A Blackbox Antiforensics Method of GANgenerated Faces Based on #br#
Invertible Neural Network#br#

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (5): 394-.

A Blackbox Antiforensics Method of GANgenerated Faces Based on #br# Invertible Neural Network#br#

Chen Beijing1,2, Feng Yifan1, and Li Yuru1

1(Engineering Research Center of Digital Forensics Ministry of Education(Nanjing University of Information Science and Technology), Nanjing 210044)
2(Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology(Nanjing University of Information Science and Technology), Nanjing 210044)

Online:2025-06-03 Published:2025-06-03

基于可逆神经网络的黑盒GAN生成人脸反取证方法

陈北京1,2冯逸凡1李玉茹1

1(数字取证教育部工程研究中心(南京信息工程大学)南京210044)
2(江苏省大气环境与装备技术协同创新中心(南京信息工程大学)南京210044)

通讯作者: 陈北京博士,教授,博士生导师.主要研究方向为多媒体内容安全、彩色图像处理以及模式识别. nbutimage@126.com
作者简介:陈北京博士,教授,博士生导师.主要研究方向为多媒体内容安全、彩色图像处理以及模式识别. nbutimage@126.com 冯逸凡硕士研究生.主要研究方向为人脸深度伪造防御. fyf200613@qq.com 李玉茹硕士.主要研究方向为人脸深度伪造反取证. 3246863022@qq.com

Abstract

Abstract: Generative adversarial network GANgenerated faces forensics models are used to distinguish real faces and GANgenerated faces. But due to the fact that forensics models are susceptible to adversarial attacks, the antiforensics techniques for GANgenerated faces have emerged. However, existing antiforensic methods rely on whitebox surrogate models, which have limited transferability. Therefore, a blackbox method based on invertible neural network (INN) is proposed for GANgenerated faces antiforensics in this paper. This method embeds the features of real faces into GANgenerated faces through the INN, which enables the generated antiforensics faces to disturb forensics models. Meanwhile, the proposed method introduces a feature loss during training to maximize the cosine similarity between the features of the antiforensics faces and the real faces, further improving the attack performance of antiforensics faces. Experimental results demonstrate that, under the scenarios where no whitebox models are involved, the proposed method has good attack performance against eight GANgenerated faces forensics models with better performance than seven comparative methods, and can generate highquality antiforensics faces.

Key words: adversarial attack, invertible neural network, GANgenerated faces, antiforensics, blackbox

摘要： 生成对抗网络(generative adversarial network, GAN)生成的人脸取证模型用于区分真实人脸和GAN生成人脸.但由于其易受对抗攻击影响，GAN生成人脸反取证技术应运而生.然而，现有反取证方法依赖白盒代理模型，迁移性不足.因此，提出了一种基于可逆神经网络(invertible neural network, INN)的黑盒GAN生成人脸反取证方法.该方法通过INN将真实人脸特征嵌入GAN生成人脸中，使生成的反取证人脸能够误导取证模型.同时，在训练中引入特征损失，通过最大化反取证人脸特征与真实人脸特征间的余弦相似度，进一步提升反取证性能.实验结果表明，在不依赖任何白盒模型的场景下，该方法对8种取证模型都有良好的攻击性能，优于对比的7种方法，且可以生成高视觉质量的反取证人脸.

关键词: 对抗攻击, 可逆神经网络, GAN生成人脸, 反取证, 黑盒

CLC Number:

TP309

陈北京, 冯逸凡, 李玉茹, . 基于可逆神经网络的黑盒GAN生成人脸反取证方法[J]. 信息安全研究, 2025, 11(5): 394-.

