FakeSpotter: A Simple yet Robust Baseline for Spotting AI-Synthesized Fake Faces

Run Wang
Yihao Huang
Jian Wang

IJCAI, pp. 3444-3451, 2020.

Keywords: adversarial attack, adversarial network, synthesis, common perturbation, facial image

Abstract:

In recent years, generative adversarial networks (GANs) and their variants have achieved unprecedented success in image synthesis. They are widely adopted for synthesizing facial images, which raises potential security concerns as the fakes spread and fuel misinformation. However, robust detectors of these AI-synthesized fake faces are still lacking. This work proposes FakeSpotter, a neuron-coverage-based approach that spots fake faces by monitoring layer-by-layer neuron activation behaviors, and shows that it is robust against common perturbation attacks.

Introduction
  • With the remarkable development of AI, particularly GANs, seeing is no longer believing.
  • Humans can be fooled by these synthesized fake images.
  • Figure 1 presents four typical fake faces synthesized with various GANs, which are hard for humans to distinguish from real ones at first glance.
  • AI-synthesized fake faces bring fun to users, but they also raise security and privacy concerns and even cause panic among celebrities, politicians, and the general public.
  • Some apps (e.g., FaceApp, Reflect, and ZAO) employ face-synthesis techniques.
Highlights
  • With the remarkable development of AI, particularly generative adversarial networks, seeing is no longer believing.
  • FakeSpotter achieves a high detection rate and a low false alarm rate in spotting the four typical types of fake faces synthesized by generative adversarial networks.
  • We find that FakeSpotter achieves a better balance between precision and recall on the four types of fake faces (see Figure 3).
  • Fake faces synthesized with advanced generative adversarial networks are difficult for FakeSpotter to spot.
  • The average AUC score over all four types of fake faces decreased by less than 3.77% under the four perturbation attacks at five different intensities.
  • We proposed FakeSpotter, the first neuron-coverage-based approach for fake-face detection, and performed an extensive evaluation of FakeSpotter on fake-detection challenges with four typical types of SOTA fake faces.
Methods
  • The authors first give the basic insight behind FakeSpotter and present an overview of how it spots fake faces by monitoring neuron behaviors.
  • A neuron coverage criterion, mean neuron coverage (MNC), is proposed for capturing layer-by-layer neuron activation behaviors (a minimal sketch follows this list).
  • Some prior work exploits critically activated neurons in layers to detect adversarial examples and secure DNNs [Ma et al., 2019b; Ma et al., 2019a; Ma et al., 2018b; Zhang et al., 2019a].
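A minimal sketch, in PyTorch, of how such layer-wise MNC features might be computed is shown below. The backbone model, the calibration loader, and the per-layer mean threshold are illustrative assumptions, not the authors' released implementation.

    import torch
    import torch.nn as nn

    def layer_outputs(model: nn.Module, x: torch.Tensor):
        """Collect the output of every leaf module (assumed to be a tensor) for batch x."""
        outputs = []
        hooks = [m.register_forward_hook(lambda _m, _i, o: outputs.append(o))
                 for m in model.modules() if len(list(m.children())) == 0]
        model.eval()
        with torch.no_grad():
            model(x)
        for h in hooks:
            h.remove()
        return outputs

    def calibrate_thresholds(model, loader):
        """One scalar threshold per layer: the mean activation over a calibration set."""
        total, batches = None, 0
        for x, _ in loader:
            means = torch.stack([o.float().mean() for o in layer_outputs(model, x)])
            total = means if total is None else total + means
            batches += 1
        return total / batches

    def mnc_features(model, x, thresholds):
        """Per-layer ratio of neurons whose activation exceeds the layer threshold."""
        outs = layer_outputs(model, x)
        return torch.stack([(o.float() > t).float().mean()
                            for o, t in zip(outs, thresholds)])

The resulting per-layer activation ratios would then serve as the feature vector for a shallow binary classifier (e.g., a small MLP or an SVM) trained to separate real from fake faces.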
Results
  • Experimental results demonstrate that FakeSpotter outperforms AutoGAN and achieves competitive AUC performance, with a high detection rate and a low false alarm rate in spotting the four typical fake faces synthesized by GANs.
  • [Figure: AUC under four common perturbations: (a) Compression (JPEG quality 20–100); (b) Blur (kernel standard deviation 0.0–0.5); (c) Resizing (scale factor 0.0–1.0); (d) Noise (variance 0.0–0.5).]
  • The average AUC score over all four types of fake faces decreased by less than 3.77% under the four perturbation attacks at five different intensities (a sketch of such a perturbation sweep follows this list).
  • Celeb-DF [Li et al., 2019] is another large-scale DeepFake video dataset covering many different subjects; it contains more than 5,639 high-quality fake videos.
  • On their project website, the authors provide comparison results of existing video detection methods on several DeepFake datasets, including Celeb-DF.
  • There are two versions of the Celeb-DF dataset, Celeb-DF(v1) and Celeb-DF(v2), the latter being a superset of the former.
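The following is a hedged sketch of how the four perturbation attacks could be reproduced and scored. The parameter ranges follow the figure axes above; score_fn, a detector returning a fakeness score (higher meaning more likely fake), is a placeholder assumption.

    import io
    import numpy as np
    from PIL import Image, ImageFilter
    from sklearn.metrics import roc_auc_score

    def jpeg_compress(img: Image.Image, quality: int) -> Image.Image:
        """Re-encode as JPEG at the given quality (swept over 20-100 in the paper)."""
        buf = io.BytesIO()
        img.save(buf, format="JPEG", quality=quality)
        buf.seek(0)
        return Image.open(buf).convert("RGB")

    def gaussian_blur(img: Image.Image, std: float) -> Image.Image:
        """Gaussian blur; PIL's radius stands in for the kernel standard deviation."""
        return img.filter(ImageFilter.GaussianBlur(radius=std))

    def rescale(img: Image.Image, scale: float) -> Image.Image:
        """Downscale by `scale`, then restore the original size for the detector."""
        w, h = img.size
        small = img.resize((max(1, int(w * scale)), max(1, int(h * scale))))
        return small.resize((w, h))

    def add_noise(img: Image.Image, var: float) -> Image.Image:
        """Additive Gaussian noise with the given variance (pixels scaled to [0, 1])."""
        arr = np.asarray(img, dtype=np.float32) / 255.0
        noisy = np.clip(arr + np.random.normal(0.0, np.sqrt(var), arr.shape), 0.0, 1.0)
        return Image.fromarray((noisy * 255).astype(np.uint8))

    def auc_under_perturbation(images, labels, perturb, score_fn):
        """AUC of detector scores on perturbed images (labels: 1 = fake, 0 = real)."""
        scores = [score_fn(perturb(img)) for img in images]
        return roc_auc_score(labels, scores)

Sweeping, for example, quality over {100, 80, 60, 40, 20} reproduces the five compression intensities; the other three perturbations are swept analogously.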
Conclusion
  • The authors' approach achieves impressive results in detecting various types of fake faces and is robust against several common perturbation attacks.
  • The approach focuses only on facial images, without considering voice.
  • This suggests that producing fake multimedia by combining various seen and unseen techniques may be a future trend.
  • The authors proposed FakeSpotter, the first neuron-coverage-based approach for fake-face detection, and performed an extensive evaluation of FakeSpotter on fake-detection challenges with four typical types of SOTA fake faces.
  • Beyond DeepFake detection, the authors conjecture that FakeSpotter can work well in tandem with non-additive-noise adversarial attacks, e.g., [Wang et al., 2019; Guo et al., 2020], where the attacked images do not reveal a noise pattern and are much harder to detect accurately.
Tables
  • Table 1: Statistics of the collected fake-face dataset. Column Manipulation indicates the manipulated region of the face. Column Real Source denotes the source of the real faces used to produce the fakes. The last column, Collection, indicates how the fake faces were produced: synthesized by ourselves or collected from a public dataset. F.F.++ denotes the FaceForensics++ dataset.
  • Table 2: Performance of FakeSpotter (F.S.) and AutoGAN (A.G.) in spotting the four types of fake faces. PGGAN and StyleGAN2 produce entirely synthesized facial images. In attribute editing, StarGAN changes the hair color to brown, while STGAN adds eyeglasses. In expression manipulation, StyleGAN and STGAN make faces smile, and StyleGAN can additionally control the intensity of the smile. Average performance is computed over the fake-face types; two averages are reported: one over still images (the first three types of fake faces) and one over all four types.
Related work
  • 2.1 Image Synthesis

    GANs have made impressive progress in image synthesis [Zhu et al., 2017; Yi et al., 2017], which has been the most widely studied application of GANs since they were first proposed in 2014 [Goodfellow et al., 2014]. The generator in a GAN learns to produce synthesized samples that are almost identical to real samples, while the discriminator learns to differentiate between them. Recently, various GANs have been proposed for facial image synthesis and manipulation.
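    For reference, a standard formalization of this two-player game is the minimax objective of [Goodfellow et al., 2014]:

        \min_G \max_D V(D, G) = \mathbb{E}_{x \sim p_{\mathrm{data}}(x)}[\log D(x)] + \mathbb{E}_{z \sim p_z(z)}[\log(1 - D(G(z)))]

    where the discriminator D learns to assign high probability to real samples x and low probability to generated samples G(z), while the generator G learns to fool D.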

    In entire face synthesis, PGGAN [Karras et al., 2018] and StyleGAN, created by NVIDIA, produce high-resolution faces of unprecedented quality, synthesizing faces of people who do not exist. STGAN and StarGAN focus on face editing, which manipulates the attributes and expressions of human faces, e.g., changing hair color, adding eyeglasses, or adding a smile or a fearful expression. FaceApp and FaceSwap employ GANs to generate DeepFakes, which involve identity swaps.
Funding
  • This research was supported in part by the Singapore National Cybersecurity R&D Program No. NRF2018NCR-NCR005-0001, the National Satellite of Excellence in Trustworthy Software Systems No. NRF2018NCR-NSOE003-0001, and NRF Investigatorship No. NRFI06-2020-0022.
  • It was also supported by JSPS KAKENHI Grants No. 20H04168, 19K24348, and 19H04086, and the JST-Mirai Program Grant No. JPMJMI18BB, Japan.
  • We gratefully acknowledge the support of the NVIDIA AI Tech Center (NVAITC) to our research.
References
  • [Agarwal et al., 2019] Shruti Agarwal, Hany Farid, Yuming Gu, Mingming He, Koki Nagano, and Hao Li. Protecting world leaders against deep fakes. In CVPR Workshops, pages 38–45, 2019.
  • [Böhme and Kirchner, 2013] Rainer Böhme and Matthias Kirchner. Counter-forensics: Attacking image forensics. In Digital Image Forensics, pages 327–366, 2013.
  • [Buchana et al., 2016] P. Buchana, I. Cazan, M. Diaz-Granados, F. Juefei-Xu, and M. Savvides. Simultaneous forgery identification and localization in paintings using advanced correlation filters. In ICIP, 2016.
  • [Choi et al., 2018] Yunjey Choi, Minje Choi, Munyoung Kim, Jung-Woo Ha, Sunghun Kim, and Jaegul Choo. StarGAN: Unified generative adversarial networks for multi-domain image-to-image translation. In CVPR, pages 8789–8797, 2018.
  • [Cole, 2018] Samantha Cole. We Are Truly F—ed: Everyone Is Making AI-Generated Fake Porn Now. https://www.vice.com/en_us/article/bjye8a/reddit-fake-porn-app-daisy-ridley/, 2018. (Jan 25, 2018).
  • [Goodfellow et al., 2014] Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley, Sherjil Ozair, Aaron Courville, and Yoshua Bengio. Generative adversarial nets. In NeurIPS, pages 2672–2680, 2014.
  • [Goodfellow et al., 2015] Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. In ICLR, 2015.
  • [Guo et al., 2020] Qing Guo, Felix Juefei-Xu, Xiaofei Xie, Lei Ma, Jian Wang, Wei Feng, and Yang Liu. ABBA: Saliency-regularized motion-based adversarial blur attack. arXiv preprint arXiv:2002.03500, 2020.
  • [Huang et al., 2020] Yihao Huang, Felix Juefei-Xu, Run Wang, Xiaofei Xie, Lei Ma, Jianwen Li, Weikai Miao, Yang Liu, and Geguang Pu. FakeLocator: Robust localization of GAN-based face manipulations via semantic segmentation networks with bells and whistles. arXiv preprint arXiv:2001.09598, 2020.
  • [Karras et al., 2018] Tero Karras, Timo Aila, Samuli Laine, and Jaakko Lehtinen. Progressive growing of GANs for improved quality, stability, and variation. In ICLR, 2018.
  • [Karras et al., 2019a] Tero Karras, Samuli Laine, and Timo Aila. A style-based generator architecture for generative adversarial networks. In CVPR, pages 4401–4410, 2019.
  • [Karras et al., 2019b] Tero Karras, Samuli Laine, Miika Aittala, Janne Hellsten, Jaakko Lehtinen, and Timo Aila. Analyzing and improving the image quality of StyleGAN. arXiv preprint arXiv:1912.04958, 2019.
  • [Korshunov and Marcel, 2018] Pavel Korshunov and Sébastien Marcel. DeepFakes: A new threat to face recognition? Assessment and detection. arXiv preprint arXiv:1812.08685, 2018.
  • [Li and Lyu, 2019] Yuezun Li and Siwei Lyu. Exposing DeepFake videos by detecting face warping artifacts. In CVPR Workshops, 2019.
  • [Li et al., 2019] Yuezun Li, Xin Yang, Pu Sun, Honggang Qi, and Siwei Lyu. Celeb-DF: A new dataset for DeepFake forensics. arXiv preprint arXiv:1909.12962, 2019.
  • [Liu et al., 2015] Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. Deep learning face attributes in the wild. In ICCV, 2015.
  • [Liu et al., 2019] Ming Liu, Yukang Ding, Min Xia, Xiao Liu, Errui Ding, Wangmeng Zuo, and Shilei Wen. STGAN: A unified selective transfer network for arbitrary image attribute editing. In CVPR, pages 3673–3682, 2019.
  • [Ma et al., 2018a] Lei Ma, Felix Juefei-Xu, Fuyuan Zhang, Jiyuan Sun, Minhui Xue, Bo Li, Chunyang Chen, Ting Su, Li Li, Yang Liu, et al. DeepGauge: Multi-granularity testing criteria for deep learning systems. In ASE, pages 120–131, 2018.
  • [Ma et al., 2018b] Lei Ma, Fuyuan Zhang, Jiyuan Sun, Minhui Xue, Bo Li, Felix Juefei-Xu, Chao Xie, Li Li, Yang Liu, Jianjun Zhao, et al. DeepMutation: Mutation testing of deep learning systems. In ISSRE, 2018.
  • [Ma et al., 2019a] Lei Ma, Felix Juefei-Xu, Minhui Xue, Bo Li, Li Li, Yang Liu, and Jianjun Zhao. DeepCT: Tomographic combinatorial testing for deep learning systems. In SANER, 2019.
  • [Ma et al., 2019b] Shiqing Ma, Yingqi Liu, Guanhong Tao, Wen-Chuan Lee, and Xiangyu Zhang. NIC: Detecting adversarial samples with neural network invariant checking. In NDSS, 2019.
  • [Mahendran and Vedaldi, 2015] Aravindh Mahendran and Andrea Vedaldi. Understanding deep image representations by inverting them. In CVPR, 2015.
  • [McCloskey and Albright, 2018] Scott McCloskey and Michael Albright. Detecting GAN-generated imagery using color cues. arXiv preprint arXiv:1812.08247, 2018.
  • [Nataraj et al., 2019] Lakshmanan Nataraj, Tajuddin Manhar Mohammed, B. S. Manjunath, Shivkumar Chandrasekaran, Arjuna Flenner, Jawadul H. Bappy, and Amit K. Roy-Chowdhury. Detecting GAN generated fake images using co-occurrence matrices. arXiv preprint arXiv:1903.06836, 2019.
  • [Pei et al., 2017] Kexin Pei, Yinzhi Cao, Junfeng Yang, and Suman Jana. DeepXplore: Automated whitebox testing of deep learning systems. In SOSP, 2017.
  • [Rössler et al., 2019] Andreas Rössler, Davide Cozzolino, Luisa Verdoliva, Christian Riess, Justus Thies, and Matthias Nießner. FaceForensics++: Learning to detect manipulated facial images. In ICCV, 2019.
  • [Stehouwer et al., 2020] Joel Stehouwer, Hao Dang, Feng Liu, Xiaoming Liu, and Anil Jain. On the detection of digital face manipulation. In CVPR, 2020.
  • [Wang et al., 2019] Run Wang, Felix Juefei-Xu, Xiaofei Xie, Lei Ma, Yihao Huang, and Yang Liu. Amora: Black-box adversarial morphing attack. arXiv preprint arXiv:1912.03829, 2019.
  • [Wang et al., 2020] Sheng-Yu Wang, Oliver Wang, Richard Zhang, Andrew Owens, and Alexei A. Efros. CNN-generated images are surprisingly easy to spot... for now. In CVPR, 2020.
  • [Xie et al., 2019] Xiaofei Xie, Lei Ma, Felix Juefei-Xu, Minhui Xue, Hongxu Chen, Yang Liu, Jianjun Zhao, Bo Li, Jianxiong Yin, and Simon See. DeepHunter: A coverage-guided fuzz testing framework for deep neural networks. In ISSTA, 2019.
  • [Yang et al., 2019] Xin Yang, Yuezun Li, and Siwei Lyu. Exposing deep fakes using inconsistent head poses. In ICASSP, 2019.
  • [Yi et al., 2017] Zili Yi, Hao Zhang, Ping Tan, and Minglun Gong. DualGAN: Unsupervised dual learning for image-to-image translation. In ICCV, pages 2849–2857, 2017.
  • [Yu et al., 2019] Ning Yu, Larry S. Davis, and Mario Fritz. Attributing fake images to GANs: Learning and analyzing GAN fingerprints. In ICCV, pages 7556–7566, 2019.
  • [Zakharov et al., 2019] Egor Zakharov, Aliaksandra Shysheya, Egor Burkov, and Victor Lempitsky. Few-shot adversarial learning of realistic neural talking head models. arXiv preprint arXiv:1905.08233, 2019.
  • [Zhang et al., 2019a] Jie M. Zhang, Mark Harman, Lei Ma, and Yang Liu. Machine learning testing: Survey, landscapes and horizons. arXiv preprint arXiv:1906.10742, 2019.
  • [Zhang et al., 2019b] Xu Zhang, Svebor Karaman, and Shih-Fu Chang. Detecting and simulating artifacts in GAN fake images. arXiv preprint arXiv:1907.06515, 2019.
  • [Zhu et al., 2017] Jun-Yan Zhu, Taesung Park, Phillip Isola, and Alexei A. Efros. Unpaired image-to-image translation using cycle-consistent adversarial networks. In ICCV, 2017.