人脸深度伪造主动防御技术综述

瞿左珉; 殷琪林; 盛紫琦; 吴俊彦; 张博林; 余尚戎; 卢伟

doi:10.11834/jig.230128

数字媒体深度伪造与对抗 | 浏览量 : 0 下载量: 9 CSCD: 0

PDF
导出
分享
收藏
专辑

人脸深度伪造主动防御技术综述
Overview of Deepfake proactive defense techniques
2024年29卷第2期页码：318-342
纸质出版日期： 2024-02-16 ，
DOI： 10.11834/jig.230128
稿件说明：

移动端阅览

瞿左珉，殷琪林，盛紫琦，吴俊彦，张博林，余尚戎，卢伟. 2024. 人脸深度伪造主动防御技术综述. 中国图象图形学报， 29(02):0318-0342

Qu Zuomin， Yin Qilin， Sheng Ziqi， Wu Junyan， Zhang Bolin， Yu Shangrong， Lu Wei. 2024. Overview of Deepfake proactive defense techniques. Journal of Image and Graphics， 29(02):0318-0342
瞿左珉，殷琪林，盛紫琦，吴俊彦，张博林，余尚戎，卢伟. 2024. 人脸深度伪造主动防御技术综述. 中国图象图形学报， 29(02):0318-0342 DOI： 10.11834/jig.230128.

Qu Zuomin， Yin Qilin， Sheng Ziqi， Wu Junyan， Zhang Bolin， Yu Shangrong， Lu Wei. 2024. Overview of Deepfake proactive defense techniques. Journal of Image and Graphics， 29(02):0318-0342 DOI： 10.11834/jig.230128.

摘要

深度生成模型的飞速发展推动了人脸深度伪造技术的进步，以Deepfake为代表的深度伪造模型也得到了十分广泛的应用。深度伪造技术可以对人脸图像或视频进行有目的的操纵，一方面，这种技术广泛应用于电影特效、娱乐场景中，丰富了人们的娱乐生活，促进了互联网多媒体的传播；另一方面，深度伪造也应用于一些可能造成不良影响的场景，给公民的名誉权、肖像权造成了危害，同时也给国家安全和社会稳定带来了极大的威胁，因此对深度伪造防御技术的研究日益迫切。现有的防御技术主要分为被动检测和主动防御，而被动检测的方式无法消除伪造人脸在广泛传播中造成的影响，难以做到“事前防御”，因此主动防御的思想得到了研究人员的广泛关注。然而，目前学术界有关深度伪造防御的综述主要关注基于检测的被动式防御方法，几乎没有以深度伪造主动防御技术为重点的综述。基于此，本文对当前学术界提出的人脸深度伪造主动防御技术进行梳理、总结和讨论。首先阐述了深度伪造主动防御的提出背景和主要思想，并对现有的人脸深度伪造主动防御算法进行汇总和归类，然后对各类主动防御算法的技术原理、性能、优缺点等进行了系统性的总结，同时介绍了研究常用的数据集和评估方法，最后对深度伪造主动防御所面临的技术挑战进行了分析，对其未来的发展方向展开了思考和讨论。

