deepfake proactive forensics methods, significantly improving their robustness against MEA without architectural changes
🛡️ Threat Analysis
The paper attacks and defends content watermarks embedded in images for deepfake proactive forensics — MEA is a watermark removal/defeat attack, and AIS defends the watermark's integrity. Both the attack and defense target output/content integrity via the watermarking scheme.