CN-122024296-A - Deepfake active defense adversarial attack method
Abstract
The invention discloses a deepfake active defense adversarial attack method comprising the following steps: S1, obtaining an original face image, generating a target attribute label, and loading a pre-trained deepfake generation network and a face key point extractor; S2, defining perturbation variables on the a and b channels of the Lab color space and in RGB space, and initializing the perturbation variables; S3, constructing a multi-mode loss function comprising a network output difference loss, a perceptual consistency loss, a visual concealment constraint loss and a face key point destruction loss; and S4, optimizing the initialized perturbation variables in stages based on the constructed multi-mode loss function to obtain the optimized perturbation. By defining perturbation variables in both the Lab and RGB spaces and constructing a multi-mode loss function for staged optimization, the invention ensures high visual concealment of the generated adversarial sample while achieving efficient and robust interference with the deepfake model.
Inventors
- HUANG JINGXIN
- PAN JING
- LU MUCHEN
- CHEN PEIXUAN
- HUANG FANGJUN
Assignees
- 中山大学 (Sun Yat-sen University)
Dates
- Publication Date
- 20260512
- Application Date
- 20260123
Claims (10)
- 1. A deepfake active defense adversarial attack method, comprising the steps of: S1, acquiring an original face image, generating a target attribute label, and loading a pre-trained deepfake generation network and a face key point extractor; S2, defining perturbation variables on the a and b channels of the Lab color space and in RGB space, and initializing the perturbation variables; S3, constructing a multi-mode loss function comprising a network output difference loss, a perceptual consistency loss, a visual concealment constraint loss and a face key point destruction loss, based on the original face image, an adversarial sample candidate formed from the original face image and the initialized perturbation variables, the target attribute label, the generation network and the face key point extractor; S4, optimizing the initialized perturbation variables in stages based on the constructed multi-mode loss function to obtain the optimized perturbation, wherein the staged optimization comprises a first stage that optimizes the perturbation variables in the Lab color space and a second stage that performs directional face key point optimization in RGB space based on the result of the first stage; S5, adding the optimized perturbation to the original face image to generate an adversarial sample for defending against deepfakes.
- 2. The method of claim 1, wherein in step S3 the multi-mode loss function adopts a dynamic weight adjustment strategy during optimization, the dynamic weights being adjusted adaptively according to the ratio of the current loss to the previous loss.
- 3. The deepfake active defense adversarial attack method of claim 1, wherein in step S4 the first-stage Lab color space optimization uses the Adam optimizer to iteratively optimize the a and b channel perturbation of the Lab space, and the second-stage RGB space optimization uses momentum gradient descent to iteratively optimize the RGB space perturbation and strengthen the face key point destruction loss.
- 4. The deepfake active defense adversarial attack method of claim 1, wherein in step S2 the perturbation budget epsilon of the perturbation variables on the a and b channels of the Lab color space and in RGB space is set to 0.05, and the perturbation is clipped to the range [-epsilon, epsilon] after each iteration of the optimization.
- 5. The deepfake active defense adversarial attack method of claim 1, wherein the method is configured to generate an adversarial sample whose L2 error from the original image is below 0.00013, whose structural similarity SSIM is above 0.98 and whose peak signal-to-noise ratio PSNR is above 45 dB, so as to meet the visual concealment requirement.
- 6. The method of claim 1, wherein in step S3 the perceptual consistency loss is obtained by extracting high-level features of the original image and of the adversarial sample candidate with a VGG network and computing the mean squared error between the two.
- 7. The deepfake active defense adversarial attack method of claim 1, wherein in step S3 the face key point destruction loss is obtained by extracting key point heatmaps of the adversarial sample candidate with the face key point extractor and computing the difference between those heatmaps and all-zero heatmaps.
- 8. The method of claim 1, wherein in step S2 the Lab color space is replaced by the YCrCb color space, and perturbation initialization and optimization are performed on the Cb and Cr channels.
- 9. The method of claim 1, wherein in step S1 the face key point extractor uses an HRNet model pre-trained on the 300W dataset or a key point detection model from the face_alignment library.
- 10. The deepfake active defense adversarial attack method of claim 3, characterized in that the Adam optimizer is replaced by the RMSprop optimizer and the momentum gradient descent method is replaced by the Nesterov accelerated gradient method.
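As an added example (not code from the patent), a self-contained Python check of the visual concealment thresholds in claim 5 applied to a perturbation clipped to the claim-4 budget of 0.05. It assumes that the claim's "L2 error" means the mean squared pixel difference, uses a single-window SSIM in place of the usual windowed form, and runs on a constructed 8x8 grayscale image rather than a real face.

```python
import math

EPS = 0.05                                        # perturbation budget epsilon, claim 4
L2_MAX, SSIM_MIN, PSNR_MIN = 0.00013, 0.98, 45.0  # concealment thresholds, claim 5

def clip_perturbation(delta, eps=EPS):
    """Clamp every perturbation value to [-eps, eps], as done after each iteration."""
    return [[max(-eps, min(eps, v)) for v in row] for row in delta]

def _flat(img):
    return [v for row in img for v in row]

def l2_error(x, y):
    """Mean squared pixel difference; assumed to be what claim 5 calls 'L2 error'."""
    a, b = _flat(x), _flat(y)
    return sum((p - q) ** 2 for p, q in zip(a, b)) / len(a)

def psnr(x, y, peak=1.0):
    """Peak signal-to-noise ratio in dB for pixel values in [0, peak]."""
    mse = l2_error(x, y)
    return math.inf if mse == 0 else 10 * math.log10(peak ** 2 / mse)

def ssim_global(x, y, peak=1.0):
    """SSIM over the whole image as a single window (simplified; not the 11x11 Gaussian form)."""
    a, b = _flat(x), _flat(y)
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = sum((p - mu_a) ** 2 for p in a) / n
    var_b = sum((q - mu_b) ** 2 for q in b) / n
    cov = sum((p - mu_a) * (q - mu_b) for p, q in zip(a, b)) / n
    c1, c2 = (0.01 * peak) ** 2, (0.03 * peak) ** 2
    return ((2 * mu_a * mu_b + c1) * (2 * cov + c2)) / (
        (mu_a ** 2 + mu_b ** 2 + c1) * (var_a + var_b + c2))

def concealment_report(original, delta):
    """Add the clipped perturbation, keep pixels in [0, 1], and test all three thresholds."""
    adv = [[min(1.0, max(0.0, o + p)) for o, p in zip(orow, drow)]
           for orow, drow in zip(original, clip_perturbation(delta))]
    m = {"l2": l2_error(original, adv), "ssim": ssim_global(original, adv),
         "psnr": psnr(original, adv)}
    m["passes"] = m["l2"] < L2_MAX and m["ssim"] > SSIM_MIN and m["psnr"] > PSNR_MIN
    return m

# Constructed 8x8 grayscale gradient in [0.06, 0.93] standing in for a face image.
ORIGINAL = [[(8 * i + j + 4) / 72 for j in range(8)] for i in range(8)]
# Constructed checkerboard of +/-0.003, well inside the budget: passes all three.
SUBTLE = [[0.003 if (i + j) % 2 == 0 else -0.003 for j in range(8)] for i in range(8)]
# Constructed uniform +0.05 shift at the budget edge: SSIM tolerates it, L2 and PSNR do not.
COARSE = [[0.05] * 8 for _ in range(8)]
```

`concealment_report(ORIGINAL, SUBTLE)` passes, while `concealment_report(ORIGINAL, COARSE)` fails on L2 and PSNR even though its SSIM stays above 0.98, which is why the claim requires all three thresholds together.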
Description
Deepfake active defense adversarial attack method
Technical Field
The invention relates to the field of deepfake defense, and in particular to a deepfake active defense adversarial attack method.
Background
With the rapid development of deep learning, deepfake techniques, represented by Generative Adversarial Networks (GAN), can efficiently generate highly realistic face images or video sequences. The technology has positive application potential in fields such as the entertainment industry and film and television production. However, its capabilities are also exploited to produce and spread false information and to carry out illegal activities such as identity fraud, posing a serious threat to public security, judicial fairness and personal privacy.
To cope with the challenges of deepfake technology, existing defense techniques mainly follow two paths: passive detection and active defense. Passive detection techniques typically operate after the forged content has been generated and propagated. Their core principle is to analyze the generated content and identify microscopic traces left by model limitations or an imperfect generation process, such as statistical inconsistencies among pixels, illumination and texture anomalies, and missing biological signals (such as a heartbeat). Such methods have an inherent limitation, however: their detection capability depends heavily on the inherent imperfections or generation "fingerprints" of a particular forgery model. When the forgery model is upgraded and iterated, or the generated content undergoes simple post-processing (such as compression and filtering), these traces are easily eliminated or altered, so the generalization ability of the detection method drops sharply and it struggles to keep up with continuously evolving forgery techniques.
Active defense techniques take a more forward-looking strategy aimed at erecting a protective barrier before forgery occurs. The core idea is to embed specific, imperceptible defensive signals into the original real content (such as images and videos) before it is released or uploaded. When an attacker attempts to process such protected content with a deepfake model, the embedded signal interferes with the model's normal generation logic and causes it to output severely distorted, unusable results, thereby preventing the generation of high-quality forged content at the source.
In the field of active defense, adversarial perturbation is currently a major research hotspot. Such methods add a small perturbation, imperceptible to the human eye, to the original image so that the perturbed image (the adversarial sample) misleads the deepfake model. Existing adversarial perturbation methods are mostly based on pixel-level modification or global feature optimization, such as fine-tuning pixel values in the RGB or Lab color space, or designing the perturbation in the latent space or the perceptual feature space of the model, to strike a balance between concealment and interference effect.
Despite the advanced concept of active defense, the prior art, especially the adversarial perturbation approach, still suffers from the following significant drawbacks:
1. The defensive dimension is single and easily circumvented. Most methods launch the attack from only one dimension, e.g. only the color space (such as Lab attacks) or only the facial geometry (such as key point attacks). Such single-dimension perturbations are easily identified and counteracted by targeted defense means (e.g. color correction, histogram equalization) or post-processing techniques (e.g. key point detection and repair), causing the defense to fail.
2. Attack efficiency is low and computational cost is high. Generating an effective adversarial perturbation often depends on a large number of optimization iterations, takes a long time and requires substantial computing power. This makes it difficult for existing methods to meet the processing-speed demands of real-time or online scenarios (e.g. live streaming, real-time communication).
3. Perturbation concealment is poor and visual quality is degraded. If the optimization lacks a strong constraint on the visual quality of the generated image, the added perturbation easily becomes too obvious, appearing as visible noise, artifacts or color distortion. This not only harms the appearance and usability of the protected image itself, but also makes the adversarial sample easier to detect by the naked eye or by a simple filter.
4. Robustness is insufficient and resistance to post-processing is weak. The resulting adversarial perturbation is typically very sensitive to common image processing operatio