References

［1］Karras T, Laine S, Aila T. Astylebased generator architecture for generative adversarial networks［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2019: 44014410［2］张煜之, 王锐芳, 朱亮, 等. 深度伪造生成和检测技术综述［J］. 信息安全研究, 2022, 8(3): 258269［3］Wang Shengyu, Wang O, Zhang R, et al. CNNgenerated images are surprisingly easy to spot... for now［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2020: 86958704［4］Chollet F. Xception: Deep learning with depthwise separable convolutions［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2017: 18001807［5］Tan Mingxing, Le Q. EfficientNet: Rethinking model scaling for convolutional neural networks［C］ Proc of the 36th Int Conf on Machine Learning. New York, ICML, 2019: 61056114［6］Huang Gao, Liu Zhuang, Van L, et al. Denselyconnected convolutional networks［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2017: 22612269［7］Afchar D, Nozick V, Yamagishi J, et al.Mesonet: A compact facial video forgery detection network［C］ Proc of the IEEE Int Workshop on Information Forensics and Security. Piscataway, NJ: IEEE, 2018: 17［8］Radford A, Metz L, Chintala S. Unsupervised representation learning with deep convolutional generative adversarial networks［J］. arXiv preprint, arXiv:1511.06434, 2016［9］Liu Zhengzhe, Qi Xiaojuan, Torr P H S. Global texture enhancement for fake face detection in the wild［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2020: 80608069［10］Wang Chengrui, Deng Weihong. Representative forgery mining for fake face detection［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2021: 1492314932［11］黄灵, 何希平, 贺丹, 等. 融合卷积神经网络和Transformer的人脸欺骗检测模型［J］. 信息安全研究, 2024, 10(1): 2533［12］Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks［J］. arXiv preprint, arXiv:1312.6199, 2013［13］Huang Yihao, Xu Juefei, Wang Run, et al. Fakepolisher: Making deepfakes more detectionevasive by shallow reconstruction［C］ Proc of the ACM Int Conf on Multimedia. New York: ACM, 2020: 12171226［14］Liu Chi, Chen Huajie, Zhu Tianqing, et al. Making deepfakes more spurious: Evading deep face forgery detection via trace removal attack［J］. IEEE Trans on Dependable and Secure Computing, 2023, 20(6): 51825196［15］Wang Yongwei, Ding Xin, Ding Li, et al. Perception matters: Exploring imperceptible and transferable antiforensics for gangenerated fake face imagery detection［J］. Pattern Recognition Letters, 2021, 146: 1522［16］Xie Hao, Ni Jiangqun, Zhang Jian, et al. Evading generatedimage detectors: A deep dithering approach［J］. Signal Processing, 2022 (197): 111［17］Zhao Xinwei, Stamm M C. Making generated images hard to spot: A transferable attack on synthetic image detectors［C］ Proc of the Int Conf on Pattern Recognition. Piscataway, NJ: IEEE, 2022: 7084［18］Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples［J］. arXiv preprint, arXiv:1412.6572, 2014［19］Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant adversarial attacks［J］. arXiv preprint, arXiv: 1706.06083, 2019［20］Hu Xinjue, Fu Zhangjie, Zhang Xiang, et al. Invisible and steganalysisresistant deep image hiding based on oneway adversarial invertible networks［J］. IEEE Trans on Circuits and System for Video Technology, 2023, 34(7): 61286143［21］Jing Junpeng, Xin Deng, Xu Mai, et al. HiNet: Deep image hiding by invertible network［C］ Proc of the IEEECVF Int Conf on Computer Vision. Piscataway, NJ: IEEE, 2021: 47134722［22］Liu Ziwei, Luo Ping, Wang Xiaogang, et al. Deep learning face attributes in the wild［C］ Proc of the IEEECVF Int Conf on Computer Vision. Piscataway, NJ: IEEE, 2015: 37303738［23］Yang Bo, Zhang Hengwei, Li Zheming, et al. Adversarial example generation with adabelief optimizer and crop invariance［J］. Applied Intelligence, 2023, 53(2): 23322347［24］Baluja S. Hidingimages in plain sight: Deep steganography［C］ Proc of the Int Conf on Neural Information Processing Systems. San Diego: NIPS, 2017: 20662076

[1]	. A Review of Adversarial Attack on Autonomous Driving Perception System [J]. Journal of Information Security Reserach, 2024, 10(9): 786-.
[2]	. Adversarial Attack Algorithm Based on Multimodel Scheduling Optimization#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(5): 403-.
[3]	. Research on Adversarial Examples Generation Technology Based on Text Keywords [J]. Journal of Information Security Reserach, 2023, 9(4): 338-.
[4]	. Research and Prospect of Adversarial Attack in the Field of Natural Laguage Processing [J]. Journal of Information Security Reserach, 2022, 8(3): 202-.
[5]	. Physical Adversarial Attacks Against Deep Reinforcement Learning Based Navigation [J]. Journal of Information Security Reserach, 2022, 8(3): 212-.
[6]	. Summary of The Security Of Image Adversarial Samples [J]. Journal of Information Security Reserach, 2021, 7(4): 294-309.