Abstract

With the development of the generative adversarial network （GAN） technology in recent years， facial manipulation technology has advanced significantly in both academia and industry. In particular， the deep face forgery model， represented by Deepfake has been widely used on the internet. The term “Deepfake” is a portmanteau of “deep learning” and “fake”. It refers to a face modification technology based on deep learning that can modify faces in videos and images， including face swapping， face expression editing， and face attribute editing. Deepfake can be roughly divided into two categories： identity-agnostic and identity-related manipulations. Face swapping is classified under identity-related manipulation； it aims to replace the target face area with the original face. Meanwhile， face expression and face attribute editing are classified under identity-agnostic manipulation. They attempt to modify the attributes of a face， such as its expression， hair color， age， and gender， without transforming identity. On the one hand， Deepfake technology has been widely used in film special effects， advertising， and entertainment apps. For example， some films have achieved more realistic and low-cost special effects by using such technology. For customers， the model on screen can be personalized in accordance with their body dimensions， color， and hair type before purchasing products. Simultaneously， Deepfake has inspired an increasing number of entertainment applications， such as ZAO， MeituXiuxiu， and FaceApp， which have considerably lowered the threshold of using this technology. Through these applications， users can easily replace the faces of actors in movies or television dramas with their own faces or change their hair color or makeup at will. On the other hand， Deepfake forgery is currently being applied to some scenarios that may cause adverse effects. For example， one of the most notorious Deepfake applications， DeepNude， attempts to replace the face of a porn actor with one of a star， causing serious damage to the individual privacy and even the personal reputation of citizens. In addition， Deepfake with target attributes may pass the verification of commercial applications， threatening application security and harming the property of the person who has been impersonated. To date， the fake news in which a politician speaks a speech that does not belong to him/her also poses a serious threat to social stability and national security. On this basis， some defense methods of Deepfake forgery have been proposed. Existing defense technologies can be roughly divided into two categories： passive defense and proactive defense. Passive defense is primarily based on detection. Despite their considerable accuracy， these detectors are simply passive measures against Deepfake attacks because they cannot eliminate the negative effects of the fake content that has been generated and widely disseminated. In summary， achieving prior defense is difficult and cannot intervene in the generation of Deepfake faces. Therefore， current mainstream belief assumes that proactive defense techniques are more defensive and practical. In contrast with passive defense， proactive defense disrupts Deepfake proactively by adding special adversarial perturbations or watermarks to the source images or videos before they are shared online. When a malicious user attempts to use them for Deepfake forgery， the output of the Deepfake forgery model will be seriously damaged in terms of visual quality and cannot be successfully forged. Moreover， even if indistinguishable fake images are obtained， we can trace the source through the forged images to find the malicious user. The present study principally reviews currently available Deepfake proactive defense techniques. Our overview is focused on the following perspectives： 1） a brief introduction of Deepfake forgery technologies and their effects； 2） a systematic summary of current proactive defense algorithms for Deepfake forgery， including technical principles， classification， performance， datasets， and evaluation methods； and 3） a description of the challenges faced by Deepfake proactive defense and a discussion of its future directions. From the perspective of the defense target， Deepfake forgery proactive defense can be divided into proactive disruption and proactive forensics defense technologies. Proactive disruption defense technology can be subdivided from the point of view of technical implementation into data poisoning， adversarial attack， and latent space defense methods. The data poisoning defense method destroys Deepfake forgery during the training stage， requiring the faker to use the poisoned images as training data to train the Deepfake forgery model. Meanwhile， forgery destruction of the adversarial attack defense method works in the test stage. When the faker uses the well-trained Deepfake forgery model to manipulate face images with adversarial perturbations， the output image will be destroyed. This idea of defense based on adversarial attack is the most widely used in existing studies. When implementing latent space defense methods， perturbations are not added directly to an image. By contrast， an image is first mapped into latent space， and this mapping is implemented with an elaborate transformation， such that the image is protected from the threat of Deepfake forgery. Notably， this method relies heavily on the effect of GAN inversion technology. We then provide a brief introduction of the evaluation methods and datasets used in proactive defense. The evaluation of a defense technology is typically performed from two aspects： the effect of disrupting the output of the Deepfake forgery model and the effect of maintaining the visual quality of disturbed images. These technologies are generally evaluated in terms of pixel distance， feature distance， and attack success rate. Simultaneously， some commonly used facial indicators， such as structural similarity index measure， Frechet inception distance， and normalization mean error， are considered during evaluation. Finally， we expound the challenges faced by Deepfake proactive defense， including the circumvention of proactive defense， the improvement of performance in black box scenarios， and practicality issues. In addition， we look forward to the future directions of proactive defense. More robust performance and better visual quality are identified as two major concerns. In conclusion， our survey summarizes the principal concept and classification of Deepfake proactive defense and provides detailed explanations of various methods， evaluation metrics， commonly used datasets， major challenges， and prospects. We hope that it will serve as an introduction and guide for Deepfake proactive defense research.

关键词

人脸深度伪造人脸深度伪造防御主动防御对抗攻击生成对抗网络（GAN）深度学习

Keywords

Deepfake forgeryDeepfake defenseproactive defenseadversarial attackgenerative adversarial network（GAN）deep learning

references

Abdal R， Qin Y P and Wonka P. 2019. Image2StyleGAN： how to embed images into the StyleGAN latent space?//Proceedings of 2019 IEEE/CVF International Conference on Computer Vision. Seoul， Korea （South）： IEEE： 4431-4440 ［DOI： 10.1109/ICCV.2019.00453http://dx.doi.org/10.1109/ICCV.2019.00453］

Ahmed S R， Sonuç E， Ahmed M R and Duru A D. 2022. Analysis survey on deepfake detection and recognition with convolutional neural networks//Proceedings of 2022 International Congress on Human-Computer Interaction， Optimization and Robotic Applications. Ankara， Turkey： IEEE： 1-7 ［DOI： 10.1109/HORA55278.2022.9799858http://dx.doi.org/10.1109/HORA55278.2022.9799858］

Bashkirova D， Usman B and Saenko K. 2019. Adversarial self-defense for cycle-consistent GANs//Proceedings of the 33rd International Conference on Neural Information Processing Systems. Vancouver， Canada： Curran Associates Inc.： 637-647

Cao S H， Liu X H， Mao X Q and Zou Q. 2022. A review of human face forgery and forgery-detection technologies. Journal of Image and Graphics， 27（4）： 1023-1038

曹申豪，刘晓辉，毛秀青，邹勤. 2022. 人脸伪造及检测技术综述. 中国图象图形学报， 27（4）： 1023-1038 ［DOI： 10.11834/jig.200466http://dx.doi.org/10.11834/jig.200466］

