DF-RAP: A Robust Adversarial Perturbation for Defending Against Deepfakes in Real-World Social Network Scenarios

Published: 01 Jan 2024, Last Modified: 13 Nov 2024 | IEEE Trans. Inf. Forensics Secur. 2024 | CC BY-SA 4.0
Abstract: The misuse of Deepfakes to create unauthorized fake facial images and videos poses a growing threat to personal privacy and social stability. Proactive defense algorithms have been proposed to prevent this fraud by injecting adversarial perturbations into facial images. However, these perturbations are sensitive to the lossy compression on online social networks (OSNs). Recent studies have attempted to produce compression resistance by modeling compression at the pixel level. However, accurate modeling is challenging due to the customization of proprietary compression mechanisms by different OSNs. In this paper, we propose a Robust Adversarial Perturbation (DF-RAP) that provides persistent protection for facial images under OSN compression. Specifically, a novel Compression Approximation GAN (ComGAN) is designed to explicitly model OSN compression. The well-trained ComGAN is then incorporated as a sub-module of the target Deepfake model to derive DF-RAP. Furthermore, we reveal a commonality among various OSNs, i.e., that the lossy compression employed tends to destroy perturbations. Based on this, a novel objective-level destruction-aware constraint (DAC) is introduced during ComGAN training. The extensive experimental results show that DF-RAP can effectively protect facial images from Deepfakes under complex OSN compression, especially for OSNs employing more stringent compression. We also investigate the lossy operation mechanisms employed by widely used OSN platforms and build an OSN-transmission dataset based on CelebA to facilitate future research.