Abstract: Although the face attribute editing forgery active defense method based on generative adversarial network (GAN) generates adversarial perturbations faster than the gradient attackbased methods, existing methods still fail in balancing the proactive defense effect with the imperceptibility of generated perturbations. Therefore, this paper proposed a highly imperceptible proactive defense method against face attribute editing based on GAN. To enhance the imperceptibility of the perturbations, the method designed a highfrequency information compensation mechanism to enable the generator to generate more highfrequency perturbations that are less sensitive to the human eye. To improve the proactive defense performance of generated perturbations, the proposed method also designed a multilevel dense connection mechanism for reducing semantic loss during the encoding process. Meanwhile, the method introduced face saliency adversarial loss in training stage to enable perturbations to disrupt face forgery areas better. The experiments were conducted in both singlemodel and crossmodel defense scenarios. The results indicate that compared to existing methods, the proposed method generates more imperceptible adversarial perturbations and obtains high success rates for defending against target models.

Key words: deepfake, adversarial example, proactive defense, generative adversarial network, imperceptibility

摘要： 尽管基于生成对抗网络(generative adversarial network, GAN)的人脸属性编辑伪造主动防御方法比基于梯度攻击的方法生成对抗扰动速度更快，但现有这类方法仍未很好平衡生成扰动的主动防御性能与不可感知性.因此，基于GAN提出了一种不可感知的人脸属性编辑伪造主动防御方法.该方法设计了一种高频信息补偿机制，使生成器生成更多人眼更不敏感的高频扰动，以提升扰动的不可感知性，并设计了一种多级密集连接机制，减少编码的语义损失以增强主动防御性能.同时，该方法在训练中引入了人脸显著性对抗损失，使扰动更好地破坏人脸伪造区域.在单模型和跨模型防御场景下分别进行了实验.结果表明，该方法相比现有主动防御方法能生成不可感知性更强的对抗扰动，且对目标模型取得较高的防御成功率.

关键词: 深度伪造, 对抗样本, 主动防御, 生成对抗网络, 不可感知性