Chakraborty A， Alam M， Dey V， Chattopadhyay A and Mukhopadhyay D. 2018. Adversarial attacks and defences： a survey ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1810.00069.pdfhttps://arxiv.org/pdf/1810.00069.pdf

Chen J Y， Zou J F， Su M M and Zhang L Y. 2020. Poisoning attack and defense on deep learning model： a survey. Journal of Cyber Security， 5（4）： 14-29

陈晋音，邹健飞，苏蒙蒙，张龙源. 2020. 深度学习模型的中毒攻击与防御综述. 信息安全学报， 5（4）： 14-29 ［DOI： 10.19363/J.cnki.cn10-1380/tn.2020.07.02http://dx.doi.org/10.19363/J.cnki.cn10-1380/tn.2020.07.02］

Chen R W， Chen X H， Ni B B and Ge Y H. 2020. SimSwap： an efficient framework for high fidelity face swapping//Proceedings of the 28th ACM International Conference on Multimedia. Seattle， USA： ACM： 2003-2011 ［DOI： 10.1145/3394171.3413630http://dx.doi.org/10.1145/3394171.3413630］

Chen Z K， Xie L X， Pang S M， He Y and Zhang B. 2021. MagDR： mask-guided detection and reconstruction for defending deepfakes//Proceedings of 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Nashville， USA： IEEE： 9010-9019 ［DOI： 10.1109/CVPR46437.2021.00890http://dx.doi.org/10.1109/CVPR46437.2021.00890］

Choi Y， Choi M， Kim M， Ha J W， Kim S and Choo J. 2018. StarGAN： unified generative adversarial networks for multi-domain image-to-image translation//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City， USA： IEEE： 8789-8797 ［DOI： 10.1109/CVPR.2018.00916http://dx.doi.org/10.1109/CVPR.2018.00916］

Deng J K， Guo J， Yang J， Xue N N， Kotsia I and Zafeiriou S. 2022. ArcFace： additive angular margin loss for deep face recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence， 44（10）： 5962-5979 ［DOI： 10.1109/TPAMI.2021.3087709http://dx.doi.org/10.1109/TPAMI.2021.3087709］

Dong J H， Wang Y， Lai J H and Xie X H. 2022. Restricted black-box adversarial attack against DeepFake face swapping ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/2204.12347.pdfhttps://arxiv.org/pdf/2204.12347.pdf

Fu S P， He F X， Liu Y， Shen L and Tao D C. 2022. Robust unlearnable examples： protecting data against adversarial learning ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2203.14533.pdfhttps://arxiv.org/pdf/2203.14533.pdf

Gandhi A and Jain S. 2020. Adversarial perturbations fool deepfake detectors ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2003.10596.pdfhttps://arxiv.org/pdf/2003.10596.pdf

Gaur L. 2022. DeepFakes： Creation， Detection， and Impact. Boca Raton： CRC Press ［DOI：10.1201/9781003231493http://dx.doi.org/10.1201/9781003231493］

Goodfellow I J， Shlens J and Szegedy C. 2015. Explaining and harnessing adversarial examples ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/1412.6572.pdfhttps://arxiv.org/pdf/1412.6572.pdf

Guan W N， He Z W， Wang W， Dong J and Peng B. 2022. Defending against Deepfakes with ensemble adversarial perturbation//Proceedings of the 26th International Conference on Pattern Recognition. Montreal， Canada： IEEE： 1952-1958 ［DOI： 10.1109/ICPR56361.2022.9956501http://dx.doi.org/10.1109/ICPR56361.2022.9956501］

Gulrajani I， Ahmed F， Arjovsky M， Dumoulin V and Courville A. 2017. Improved training of Wasserstein GANs ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1704.00028.pdfhttps://arxiv.org/pdf/1704.00028.pdf

He K K， Wang Z X， Fu Y W， Feng R， Jiang Y G and Xue X Y. 2017. Adaptively weighted multi-task deep network for person attribute classification//Proceedings of the 25th ACM International Conference on Multimedia. Mountain View， USA： ACM： 1636-1644 ［DOI： 10.1145/3123266.3123424http://dx.doi.org/10.1145/3123266.3123424］

He Z L， Zuo W M， Kan M N， Shan S G and Chen X L. 2019. AttGAN： facial attribute editing by only changing what you want. IEEE Transactions on Image Processing， 28（11）： 5464-5478 ［DOI： 10.1109/TIP.2019.2916751http://dx.doi.org/10.1109/TIP.2019.2916751］

He Z W， Wang W， Dong J and Tan T N. 2022a. Transferable sparse adversarial attack ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2105.14727.pdfhttps://arxiv.org/pdf/2105.14727.pdf

