Individualized Deepfake Detection Exploiting Traces Due to Double Neural-Network Operations

A deepfake refers to a seemingly authentic image or video generated by a deep neural network. When it comes to human faces, a manipulation method may comprise reenactment, replacement, editing, and synthesis [41]. While deepfakes can facilitate numerous appealing and advantageous applications, the act of replacing the face in a staged image or video with the face of a public figure can pose a serious threat to the society. Given the continuous influx of deepfake videos on public platforms, journalists need to pay special attention to those that relate to significant public interest, such as those featuring celebrities or politicians [41, 26]. The deepfake generation methods evolved with autoencoder-based approaches [1], GANs [6], and diffusion models [47]. The latest diffusion-based models such as [47, 49] can surpass GAN-based models in producing photorealistic images. Nevertheless, even in the present day, autoencoder-based models remain threatening in terms of malicious use. This is due to the availability of several free, downloadable, and user-friendly applications built on autoencoder, such as FaceSwap [5], Faceswap-GAN [6], DeepFaceLab [4], and df [2]. In this work, we focus on Faceswap-GAN.

Most deepfake detectors were built to detect the whole population of deepfake videos, i.e., deepfake videos of whatever identities are targeted. However, victims of deepfakes are most often public figures and their deepfake videos are more detrimental due to their widespread public exposure. In this work, we propose a deepfake image detection system customized for individual subjects. Our theory-driven simulations suggest that identity conditioning on deepfake detection tends to exhibit advantages in more challenging detection tasks. As our experimental results will show, the existing tools for deepfake face detection that encompass the whole population may work suboptimally for a specific public figure. The proposed detector for specific individuals is especially useful for journalism. For example, before reporting news based on an image of a public figure of unknown authenticity, a journalist can apply the proposed detection tool to determine its authenticity.

Our approach to deepfake detection draws inspiration from a series of studies leveraging the near-idempotence property of an operation. This method has been particularly effective in various image forensics tasks, including double JPEG compression detection, unknown video codec identification, and source camera identification  [32, 53, 9, 23, 40]. In these studies, researchers leverage the near-idempotence of a respective operation, such as certain type of JPEG compression, video compression, or color demosaicing algorithm. The strict idempotence property asserts that an idempotent operation, $f(\cdot)$, results in no change to $f(x)$ when it is applied iteratively, i.e., $f(f(x))=f(x)$. Using slightly different terminology, if $f(f(x))$ approximately equals $f(x)$, the operation is nearly idempotent. In many detection problems of multimedia forensics, the nearly idempotent nature of a forgery method allows an analyst to apply the forgery operation multiple times and observe the changes to determine whether the input was forged for the first time, i.e., input forged for more than once will exhibit minimal changes.

In this work, we demonstrate that near-idempotence is also applicable to the neural network-based Faceswap-GAN [6]. To explore this, we emulate the potential deepfake operation that an attacker might employ, utilizing publicly available data of a public figure and making assumptions about the neural network architecture. Fig. 1 illustrates the inference pipeline of the proposed detector. We feed a test image into the emulated deepfake generator. The expected change in the image due to this operation is dependent on whether the image has undergone a similar operation before. If the image is a deepfake, the near-idempotence property ensures that the change will be minimal. From the standpoint of the deepfake feature extractor, a deepfake image will exhibit processing traces both before and after the operation, leading to subtle observed changes. Conversely, an authentic image without the deepfake operation lacks any processing traces of the neural network, resulting in a significant observable change. The contributions of this paper are threefold.

• •

  We propose to use the near-idempotence property of neural networks for deepfake face detection, introducing a distinct direction of improvement compared to the state of the art. The idempotence-driven approach can potentially complement existing methods.

• •

  We demonstrate that identity conditioning can significantly improve the deepfake detection performance over the state-of-the-art end-to-end CNN classifiers.

• •

  Our detector can focus on specific individuals. Individualized detectors are better suited for journalism.

