THE JPEG BLIND SPOT: EXPOSING A CRITICAL VULNERABILITY IN DOCUMENT TAMPERING DETECTION

Download PDF

ICLR 2026 Conference Submission25466 Authors

20 Sept 2025 (modified: 23 Dec 2025)ICLR 2026 Conference SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: Document Tampering, Document Forgery, Adversarial attacks, JPEG artifacts
TL;DR: Current document forgery detectors rely on superficial JPEG artifacts and can be completely fooled by a simple attack that preserves those same artifacts,
Abstract: Deep models for document tampering detection increasingly rely on multimodal RGB+DCT architectures, implicitly assuming that JPEG block artifact grids (BAG) provide stable cross forgery cues. In this paper, we show that this assumption embeds a strong inductive bias that fails under minimal, adversarially constructed perturbations. Unlike natural images, where JPEG alignment is largely stochastic, document images contain sharply bounded glyph structures, making grid-aligned manipulations trivial for an adversary. We formalize this phenomenon through two complementary attacks. Grid-Aligned Forgery (GAF) preserves local JPEG block statistics by aligning copy move, splicing, or generative manipulations to the underlying 8×8 grid, removing the inconsistencies current models depend on. Pad–Recompress–Crop (PRC) globally shifts the JPEG grid while leaving RGB content unchanged, probing whether detectors meaningfully fuse RGB and DCT features or merely memorize position dependent frequency cues. To quantify these effects, we use two evaluation metrics, Attack Success Rate (ASR) for missing forged regions and False Positive Area (FPA) for unintended detections, which capture failure modes not measured by prior work. Evaluations on the DocTamper benchmark show that both attacks substantially degrade performance across a range of state-of-the-art and robustness-oriented (including adversarially robust) detectors, such as CAT-Net, DTD, FFDN, DocForgeNet, and ADCD-Net. Our findings indicate that many existing models exhibit a strong bias toward JPEG-grid statistics and highlight this as an opportunity for developing more robust multimodal architectures for real world, security critical document forensics.
Supplementary Material: pdf
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 25466