He Z W， Wang W， Guan W N， Dong J and Tan T N. 2022b. Defeating DeepFakes via adversarial visual reconstruction//Proceedings of the 30th ACM International Conference on Multimedia. Lisboa， Portugal： ACM： 2464-2472 ［DOI： 10.1145/3503161.3547923http://dx.doi.org/10.1145/3503161.3547923］

Heusel M， Ramsauer H， Unterthiner T， Nessler B and Hochreiter S. 2018. GANs trained by a two time-scale update rule converge to a local Nash equilibrium ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1706.08500.pdfhttps://arxiv.org/pdf/1706.08500.pdf

Hu S， Li Y Z and Lyu S W. 2020. Exposing GAN-generated faces using inconsistent corneal specular highlights ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2009.11924.pdfhttps://arxiv.org/pdf/2009.11924.pdf

Huang G B， Ramesh M， Berg T， and Learned-Miller E. 2007. Labeled Faces in the wild： a Database for Studying Face Recognition in Unstrained Environments. Rep-07-49. University of Massachusetts， Amherst， Tech.

Huang H， Wang Y T， Chen Z Y， Zhang Y Z， Li Y H， Tang Z， Chu W， Chen J D， Lin W S and Ma K K. 2022. CMUA-watermark： a cross-model universal adversarial watermark for combating deepfakes. Proceedings of the AAAI Conference on Artificial Intelligence， 36（1）： 989-997 ［DOI： 10.1609/aaai.v36i1.19982http://dx.doi.org/10.1609/aaai.v36i1.19982］

Huang Q D， Zhang J， Zhou W B， Zhang W M and Yu N H. 2021. Initiative defense against facial manipulation. Proceedings of the AAAI Conference on Artificial Intelligence， 35（2）： 1619-1627 ［DOI： 10.1609/aaai.v35i2.16254http://dx.doi.org/10.1609/aaai.v35i2.16254］

Hussain S， Neekhara P， Dolhansky B， Bitton J， Ferrer C C， McAuley J and Koushanfar F. 2022. Exposing vulnerabilities of deepfake detection systems with robust attacks. Digital Threats： Research and Practice， 3（3）： #3464307 ［DOI： 10.1145/3464307http://dx.doi.org/10.1145/3464307］

Isola P， Zhu J Y， Zhou T H and Efros A A. 2017. Image-to-image translation with conditional adversarial networks//Proceedings of 2017 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Honolulu， USA： IEEE： 5967-5976 ［DOI： 10.1109/CVPR.2017.632http://dx.doi.org/10.1109/CVPR.2017.632］

Jourabloo A and Liu X M. 2015. Pose-invariant 3D face alignment//Proceedings of 2015 IEEE International Conference on Computer Vision. Santiago， Chile： IEEE： 3694-3702 ［DOI： 10.1109/ICCV.2015.421http://dx.doi.org/10.1109/ICCV.2015.421］

Karras T， Aila T， Laine S and Lehtinen J. 2018. Progressive growing of GANs for improved quality， stability， and variation ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1710.10196.pdfhttps://arxiv.org/pdf/1710.10196.pdf

Karras T， Laine S and Aila T. 2019. A style-based generator architecture for generative adversarial networks//Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Long Beach， USA： IEEE： 4396-4405 ［DOI： 10.1109/CVPR.2019.00453http://dx.doi.org/10.1109/CVPR.2019.00453］

Karras T， Laine S， Aittala M， Hellsten J， Lehtinen J and Aila T. 2020. Analyzing and improving the image quality of StyleGAN ［EB/OL］. ［2023-07-25］. https://arxiv.org/pdf/1912.04958.pdfhttps://arxiv.org/pdf/1912.04958.pdf

Kingma D P and Welling M. 2022. Auto-encoding variational Bayes ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/1312.6114.pdfhttps://arxiv.org/pdf/1312.6114.pdf

Kos J， Fischer I and Song D. 2018. Adversarial examples for generative models//Proceedings of 2018 IEEE Security and Privacy Workshops. San Francisco， USA： IEEE： 36-42 ［DOI： 10.1109/SPW.2018.00014http://dx.doi.org/10.1109/SPW.2018.00014］

Kurakin A， Goodfellow I J and Bengio S. 2017. Adversarial machine learning at scale ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1611.01236.pdfhttps://arxiv.org/pdf/1611.01236.pdf

Lee C H， Liu Z W， Wu L Y and Luo P. 2020. MaskGAN： towards diverse and interactive facial image manipulation//Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Seattle， USA： IEEE： 5548-5557 ［DOI： 10.1109/CVPR42600.2020.00559http://dx.doi.org/10.1109/CVPR42600.2020.00559］

Lee K， Lee K， Lee H and Shin J. 2018. A simple unified framework for detecting out-of-distribution samples and adversarial attacks ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1807.03888.pdfhttps://arxiv.org/pdf/1807.03888.pdf

Li L Z， Bao J M， Yang H， Chen D and Wen F. 2020a. Faceshifter： towards high fidelity and occlusion aware face swapping ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/1912.13457.pdfhttps://arxiv.org/pdf/1912.13457.pdf