In this work, we consider an attacker who is smart enough to find and use open-source face-swapping software such as [6, 5, 1] on the facial images from the publicly available videos of a public figure. More specifically, we consider Faceswap-GAN [6] as a potential method that the attacker can use. The attacker is free to use any public or private videos of a second person to depict a story and they want to convince the public of the involvement of a targeted public figure. For example, the attacker can record prearranged videos at a professional studio and later replace the actor’s face with that of the public figure. The attacker can harvest videos of the public figure from multiple sources, including social media, news channels, movies, and YouTube. Different sources of videos offer varied image quality, compression levels, and processing histories. For example, public interview videos of a public figure available on YouTube are expected to be less edited than video clips from movies. In our proposed detection method, we assume that we, as forensic analysts, have access to the various sources of public figure videos, but we do not know exactly from what source the attacker took videos for deepfake generation. For example, the attacker can use videos from social media, where we will only use public interview recordings of that public figure to train the neural network based detector.

In the challenge of identifying deepfake faces for public figures, we confront an image of unknown authenticity, claimed to be a specific public figure. Our approach to addressing this problem makes use of the extensive collection of authentic images or videos of the said public figure from YouTube. The training process of our proposed deepfake detector is depicted in Fig. 2 and the inference pipeline is shown in Fig. 1.

Our proposed detector has four distinct components. First, the reconstruction operator is a neural network operation that stimulates the deepfake generation operation for a public figure. We found this operation nearly idempotent. Second, the feature extractor is finetuned with a teacher network and is able to capture the identity information while extracting the features. Third, the identity decoder takes as input the explicit identity, i.e., the index of the public figure, and learns as a constant identity vector that arguments the feature space. It contains the necessary person-specific information of that public figure, and when combined with the identity-aware feature can effectively compute the deepfake features conditioned on identity. Fourth, the Siamese network serves as the ultimate binary classification block in the proposed architecture. It learns to extract the features linked to the idempotency of the deepfake operation. It produces a larger distance before and after reconstruction for a test authentic image and a smaller distance for a test deepfake image.

In the current work, the reconstruction model is the deepfake generation tool, i.e., Faceswap-GAN, one of the most popular and effective off-the-shelf tools for deepfake generation. When the reconstruction model does not match the tool used for deepfake generation, the processing traces caused by deepfake and reconstruction may be different, but both traces are generated by neural networks. For example, the reconstruction model is a Faceswap-GAN model whereas the deepfake video is generated by a Faceswap model. A more sophisticated classifier may be needed to exploit the processing traces left by different network structures. Under the proposed double operations framework, a more general Siamese neural network for processing-trace manifold learning may work, but we leave this exploration to future work.

Compared to end-to-end CNN-based classifiers, our proposed method targets deepfake detection for individuals, with main applications on public figures. Although our method needs training the reconstruction models, the training can be done in advance for each public figure. For example, a journalist can train the reconstruction models for various candidates before they need to verify videos for reporting tasks. Journalists may also share or collaboratively train detectors within their professional networks. To let the detection system support a new individual, the journalist will need to train a reconstruction operator for that individual and then finetune the Siamese network.

In this work, we have proposed to use the method of double neural network operations and individual conditioning for the deepfake detection. The proposed detector can achieve better detection performance than end-to-end CNN-based detectors on our curated dataset of public figures with identity labels. We have found that utilizing identity information can make the deepfake detector more reliable. In future work, we plan to extend the double-operations detection to scenarios with mismatched neural network architectures.

High-quality face-swapped videos may be generated by tools based on convolutional autoencoder models. An autoencoder consists of two neural networks, an encoder and a decoder. The encoder $f_{\mathrm{enc}}$ will map the original input $x\in\mathbb{R}^{d_{1}}$ to a lower-dimensional representation $f_{\mathrm{enc}}(x)\in\mathbb{R}^{d_{2}}$, where $d_{1}$ and $d_{2}$ are dimensions of the input and the embedding space, respectively, and $d_{1}>d_{2}$. The decoder $f_{\mathrm{dec}}$ will reconstruct input $x$ from the lower dimensional representation, i.e., $x^{\prime}=f_{\mathrm{dec}}(f_{\mathrm{enc}}(x))$. Denote loss function $L:\mathbb{R}^{d_{1}}\times\mathbb{R}^{d_{1}}\rightarrow\mathbb{R}$. With training data $\{x_{i}\}_{i=1}^{N}$, an autoencoder can be trained by minimizing a loss, $\frac{1}{N}\sum_{i=1}^{N}L(x_{i},x_{i}^{\prime})$. The autoencoder-based deepfake generation tool consists of a shared encoder and two decoders, as shown in Fig. 6. Faceswap-GAN \citeSfsgS is one of the most popular and effective publicly available tools based on autoencoder and can generate high-quality deepfake videos \citeSdolhansky2020deepfakeS. In this work, we train Faceswap-GAN models to reconstruct videos and generate deepfake videos. The output videos of Faceswap-GAN will contain processing traces left by the neural network.

