Research On Active Attack And Defense Of Forged Face Images Based On Adversarial Perturbatio

With the maturation of deep generation technology,the face images generated by the face forgery models appear to mix the spurious with the genuine.To alleviate the risk of malicious use of face forgery techniques,researchers have proposed passive image forensic methods to detect the authenticity of face images.Although the current passive forensic detectors based on deep neural network have achieved considerable performance,there are still two issues.On the one hand,the unknown vulnerabilities of the forensic detectors may be exploited to generate more threatening fake face images.On the other hand,forensic methods are too passive to eliminate the losses already caused by maliciously forged faces.For the unknown vulnerabilities of detectors,digital forensic researchers try to actively attack existing detectors,discover and expose them through anti-forensic technology.In order to avoid losses caused by fake faces,forensic researchers attempt to actively defend against existing forgery models,disrupt face forgery through initiative defense methods.At present,adversarial attack is a common method for anti-forensics initiative attack and disrupt forgery initiative defense.By adding carefully designed adversarial perturbations to face images,forensic detectors or forgery models can be invalidated.To address the problems inherent in the existing research on anti-forensic attack and initiative defense,this topic has carried out research in the following two aspects:(1)Aiming at the problem that the transferability of the anti-forensic faces obtained by the existing face forgery initiative attack methods is insufficient,this thesis proposes a local perturbation attack algorithm.The main idea is to explore the face areas that different forensic detectors pay attention to when making decisions,mine the areas that multiple models focus on and add adversarial perturbations to these areas to enhance the visual effect and transferability of anti-forensic faces.Moreover,in order to improve the anti-forensic effect,this thesis designs a double-mask guided strategy and a three-part loss for training the perturbation generators.Experimental results show that the proposed method achieves an average anti-forensic success rate of 0.8882 on three white-box and six black-box detection models,and the anti-forensic faces maintain high visual quality,effectively exposing the vulnerability of advanced forensic detectors.(2)Aiming at the insufficient transferability and robustness of the existing two-stage alternate training face forgery initiative defense framework,this thesis proposes a three-stage adversarial perturbation initiative defense framework by optimizing the two-stage training architecture and its loss function and introducing an auxiliary classifier.This thesis first modifies the substitute target model in the two-stage training architecture and designs the attribute editing loss for the training of perturbation generator to improve the reconstruction performance and attribute constraint ability of the substitute model,thus reducing the overfitting issue of the substitute model;Secondly,the auxiliary classifier is introduced in the training phase to classify the source attributes of the encoded features extracted by the substitute model and the corresponding auxiliary classifier loss is designed for the training of perturbation generator.Then,the original two-stage alternate training is changed to the three-stage alternate training of substitute target model,auxiliary classifier and perturbation generator,so that it is expected to promote initiative defense against tampering model by countering auxiliary classifier;Finally,an attack layer is introduced in the training of the perturbation generator to enhance the robustness of the adversarial perturbation against filtering and JPEG compression.Experimental results show that the proposed framework can better migrate initiative defense from the white-box substitute model to the black-box attribute editing model than the existing frameworks,which can effectively prevent face attribute editing behavior,and the generated adversarial perturbation has strong robustness against JPEG compression and filtering.