Li S S， Zhu S T， Paul S， Roy-Chowdhury A， Song C Y， Krishnamurthy S， Swami A and Chan K S. 2020b. Connecting the dots： detecting adversarial perturbations using context inconsistency//Proceedings of the 16th European Conference on Computer Vision. Glasgow， UK： Springer： 396-413 ［DOI： 10.1007/978-3-030-58592-1_24http://dx.doi.org/10.1007/978-3-030-58592-1_24］

Li X Y， Zhang S C， Hu J， Cao L J， Hong X P， Mao X D， Huang F Y， Wu Y J and Ji R R. 2021. Image-to-image translation via hierarchical style disentanglement//Proceedings of 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Nashville， USA： IEEE： 8635-8644 ［DOI： 10.1109/CVPR46437.2021.00853http://dx.doi.org/10.1109/CVPR46437.2021.00853］

Li Y， Bian S， Wang C T and Lu W. 2023. CNN and Transformer-coordinated deepfake detection. Journal of Image and Graphics， 28（3）： 804-819

李颖，边山，王春桃，卢伟. 2023. CNN结合Transformer的深度伪造高效检测. 中国图象图形学报， 28（3）： 804-819 ［DOI： 10.11834/jig.220519http://dx.doi.org/10.11834/jig.220519］

Li Y Z， Yang X， Sun P， Qi H G and Lyu S W. 2020c. Celeb-DF： a large-scale challenging dataset for DeepFake forensics//Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Seattle， USA： IEEE： 3204-3213 ［DOI： 10.1109/CVPR42600.2020.00327http://dx.doi.org/10.1109/CVPR42600.2020.00327］

Li Y Z， Yang X， Wu B Y and Lyu S W. 2019. Hiding faces in plain sight： disrupting AI face synthesis with adversarial perturbations ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/1906.09288.pdfhttps://arxiv.org/pdf/1906.09288.pdf

Li Z， Yu N， Salem A， Backes M， Fritz M and Zhang Y. 2023. UnGANable： defending against GAN-based face manipulation ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2210.00957.pdfhttps://arxiv.org/pdf/2210.00957.pdf

Lin Y Z， Chen H， Maiorana E， Campisi P and Li B. 2022. Source-ID-Tracker： source face identity protection in face swapping//Proceedings of 2022 IEEE International Conference on Multimedia and Expo. Taipei， China： IEEE： 1-6 ［DOI： 10.1109/ICME52920.2022.9859600http://dx.doi.org/10.1109/ICME52920.2022.9859600］

Liu M， Ding Y K， Xia M， Liu X， Ding E R， Zuo W M and Wen S L. 2019. STGAN： a unified selective transfer network for arbitrary image attribute editing//Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Long Beach， USA： IEEE： 3668-3677 ［DOI： 10.1109/CVPR.2019.00379http://dx.doi.org/10.1109/CVPR.2019.00379］

Liu Z W， Luo P， Wang X G and Tang X O. 2015. Deep learning face attributes in the wild//Proceedings of 2015 IEEE International Conference on Computer Vision. Santiago， Chile： IEEE： 3730-3738 ［DOI： 10.1109/ICCV.2015.425http://dx.doi.org/10.1109/ICCV.2015.425］

Ma X J， Li B， Wang Y S， Erfani S M， Wijewickrema S， Schoenebeck G， Song D， Houle M E and Bailey J. 2018. Characterizing adversarial subspaces using local intrinsic dimensionality ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1801.02613.pdfhttps://arxiv.org/pdf/1801.02613.pdf

Madry A， Makelov A， Schmidt L， Tsipras D and Vladu A. 2019. Towards deep learning models resistant to adversarial attacks ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/1706.06083.pdfhttps://arxiv.org/pdf/1706.06083.pdf

Metzen J H， Genewein T， Fischer V and Bischoff B. 2017. On detecting adversarial perturbations ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1702.04267.pdfhttps://arxiv.org/pdf/1702.04267.pdf

Mirsky Y and Lee W. 2020. The creation and detection of deepfakes： a survey ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2004.11138.pdfhttps://arxiv.org/pdf/2004.11138.pdf

Mirza M and Osindero S. 2014. Conditional generative adversarial nets ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/1411.1784.pdfhttps://arxiv.org/pdf/1411.1784.pdf

Mittal A， Moorthy A K and Bovik A C. 2012. No-reference image quality assessment in the spatial domain. IEEE Transactions on Image Processing， 21（12）： 4695-4708 ［DOI： 10.1109/TIP.2012.2214050http://dx.doi.org/10.1109/TIP.2012.2214050］

Mustafa A， Khan S H， Hayat M， Shen J B and Shao L. 2020. Image super-resolution as a defense against adversarial attacks. IEEE Transactions on Image Processing， 29： 1711-1724 ［DOI： 10.1109/TIP.2019.2940533http://dx.doi.org/10.1109/TIP.2019.2940533］