For each target video, we generated a deepfake video by feeding a Faceswap-GAN model with the target video and a video of a public figure with a known identity. The video of the public figure was collected from YouTube and has the same gender as in the template video. For deepfake generation, we swap the face of the public figure onto the face of the person in the target video since public figures are usually the victims of deepfakes.

For deepfake detection using double operations, a journalist does not know which videos were used to generate the potentially fake video and knows only the identity of the video in question. Therefore, the reconstruction model was trained using videos of the known public figure from scenes other than the videos used for deepfake generation. The reconstructing unit $R$ is chosen to share the same neural network structure as the deepfake generating unit, i.e., a Faceswap-GAN. For a specific public figure, we trained a Faceswap-GAN using five videos, with $40,\!000$ iterations to ensure a good reconstruction quality.

Let us consider a set of images $S$ containing authentic and deepfake images. Each images is associated with an identity $k\in\{1,\dots,K\}$. $S$ may be decomposed into disjoint sets as follows:

$$S=\bigcup_{k=1}^{K}S^{(k)}=S_{\text{auth}}\cup S_{\text{df }}=S_{0}\cup S_{1},$$

(5)

where $S^{(k)}$ is the set of all images belonging to individual $k$, $S_{\text{auth}}$ and $S_{\text{df}}$ are the sets of all authentic and deepfake images, respectively, and $S_{0}$ and $S_{1}$ are the acceptance region and rejection region partitioned by a decision rule \citeSvan2004detection.

Let us define $g:S\to\mathbb{R}$ as a powerful manifold-learning feature extractor for deepfake traces extraction so that the extracted 1-D feature $x=g(\text{f})$ for real images $\text{f}\in S_{\text{auth}}$ and fake images $\text{f}\in S_{\text{df}}$ exhibit different distributions. To facilitate our theoretical analysis and simulation, we consider the following hypotheses concerning an observation $x$ for individual $k$:

	$\displaystyle H_{0}:\ x=g\big{(}\text{f}\big{)}$	$\displaystyle\sim\mathcal{N}\big{(}\mu_{0}^{(k)},\sigma^{2}\big{)},\quad\text{f}\in S^{(k)}\cap S_{\text{auth}},$		(6a)
	$\displaystyle H_{1}:\ x=g\big{(}\text{f}\big{)}$	$\displaystyle\sim\mathcal{N}\big{(}\mu_{1}^{(k)},\sigma^{2}\big{)},\quad\text{f}\in S^{(k)}\cap S_{\text{df}},$		(6b)

where $\mu_{0}^{(k)}$ and $\mu_{1}^{(k)}$ have Gaussian priors, namely,

	$\displaystyle\mu_{0}^{(k)}$	$\displaystyle\sim\mathcal{N}\left(u_{0},\sigma_{\mu}^{2}\right),$		(7a)
	$\displaystyle\mu_{1}^{(k)}$	$\displaystyle\sim\mathcal{N}\left(u_{1},\sigma_{\mu}^{2}\right),$		(7b)

where we set $0=u_{0}<u_{1}\in\mathbb{R}$ without loss of generality, and $\sigma_{\mu}^{2}$ is the variance of the priors. Fig. 7(a) illustrates the probability density functions (PDFs) of $x=g(\text{f})$ under $H_{0}$ and $H_{1}$ for five individuals. When identity information is unknown, the PDFs under each hypothesis merges into one as shown in Fig. 7(b).

