Computer Engineering and Applications, 2022, Vol. 58, Issue (24): 97-106. DOI: 10.3778/j.issn.1002-8331.2110-0026

• Network, Communication and Security •

Design of DAPGD of Adversarial Attack Algorithm Against Deepfake

QIU Haoxuan, DU Yanhui, LU Tianliang

  1. College of Information and Cyber Security, People's Public Security University of China, Beijing 100038, China
  • Online: 2022-12-15 Published: 2022-12-15

Abstract: To guard against images being forged with deepfake models, an improved adversarial example generation algorithm, dynamic APGD (DAPGD), is proposed. Adversarial examples produced by DAPGD are used in place of the original images, so that the output of the deepfake model is visibly distorted and forged images cannot be generated effectively. DAPGD adopts an adaptively decaying learning rate, which speeds up convergence and improves the quality of the adversarial examples at convergence. To address the problem that APGD tends to miss the best moment to decay the learning rate, the checkpoints at which the learning rate is decayed are set dynamically, so that learning rate decay takes fuller effect. Because deepfake models use random parameters, which makes the loss function unstable, the local early stopping mechanism of APGD is removed, improving both the effectiveness and the speed of the algorithm. DAPGD attack experiments are conducted on three mainstream deepfake models and compared with the original algorithm and other algorithms. The results show that adversarial examples generated by DAPGD achieve better results on both metrics, output distortion size and attack success rate, and interfere more effectively with image forgery by deepfake models.

Key words: deepfake, adversarial example, learning rate decay, dynamic checkpoint, early stopping