Nguyen T T， Nguyen Q V H， Nguyen D T， Nguyen D T， Huynh-The T， Nahavandi S， Nguyen T T， Pham Q V and Nguyen C M. 2022. Deep learning for deepfakes creation and detection： a survey ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1909.11573.pdfhttps://arxiv.org/pdf/1909.11573.pdf

Nirkin Y， Keller Y and Hassner T. 2019. FSGAN： subject agnostic face swapping and reenactment//Proceedings of 2019 IEEE/CVF International Conference on Computer Vision. Seoul， Korea （South）： IEEE： 7183-7192 ［DOI： 10.1109/ICCV.2019.00728http://dx.doi.org/10.1109/ICCV.2019.00728］

Papernot N and McDaniel P. 2018. Deep k-nearest neighbors： towards confident， interpretable and robust deep learning ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1803.04765.pdfhttps://arxiv.org/pdf/1803.04765.pdf

Perov I， Gao D H， Chervoniy N， Liu K L， Marangonda S， Umé C， Jiang J， Luis R P， Zhang S， Wu P Y and Zhang W M. 2021. DeepFaceLab： integrated， flexible and extensible face-swapping framework ［EB/OL］. ［2023-07-25］. https://arxiv.org/pdf/2005.05535.pdfhttps://arxiv.org/pdf/2005.05535.pdf

Pumarola A， Agudo A， Martinez A M， Sanfeliu A and Moreno-Noguer F. 2018. GANimation： anatomically-aware facial animation from a single image//Proceedings of the 15th European Conference on Computer Vision. Munich， Germany： Springer： 835-851 ［DOI： 10.1007/978-3-030-01249-6_50http://dx.doi.org/10.1007/978-3-030-01249-6_50］

Radford A， Metz L and Chintala S. 2016. Unsupervised representation learning with deep convolutional generative adversarial networks ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1511.06434.pdfhttps://arxiv.org/pdf/1511.06434.pdf

Rössler A， Cozzolino D， Verdoliva L， Riess C， Thies J and Niessner M. 2019. FaceForensics ++： learning to detect manipulated facial images//Proceedings of 2019 IEEE/CVF International Conference on Computer Vision. Seoul， Korea （South）： IEEE： 1-11 ［DOI： 10.1109/ICCV.2019.00009http://dx.doi.org/10.1109/ICCV.2019.00009］

Ruiz N， Bargal S A and Sclaroff S. 2020. Disrupting Deepfakes： adversarial attacks against conditional image translation networks and facial manipulation systems//Proceedings of the 16th European Conference on Computer Vision. Glasgow， UK： Springer： 236-251 ［DOI： 10.1007/978-3-030-66823-5_14http://dx.doi.org/10.1007/978-3-030-66823-5_14］

Samangouei P， Kabkab M and Chellappa R. 2018. Defense-GAN： protecting classifiers against adversarial attacks using generative models ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1805.06605.pdfhttps://arxiv.org/pdf/1805.06605.pdf

Segalis E and Galili E. 2020. OGAN： disrupting deepfakes with an adversarial attack that survives training ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/2006.12247.pdfhttps://arxiv.org/pdf/2006.12247.pdf

Sun P， Li Y Z， Qi H G and Lyu S W， 2020. Landmark breaker： obstructing DeepFake by disturbing Landmark extraction//Proceedings of 2020 IEEE International Workshop on Information Forensics and Security. New York， USA： IEEE： 1-6 ［DOI： 10.1109/WIFS49906.2020.9360910http://dx.doi.org/10.1109/WIFS49906.2020.9360910］

Sun P， Li Y Z， Qi H G and Lyu S W. 2022a. Faketracer： exposing deepfakes with training data contamination//Proceedings of 2022 IEEE International Conference on Image Processing. Bordeaux， France： IEEE： 1161-1165 ［DOI： 10.1109/ICIP46576.2022.9897756http://dx.doi.org/10.1109/ICIP46576.2022.9897756］

Sun W， Jin J and Lin W S. 2022b. Minimum noticeable difference based adversarial privacy preserving image generation ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2206.08638.pdfhttps://arxiv.org/pdf/2206.08638.pdf

Szegedy C， Vanhoucke V， Ioffe S， Shlens J and Wojna Z. 2016. Rethinking the inception architecture for computer vision//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas， USA： IEEE： 2818-2826 ［DOI： 10.1109/CVPR.2016.308http://dx.doi.org/10.1109/CVPR.2016.308］

Tabacof P， Tavares J and Valle E. 2016. Adversarial images for variational autoencoders ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1612.00155v1.pdfhttps://arxiv.org/pdf/1612.00155v1.pdf