The Bayes risk \citeSvan2004detection for an arbitrary rejection region $S_{1}$ is defined as

$\displaystyle r(S_{1})=C_{10}\!\operatorname{\mathbb{P}}(S_{1}|H_{0})\!\operatorname{\mathbb{P}}(H_{0})\!+\!C_{01}\!\operatorname{\mathbb{P}}(S_{0}|H_{1})\!\operatorname{\mathbb{P}}(H_{1}),$

(8)

where $\mathbb{P}(\cdot)$ is the probability measure, $C_{ij}$ is the cost incurred by choosing $H_{i}$ when $H_{j}$ is true, and $\operatorname{\mathbb{P}}(H_{i})$ is the prior. To focus on the effect of identity conditioning, we assume that the dataset $S$ is balanced, i.e., $\operatorname{\mathbb{P}}(H_{0})=\operatorname{\mathbb{P}}(H_{1})=0.5$ and the incurred costs are the same, i.e., $C_{01}=C_{10}=1$. With these assumptions, the Bayes risk is reduced to the overall error probability $P_{\text{e}}$.

We define $S_{i}^{(k)}=S_{i}\cap S^{(k)}$ to further segment the acceptance region $S_{0}$ and the rejection region $S_{1}$ by individuals:

	$\displaystyle P_{\text{e}}$	$\displaystyle=\frac{1}{2}\big{[}\operatorname{\mathbb{P}}(S_{1}|H_{0})+\operatorname{\mathbb{P}}(S_{0}|H_{1})\big{]}$		(9a)
		$\displaystyle=\frac{1}{2}\Big{[}\operatorname{\mathbb{P}}\big{(}\cup_{k=1}^{K}S_{1}^{(k)}|H_{0}\big{)}+\operatorname{\mathbb{P}}\big{(}\cup_{k=1}^{K}S_{0}^{(k)}|H_{1}\big{)}\Big{]}$		(9b)
		$\displaystyle=\frac{1}{2}\left[\sum_{k=1}^{K}\operatorname{\mathbb{P}}(S_{1}^{(k)}|H_{0})+\sum_{k=1}^{K}\operatorname{\mathbb{P}}(S_{0}^{(k)}|H_{1})\right]$		(9c)
		$\displaystyle=\frac{1}{2}\bigg{\{}1+\sum_{k=1}^{K}\left[\operatorname{\mathbb{P}}(S_{1}^{(k)}|H_{0})-\operatorname{\mathbb{P}}(S_{1}^{(k)}|H_{1})\right]\bigg{\}}.$		(9d)

Standard hypothesis testing technique \citeSvan2004detection allows us to derive from (9d) the optimal decision rule that minimizes the Bayes risk or error probability. One can proceed with the derivation and the decision rule turns out to be separable for each individual $k$ and in the form of the likelihood ratio test, namely,

$$S_{1}^{(k)}=\left\{x>\frac{\mu_{0}^{(k)}+\mu_{1}^{(k)}}{2}=T^{(k)}\right\},$$

(10)

where $T^{(k)}$ is the optimal decision threshold.

Using the optimal decision rule, one can calculate the minimal error probability following  (9c):

	$\displaystyle P_{\text{e}}^{\text{ind}}=\frac{1}{2}\sum_{k=1}^{K}\Big{[}$	$\displaystyle\operatorname{\mathbb{P}}(S_{1}^{(k)}|H_{0})+\operatorname{\mathbb{P}}(S_{0}^{(k)}|H_{1})\Big{]}$		(11a)
	$\displaystyle=\frac{1}{2}\sum_{k=1}^{K}\Big{[}$	$\displaystyle\operatorname{\mathbb{P}}(S_{1}^{(k)}|S^{(k)},H_{0})\operatorname{\mathbb{P}}(S^{(k)}|H_{0})$
	$\displaystyle+$	$\displaystyle\operatorname{\mathbb{P}}(S_{0}^{(k)}|S^{(k)},H_{1})\operatorname{\mathbb{P}}(S^{(k)}|H_{1})\Big{]}$		(11b)
	$\displaystyle=\frac{1}{2K}\!\sum_{k=1}^{K}\!\Big{[}\!$	$\displaystyle\operatorname{\mathbb{P}}(S_{1}^{(k)}\!|S^{(k)}\!,\!H_{0})\!+\!\operatorname{\mathbb{P}}(S_{0}^{(k)}\!|S^{(k)}\!,\!H_{1})\!\Big{]}$		(11c)
	$\displaystyle=\frac{1}{2K}\sum_{k=1}^{K}\Big{[}$	$\displaystyle 1\!-\!\Phi\Big{(}\tfrac{T^{(k)}-\mu_{0}^{(k)}}{\sigma}\Big{)}\!+\!\Phi\Big{(}\tfrac{T^{(k)}-\mu_{1}^{(k)}}{\sigma}\Big{)}\Big{]}$		(11d)
	$\displaystyle=\frac{1}{K}\sum_{k=1}^{K}\,\,$	$\displaystyle\Phi\left(-d_{k}\right).\quad\blacksquare$		(11e)

