基于可逆神经网络的黑盒GAN生成人脸反取证方法  

作　　者：陈北京 冯逸凡[1] 李玉茹 Chen Beijing;Feng Yifan;and Li Yuru(Engineering Research Center of Digital Forensics Ministry of Education(Nanjing University of Information Science and Technology),Nanjing 210044;Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology(Nanjing University of Information Science and Technology),Nanjing 210044)

机构地区：[1]数字取证教育部工程研究中心(南京信息工程大学),南京210044 [2]江苏省大气环境与装备技术协同创新中心(南京信息工程大学),南京210044

出　　处：《信息安全研究》2025年第5期394-401,共8页Journal of Information Security Research

基　　金：国家自然科学基金项目(62072251)。

摘　　要：生成对抗网络(generative adversarial network, GAN)生成的人脸取证模型用于区分真实人脸和GAN生成人脸.但由于其易受对抗攻击影响,GAN生成人脸反取证技术应运而生.然而,现有反取证方法依赖白盒代理模型,迁移性不足.因此,提出了一种基于可逆神经网络(invertible neural network, INN)的黑盒GAN生成人脸反取证方法.该方法通过INN将真实人脸特征嵌入GAN生成人脸中,使生成的反取证人脸能够误导取证模型.同时,在训练中引入特征损失,通过最大化反取证人脸特征与真实人脸特征间的余弦相似度,进一步提升反取证性能.实验结果表明,在不依赖任何白盒模型的场景下,该方法对8种取证模型都有良好的攻击性能,优于对比的7种方法,且可以生成高视觉质量的反取证人脸.Generative adversarial network GAN-generated faces forensics models are used to distinguish real faces and GAN-generated faces.But due to the fact that forensics models are susceptible to adversarial attacks,the anti-forensics techniques for GAN-generated faces have emerged.However,existing anti-forensic methods rely on white-box surrogate models,which have limited transferability.Therefore,a black-box method based on invertible neural network(INN)is proposed for GAN-generated faces anti-forensics in this paper.This method embeds the features of real faces into GAN-generated faces through the INN,which enables the generated anti-forensics faces to disturb forensics models.Meanwhile,the proposed method introduces a feature loss during training to maximize the cosine similarity between the features of the anti-forensics faces and the real faces,further improving the attack performance of anti-forensics faces.Experimental results demonstrate that,under the scenarios where no white-box models are involved,the proposed method has good attack performance against eight GAN-generated faces forensics models with better performance than seven comparative methods,and can generate high-quality anti-forensics faces.

关 键 词：对抗攻击 可逆神经网络 GAN生成人脸 反取证 黑盒 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]