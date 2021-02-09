The deepfake detector, which detects any changes in the original video, was first tricked by programmers from California.

The programmers have shown that the detector can be fooled by inserting the input data, also called race examples, into each video frame. Adversarial examples are slightly modified inputs that cause AI systems to be wrong. In addition, the team has shown that the method works even after compressing the video.

Recall that in deepfakes, the face of any subject can be changed to someone else’s so that it looks believable. This can create realistic footage of events that never actually happened.

Typical deepfake detectors focus on the faces in the video: they first track them and then send a separate piece of the face to a neural network that determines if the video is real or fake. For example, eye blinking is poorly reproduced in deepfakes, so detectors focus on eye movements. Modern Deepfake detectors rely on machine learning models to identify fake videos.

The authors of the work tested their video processing in two scenarios: the first, where the attackers have full access to the detector model, the face extraction method and the architecture and parameters of the classification model; and another, where attackers can only query a machine learning model to figure out the likelihood that a frame will be classified as real or fake.

In the first case, the probability of deceiving the detector was 99% for uncompressed videos, and 84.96% for compressed videos. In the second case, the detector was able to cheat at 86.43% for uncompressed and 78.33% for compressed video. This is the first work to demonstrate successful attacks on modern deepfake detectors.

The California programmers refused to release their open source code so that it would not be used for misinformation.