Here, (11c) is due to the assumption that the identities are uniformly distributed over the dataset, i.e., $\operatorname{\mathbb{P}}(S^{(k)}|H_{0})=\mathbb{P}(S^{(k)}|H_{1})=1/K$, $\Phi$ is the cumulative density function (CDF) of standard Gaussian, and $d_{k}=\big{(}\mu_{1}^{(k)}-\mu_{0}^{(k)}\big{)}\big{/}2\sigma$.

In contrast, when there is no information about the identity, the hypothesis testing problem is reduced to the basic form as shown in Fig. 7(b). One can prove the following identity-agnostic optimal decision rule:

$$S_{1}^{(k)}=\left\{x>\frac{u_{0}+u_{1}}{2}=T\right\},\ \forall k.$$

(12)

The minimal error probability $P_{\text{e}}^{\text{com}}$ with all identities mixed is then given by:

	$\displaystyle P_{\text{e}}^{\text{com}}$	$\displaystyle=\frac{1}{2}\sum_{k=1}^{K}\Big{[}\operatorname{\mathbb{P}}(S_{1}^{(k)}|H_{0})+\operatorname{\mathbb{P}}(S_{0}^{(k)}|H_{1})\Big{]}$		(13a)
		$\displaystyle=\frac{1}{2K}\sum_{k=1}^{K}\Big{[}1-\Phi\big{(}\tfrac{T-\mu_{0}^{(k)}}{\sigma}\big{)}+\Phi\big{(}\tfrac{T-\mu_{1}^{(k)}}{\sigma}\big{)}\Big{]}.$		(13b)

Plugging in $T$ and using the second-order Taylor expansion on $\Phi(\cdot)$ around $d_{k}$, we obtain,

$\displaystyle P_{\text{e}}^{\text{com}}\approx P_{\text{e}}^{\text{ind}}+\frac{1}{2K}\sum_{k=1}^{K}\left[-\Phi^{\prime\prime}\left(d_{k}\right)\right]\alpha_{k}^{2}.\quad\blacksquare$

(14)

Here, $\alpha_{k}=\big{[}(u_{0}-\mu_{0}^{(k)})+(u_{1}-\mu_{1}^{(k)})\big{]}\big{/}2\sigma$, $\Phi^{\prime\prime}(\cdot)$ is the second-order derivative of $\Phi$, and $-\Phi^{\prime\prime}(d_{k})>0$. This reveals that $P_{\text{e}}^{\text{com}}$ is larger (worse) than $P_{\text{e}}^{\text{ind}}$, highlighting the significance of identity conditioning for detection.

Fig. 7(c) demonstrates the result of $P_{\text{e}}^{\text{ind}}$ and $P_{\text{e}}^{\text{com}}$ generated by a large number of iterations for $u_{1}-u_{0}\in\{0.5\sigma,\,1.0\sigma,\,1.5\sigma\}$. It is observed that the performance is improved when the individual distributions are used by the detector and such effect is amplified with a larger $\sigma_{\mu}$ [i.e., more unique individualized deepfake traces; larger $|\alpha_{k}|$ as in (14)] and with a smaller $|u_{1}-u_{0}|$ [i.e., more intrinsically difficult detection problems; smaller $d_{k}$ in (14) for $\Phi^{\prime\prime}(\cdot)$’s monotonically increasing interval on the positive half of the axis]. We used $K=5$ identities for this simulation and verified via simulation that the performance is not sensitive to the choice of $K$.

The detection performance for an overall population of unknown composition may not be the most interesting metric from the perspective of a journalist when they target a specific celebrity or politician. Individualized deepfake detection proposed in this work allows more tailored optimization on an individual basis. The performance of the proposed individualized deepfake detector and two baseline methods for every public figure is shown in Fig. 8. The figure reveals that the performance of baseline methods is less consistent across the identity. For some identities, the performance of the baseline methods is significantly worse than their own average performance. This underscores the greater reliability and consistency of the proposed method in deepfake detection of public figures.

ieeenat_fullname \bibliographySsupp