Talebi H and Milanfar P. 2018. NIMA： neural image assessment. IEEE Transactions on Image Processing， 27（8）： 3998-4011 ［DOI： 10.1109/TIP.2018.2831899http://dx.doi.org/10.1109/TIP.2018.2831899］

Tang H， Xu D， Sebe N and Yan Y. 2019. Attention-guided generative adversarial networks for unsupervised image-to-image translation//Proceedings of 2019 International Joint Conference on Neural Networks. Budapest， Hungary： IEEE： 1-8 ［DOI： 10.1109/IJCNN.2019.8851881http://dx.doi.org/10.1109/IJCNN.2019.8851881］

Thies J， Zollhöfer M and Nießner M. 2019. Deferred neural rendering： image synthesis using neural textures. ACM Transactions on Graphics， 38（4）： #66 ［DOI： 10.1145/3306346.3323035http://dx.doi.org/10.1145/3306346.3323035］

Thies J， Zollhöfer M， Stamminger M， Theobalt C and Nießner M. 2020. Face2Face： real-time face capture and reenactment of RGB videos ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2007.14808.pdfhttps://arxiv.org/pdf/2007.14808.pdf

Tripathy S， Kannala J and Rahtu E. 2020. ICface： interpretable and controllable face reenactment using GANs//Proceedings of 2020 IEEE Winter Conference on Applications of Computer Vision. Snowmass， USA： IEEE： 3374-3383 ［DOI： 10.1109/WACV45572.2020.9093474http://dx.doi.org/10.1109/WACV45572.2020.9093474］

Wang L， Cho W and Yoon K J. 2020. Deceiving image-to-image translation networks for autonomous driving with adversarial perturbations. IEEE Robotics and Automation Letters， 5（2）： 1421-1428 ［DOI： 10.1109/LRA.2020.2967289http://dx.doi.org/10.1109/LRA.2020.2967289］

Wang R， Huang Z H， Chen Z K， Liu L， Chen J and Wang L N. 2022. Anti-Forgery： towards a stealthy and robust DeepFake disruption attack via adversarial perceptual-aware perturbations ［EB/OL］. ［2023-02-23］. https://arxiv.org/pdf/2206.00477.pdfhttps://arxiv.org/pdf/2206.00477.pdf

Wang R， Juefei-Xu F， Luo M， Liu Y and Wang L N. 2021a. FakeTagger： robust safeguards against DeepFake dissemination via provenance tracking//Proceedings of the 29th ACM International Conference on Multimedia. Virtual Event， China： ACM： 3546-3555 ［DOI： 10.1145/3474085.3475518http://dx.doi.org/10.1145/3474085.3475518］

Wang R Y， Chu B L， Yang Z and Zhou L N. 2022. An overview of visual DeepFake detection techniques. Journal of Image and Graphics， 27（1）： 43-62

王任颖，储贝林，杨震，周琳娜. 2022. 视觉深度伪造检测技术综述. 中国图象图形学报， 27（1）： 43-62 ［DOI： 10.11834/jig.210410http://dx.doi.org/10.11834/jig.210410］

Wang T C， Liu M Y， Zhu J Y， Tao A， Kautz J and Catanzaro B. 2018. High-resolution image synthesis and semantic manipulation with conditional GANs//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City， USA： IEEE： 8798-8807 ［DOI： 10.1109/CVPR.2018.00917http://dx.doi.org/10.1109/CVPR.2018.00917］

Wang Y， Cao T Y， Yang J B， Zheng Y F， Fang Z and Deng X T. 2022. A perturbation constraint related weak perceptual adversarial example generation method. Journal of Image and Graphics， 27（7）： 2287-2299

王杨，曹铁勇，杨吉斌，郑云飞，方正，邓小桐. 2022. 结合扰动约束的低感知性对抗样本生成方法. 中国图象图形学报， 27（7）： 2287-2299 ［DOI： 10.11834/jig.200681http://dx.doi.org/10.11834/jig.200681］

Wang Z， Bovik A C， Sheikh H R and Simoncelli E P. 2004. Image quality assessment： from error visibility to structural similarity. IEEE Transactions on Image Processing， 13（4）： 600-612 ［DOI： 10.1109/TIP.2003.819861http://dx.doi.org/10.1109/TIP.2003.819861］

Wang Z B， Guo H C， Zhang Z F， Liu W X， Qin Z and Ren K. 2021b. Feature importance-aware transferable adversarial attacks//Proceedings of 2021 IEEE/CVF International Conference on Computer Vision. Montreal， Canada： IEEE： 7619-7628 ［DOI： 10.1109/ICCV48922.2021.00754http://dx.doi.org/10.1109/ICCV48922.2021.00754］

Xia W H， Zhang Y L， Yang Y J， Xue J H， Zhou B L and Yang M H. 2023. GAN Inversion： a survey. IEEE Transactions on Pattern Analysis and Machine Intelligence， 45（3）： 3121-3138 ［DOI： 10.1109/TPAMI.2022.3181070http://dx.doi.org/10.1109/TPAMI.2022.3181070］

