TraceEvader: Making DeepFakes More Untraceable via Evading the Forgery Model Attribution

Abstract

In recent few years, DeepFakes are posing serve threats an concerns to both individuals and celebrities, as realistic Deep Fakes facilitate the spread of disinformation. Model attribu tion techniques aim at attributing the adopted forgery mod els of DeepFakes for provenance purposes and providing ex plainable results to DeepFake forensics. However, the exist ing model attribution techniques rely on the trace left in th DeepFake creation, which can become futile if such trace were disrupted. Motivated by our observation that certai traces served for model attribution appeared in both the high frequency and low-frequency domains and play a divergen role in model attribution. In this work, for the first time, w propose a novel training-free evasion attack, TraceEvader in the most practical non-box setting. Specifically, TraceE vader injects a universal imitated traces learned from wil DeepFakes into the high-frequency component and intro duces adversarial blur into the domain of the low-frequenc component, where the added distortion confuses the extrac tion of certain traces for model attribution. The comprehen sive evaluation on 4 state-of-the-art (SOTA) model attributio techniques and fake images generated by 8 generative model including generative adversarial networks (GANs) and dif fusion models (DMs) demonstrates the effectiveness of ou method. Overall, our TraceEvader achieves the highest av erage attack success rate of 79% and is robust against imag transformations and dedicated denoising techniques as wel where the average attack success rate is still around 75% Our TraceEvader confirms the limitations of current mode attribution techniques and calls the attention of DeepFake re searchers and practitioners for more robust-purpose model at tribution techniques.