Unveiling Bad-Deepfake: Backdoor Attacks on Deepfake Detection

The authors introduce a novel approach, Bad-Deepfake, targeting deepfake detectors with backdoor attacks. Leveraging inherent weaknesses in detection systems, they construct triggers and select influential samples for poisoned datasets.

The study introduces Bad-Deepfake, a pioneering strategy targeting deepfake detectors with backdoor attacks. By exploiting vulnerabilities in detection systems, the authors achieve remarkable success rates against deepfake detectors. The research highlights the importance of trigger construction and sample selection for effective backdoor attacks. Recent advancements in deep generative models have led to the creation of high-quality deepfakes that challenge the integrity of digital media. Despite efforts to develop robust detection mechanisms, vulnerabilities persist, especially against adversarial example attacks during testing phases. The study introduces "Bad-Deepfake," a novel approach using backdoor attacks to manipulate training data and achieve a 100% attack success rate against popular deepfake detectors. The proliferation of deepfakes has raised concerns about disinformation and trustworthiness in digital content. Current research focuses on enhancing technologies to combat deceptive alterations through advanced methodologies centered around deep neural networks (DNNs). However, these methods are susceptible to adversarial attacks targeting neural networks directly, allowing forged images to evade detection mechanisms. The study explores an innovative paradigm by integrating backdoor attacks into deepfake detection strategies. By clandestinely embedding hidden Trojans within DNNs during training phases, attackers can manipulate model predictions with specific triggers. This approach aims to address vulnerabilities in current detection systems and enhance defenses against sophisticated attacks.

Our approach achieves a 100% attack success rate (ASR) against extensively employed deepfake detectors. The mixing ratio r indicates the proportion of poisoned sample volume to clean sample volume. The filtration ratio α is set at 0.3 for the Filtering-and-Updating Strategy (FUS). The step size α determines the magnitude of noise update at each iteration. The benign accuracy (BA) remains high across different attack scenarios.

"Our innovation, Bad-Deepfake, represents a groundbreaking strategy tailored specifically to infiltrate deepfake detection systems through backdoor attacks." "To evaluate the potency of our proposed Bad-Deepfake approach, we rigorously subject it to assessment against the latest deepfake detection models."