Yang C F， Ding L， Chen Y R and Li H. 2021. Defending against GAN-based DeepFake attacks via transformation-aware adversarial faces//Proceedings of 2021 International Joint Conference on Neural Networks. Shenzhen， China： IEEE： 1-8 ［DOI： 10.1109/IJCNN52387.2021.9533868http://dx.doi.org/10.1109/IJCNN52387.2021.9533868］

Yang S C， Wang J， Sun Y L and Tang J H. 2022. Multi-level features global consistency for human facial deepfake detection. Journal of Image and Graphics， 27（9）： 2708-2720

杨少聪，王健，孙运莲，唐金辉. 2022. 多级特征全局一致性的伪造人脸检测. 中国图象图形学报， 27（9）： 2708-2720 ［DOI： 10.11834/jig.211254http://dx.doi.org/10.11834/jig.211254］

Yang Y Z， Zhang G， Katabi D and Xu Z. 2019. Me-net： towards effective adversarial robustness with matrix estimation ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/1905.11971.pdfhttps://arxiv.org/pdf/1905.11971.pdf

Yeh C Y， Chen H W， Tsai S L and Wang S D. 2020. Disrupting image-translation-based DeepFake algorithms with adversarial attacks//Proceedings of 2020 IEEE Winter Applications of Computer Vision Workshops. Snowmass， USA： IEEE： 53-62 ［DOI： 10.1109/WACVW50321.2020.9096939http://dx.doi.org/10.1109/WACVW50321.2020.9096939］

Yu N， Skripniuk V， Abdelnabi S and Fritz M. 2020. Artificial GAN fingerprints： rooting deepfake attribution in training data ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2007.08457v3.pdfhttps://arxiv.org/pdf/2007.08457v3.pdf

Zhang C N， Benz P， Lin C G， Karjauv A， Wu J and Kweon I S. 2022. A survey on universal adversarial attack ［EB/OL］. ［2023-03-23］. https://arxiv.org/pdf/2103.01498.pdfhttps://arxiv.org/pdf/2103.01498.pdf

Zhang R， Isola P， Efros A A， Shechtman E and Wang O. 2018. The unreasonable effectiveness of deep features as a perceptual metric//Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City， USA： IEEE： 586-595 ［DOI： 10.1109/CVPR.2018.00068http://dx.doi.org/10.1109/CVPR.2018.00068］

Zhang T. 2022. Deepfake generation and detection， a survey. Multimedia Tools and Applications， 81（5）： 6259-6276 ［DOI： 10.1007/s11042-021-11733-yhttp://dx.doi.org/10.1007/s11042-021-11733-y］

Zhang W X， Ma K D， Yan J， Deng D X and Wang Z. 2020. Blind image quality assessment using a deep bilinear convolutional neural network. IEEE Transactions on Circuits and Systems for Video Technology， 30（1）： 36-47 ［DOI： 10.1109/TCSVT.2018.2886771http://dx.doi.org/10.1109/TCSVT.2018.2886771］

Zhao J J， Wang J W and Wu J F. 2023. Adversarial attack method identification model based on multi-factor compression error. Journal of Image and Graphics， 28（3）： 850-863

赵俊杰，王金伟，吴俊凤. 2023. 基于多质量因子压缩误差的对抗样本攻击方法识别. 中国图象图形学报， 28（3）： 850-863 ［DOI： 10.11834/jig.220516http://dx.doi.org/10.11834/jig.220516］

Zhao Y， Liu B， Ding M， Liu B P， Zhu T Q and Yu X. 2023. Proactive deepfake defence via identity watermarking//Proceedings of 2023 IEEE/CVF Winter Conference on Applications of Computer Visio. Waikoloa， USA： IEEE： 4591-4600 ［DOI： 10.1109/WACV56688.2023.00458http://dx.doi.org/10.1109/WACV56688.2023.00458］

Zhou W B， Zhang W M， Yu N H， Zhao H Q， Liu H G and Wei T Y. 2021. An overview of deepfake forgery and defense techniques. Journal of Signal Processing， 37（12）： 2338-2355

周文柏，张卫明，俞能海，赵汉卿，刘泓谷，韦天一. 2021. 人脸视频深度伪造与防御技术综述. 信号处理， 37（12）： 2338-2355 ［DOI： 10.16798/j.issn.1003-0530.2021.12.007http://dx.doi.org/10.16798/j.issn.1003-0530.2021.12.007］

Zhu J Y， Park T， Isola P and Efros A A. 2017. Unpaired image-to-image translation using cycle-consistent adversarial networks//Proceedings of 2017 IEEE International Conference on Computer Vision. Venice， Italy： IEEE： 2242-2251 ［DOI： 10.1109/ICCV.2017.244http://dx.doi.org/10.1109/ICCV.2017.244］

文章被引用时，请邮件提醒。

提交