attack 2025

Realism to Deception: Investigating Deepfake Detectors Against Face Enhancement

Muhammad Saad Saeed 1, Ijaz Ul Haq 2, Khalid Malik 1

0 citations

Published on arXiv

2509.07178

Output Integrity Attack

OWASP ML Top 10 — ML09

Key Finding

GAN-based face enhancement achieves up to 75.12% attack success rate against state-of-the-art deepfake detectors while also improving the perceptual realism of fake videos.


Face enhancement techniques are widely used to enhance facial appearance. However, they can inadvertently distort biometric features, leading to a significant decrease in the accuracy of deepfake detectors. This study hypothesizes that these techniques, while improving perceptual quality, can degrade the performance of deepfake detectors. To investigate this, we systematically evaluate whether commonly used face enhancement methods can serve an anti-forensic role by reducing detection accuracy. We use both traditional image processing methods and advanced GAN-based enhancements to evaluate the robustness of deepfake detectors. We provide a comprehensive analysis of the effectiveness of these enhancement techniques, focusing on their impact on Naïve, Spatial, and Frequency-based detection methods. Furthermore, we conduct adversarial training experiments to assess whether exposure to face enhancement transformations improves model robustness. Experiments conducted on the FaceForensics++, DeepFakeDetection, and CelebDF-v2 datasets indicate that even basic enhancement filters can significantly reduce detection accuracy, achieving ASR up to 64.63%. In contrast, GAN-based techniques further exploit these vulnerabilities, achieving ASR up to 75.12%. Our results demonstrate that face enhancement methods can effectively function as anti-forensic tools, emphasizing the need for more resilient and adaptive forensic methods.


Key Contributions

  • Demonstrates that traditional face enhancement filters (e.g., skin smoothing) can reduce deepfake detector accuracy with ASR up to 64.63%, functioning as practical anti-forensic attacks without requiring knowledge of detector internals.
  • Shows GAN-based face enhancement further exploits detector vulnerabilities, achieving ASR up to 75.12% across Naïve, Spatial, and Frequency-based detection methods.
  • Evaluates adversarial training as a potential mitigation, finding partial but incomplete resilience against face-enhancement-based evasion.

🛡️ Threat Analysis

Output Integrity Attack

The paper attacks deepfake detection systems — which are content authenticity/output integrity mechanisms — by using face enhancement to conceal synthetic artifacts and cause detectors to misclassify fake media as real. This is an attack on content integrity verification (anti-forensics against deepfake detection). The paper also evaluates adversarial training as a defense to improve detector robustness against these attacks.


Details

Domains
vision
Model Types
cnn, gan
Threat Tags
black_box, inference_time
Datasets
FaceForensics++, DeepFakeDetection, CelebDF-v2
Applications
deepfake detection, facial forensics