A survey of proactive defense techniques against face deep forgery

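Qu Zuomin1,2,3, Yin Qilin1,2,3, Sheng Ziqi1,2,3, Wu Junyan1,2,3, Zhang Bolin1,2,3, Yu Shangrong1,2,3, Lu Wei1,2,3 (1. School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou 510006; 2. Guangdong Province Key Laboratory of Information Security Technology, Guangzhou 510006; 3. Ministry of Education Key Laboratory of Machine Intelligence and Advanced Computing, Guangzhou 510006)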

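Abstract
The rapid development of deep generative models has driven progress in face deep forgery technology, and deep forgery models represented by Deepfake have come into very wide use. Deep forgery technology can purposefully manipulate face images or videos. On the one hand, it is widely used in film special effects and entertainment scenarios, enriching people's entertainment and promoting the spread of internet multimedia. On the other hand, deep forgery is also applied in scenarios that may cause adverse effects, harming citizens' rights of reputation and portrait and posing a great threat to national security and social stability, so research on deep forgery defense techniques is increasingly urgent. Existing defense techniques are mainly divided into passive detection and proactive defense. Passive detection cannot eliminate the impact that forged faces cause once they have spread widely and can hardly achieve "defense in advance", so the idea of proactive defense has received wide attention from researchers. However, current academic surveys on deep forgery defense focus mainly on detection-based passive defense methods, and there is almost no survey that focuses on proactive defense against deep forgery. On this basis, this paper reviews, summarizes, and discusses the proactive defense techniques against face deep forgery proposed in the academic community. It first describes the background and main ideas of proactive defense against deep forgery and collects and categorizes the existing proactive defense algorithms for face deep forgery. It then systematically summarizes the technical principles, performance, strengths, and weaknesses of each class of proactive defense algorithm, and introduces the datasets and evaluation methods commonly used in research. Finally, it analyzes the technical challenges that proactive defense against deep forgery faces and reflects on and discusses its future directions.
Keywords
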
Overview of Deepfake proactive defense techniques

Qu Zuomin1,2,3, Yin Qilin1,2,3, Sheng Ziqi1,2,3, Wu Junyan1,2,3, Zhang Bolin1,2,3, Yu Shangrong1,2,3, Lu Wei1,2,3 (1. School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou 510006, China; 2. Guangdong Province Key Laboratory of Information Security Technology, Guangzhou 510006, China; 3. Ministry of Education Key Laboratory of Machine Intelligence and Advanced Computing, Guangzhou 510006, China)

Abstract
With the development of generative adversarial network (GAN) technology in recent years, facial manipulation technology has advanced significantly in both academia and industry. In particular, the deep face forgery model represented by Deepfake has been widely used on the internet. The term "Deepfake" is a portmanteau of "deep learning" and "fake". It refers to a face modification technology based on deep learning that can modify faces in videos and images, including face swapping, face expression editing, and face attribute editing. Deepfake can be roughly divided into two categories: identity-agnostic and identity-related manipulations. Face swapping is classified under identity-related manipulation; it aims to replace the target face area with the original face. Meanwhile, face expression and face attribute editing are classified under identity-agnostic manipulation. They attempt to modify the attributes of a face, such as its expression, hair color, age, and gender, without transforming identity. On the one hand, Deepfake technology has been widely used in film special effects, advertising, and entertainment apps. For example, some films have achieved more realistic and low-cost special effects by using such technology. For customers, the model on screen can be personalized in accordance with their body dimensions, color, and hair type before purchasing products. Simultaneously, Deepfake has inspired an increasing number of entertainment applications, such as ZAO, MeituXiuxiu, and FaceApp, which have considerably lowered the threshold of using this technology. Through these applications, users can easily replace the faces of actors in movies or television dramas with their own faces or change their hair color or makeup at will.

On the other hand, Deepfake forgery is currently being applied to some scenarios that may cause adverse effects. For example, one of the most notorious Deepfake applications, DeepNude, attempts to replace the face of a porn actor with one of a star, causing serious damage to the individual privacy and even the personal reputation of citizens. In addition, Deepfake with target attributes may pass the verification of commercial applications, threatening application security and harming the property of the person who has been impersonated. To date, fake news in which a politician delivers a speech that is not his or her own also poses a serious threat to social stability and national security. On this basis, some defense methods against Deepfake forgery have been proposed. Existing defense technologies can be roughly divided into two categories: passive defense and proactive defense. Passive defense is primarily based on detection. Despite their considerable accuracy, these detectors are simply passive measures against Deepfake attacks because they cannot eliminate the negative effects of fake content that has already been generated and widely disseminated. In summary, passive defense has difficulty achieving prior defense and cannot intervene in the generation of Deepfake faces. Therefore, the current mainstream belief is that proactive defense techniques are more defensive and practical. In contrast with passive defense, proactive defense disrupts Deepfake proactively by adding special adversarial perturbations or watermarks to the source images or videos before they are shared online. When a malicious user attempts to use them for Deepfake forgery, the output of the Deepfake forgery model will be seriously damaged in terms of visual quality and cannot be successfully forged. Moreover, even if indistinguishable fake images are obtained, we can trace the source through the forged images to find the malicious user. The present study principally reviews currently available Deepfake proactive defense techniques.

Our overview is focused on the following perspectives: 1) a brief introduction of Deepfake forgery technologies and their effects; 2) a systematic summary of current proactive defense algorithms for Deepfake forgery, including technical principles, classification, performance, datasets, and evaluation methods; and 3) a description of the challenges faced by Deepfake proactive defense and a discussion of its future directions. From the perspective of the defense target, Deepfake forgery proactive defense can be divided into proactive disruption and proactive forensics defense technologies. Proactive disruption defense technology can be subdivided, from the point of view of technical implementation, into data poisoning, adversarial attack, and latent space defense methods. The data poisoning defense method destroys Deepfake forgery during the training stage, requiring the faker to use the poisoned images as training data to train the Deepfake forgery model. Meanwhile, the forgery destruction of the adversarial attack defense method works in the test stage. When the faker uses the well-trained Deepfake forgery model to manipulate face images with adversarial perturbations, the output image will be destroyed. This idea of defense based on adversarial attack is the most widely used in existing studies. When implementing latent space defense methods, perturbations are not added directly to an image. Instead, an image is first mapped into latent space, and this mapping is implemented with an elaborate transformation, such that the image is protected from the threat of Deepfake forgery. Notably, this method relies heavily on the effect of GAN inversion technology. We then provide a brief introduction of the evaluation methods and datasets used in proactive defense.

The evaluation of a defense technology is typically performed from two aspects: the effect of disrupting the output of the Deepfake forgery model and the effect of maintaining the visual quality of disturbed images. These technologies are generally evaluated in terms of pixel distance, feature distance, and attack success rate. Simultaneously, some commonly used facial indicators, such as structural similarity index measure, Fréchet inception distance, and normalization mean error, are considered during evaluation. Finally, we expound the challenges faced by Deepfake proactive defense, including the circumvention of proactive defense, the improvement of performance in black box scenarios, and practicality issues. In addition, we look forward to the future directions of proactive defense. More robust performance and better visual quality are identified as two major concerns. In conclusion, our survey summarizes the principal concept and classification of Deepfake proactive defense and provides detailed explanations of various methods, evaluation metrics, commonly used datasets, major challenges, and prospects. We hope that it will serve as an introduction and guide for Deepfake proactive defense research.
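
The two-aspect evaluation described in the abstract, as an added example that is not taken from the paper: it scores each protected image on output disruption (pixel distance between the forgery model's outputs) and on visual quality (PSNR against the clean image), then reports a success rate. The stand-in model `toy_forgery_model`, both thresholds, and the four-pixel sample images are assumptions constructed for illustration.

```python
import math

def mse(a, b):
    """Mean squared pixel distance between two images (flat lists in [0, 1])."""
    return sum((p - q) ** 2 for p, q in zip(a, b)) / len(a)

def psnr(a, b):
    """Peak signal-to-noise ratio in dB for images scaled to [0, 1]."""
    m = mse(a, b)
    return math.inf if m == 0 else 10 * math.log10(1.0 / m)

def toy_forgery_model(img):
    """Hypothetical stand-in for a forgery model: a steep contrast curve."""
    return [min(1.0, max(0.0, 0.5 + 10.0 * (p - 0.5))) for p in img]

def evaluate(pairs, model, disrupt_thresh=0.05, min_psnr=30.0):
    """Score (clean, protected) pairs on both evaluation aspects.

    A protection counts as successful only if the forged output is disrupted
    (output MSE >= disrupt_thresh) AND the protected image stays visually
    close to the clean one (PSNR >= min_psnr). Both thresholds are assumed.
    """
    rows = []
    for clean, protected in pairs:
        output_mse = mse(model(clean), model(protected))
        input_psnr = psnr(clean, protected)
        rows.append({
            "output_mse": output_mse,
            "input_psnr": input_psnr,
            "success": output_mse >= disrupt_thresh and input_psnr >= min_psnr,
        })
    rate = sum(r["success"] for r in rows) / len(rows)
    return rows, rate

# Constructed sample data: one clean image and three candidate protections.
CLEAN = [0.45, 0.50, 0.55, 0.50]
SAMPLE_PAIRS = [
    (CLEAN, [0.48, 0.47, 0.58, 0.47]),      # small perturbation, output disrupted
    (CLEAN, [0.451, 0.499, 0.551, 0.499]),  # too weak: output barely changes
    (CLEAN, [0.55, 0.40, 0.65, 0.40]),      # disrupts output but visibly distorts
]

if __name__ == "__main__":
    rows, rate = evaluate(SAMPLE_PAIRS, toy_forgery_model)
    for r in rows:
        print(f"{r['output_mse']:.4f} {r['input_psnr']:.1f} dB {r['success']}")
    print(f"defense success rate: {rate:.2f}")
```

The third pair shows why both aspects are measured together: it disrupts the output more than the first pair does, yet fails because the protected image itself is visibly degraded.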
Keywords
