Protective Filter Defends Images and Video against Deepfake Manipulation
BU researchers develop algorithm that corrupts attempts to alter multimedia
Consumers of media content today face a number of challenges in determining the trustworthiness of the information they find online. With a dizzying variety of media sources, from global news networks down to individuals posting on Facebook or YouTube, consumers can struggle to separate fact from fiction. A relatively new phenomenon is making that struggle even harder: deepfakes. In recent years, deep neural networks (a machine learning technique) have made it increasingly easy to convincingly manipulate images and videos of people by doctoring their speech, movements, and appearance.
In response, a team of Boston University computer scientists has created an algorithm that generates an adversarial attack against facial manipulation systems in order to corrupt and render useless attempted deepfakes. The BU team’s algorithm allows users to protect media before uploading it to the internet by overlaying an image or video with an imperceptible filter.
When a manipulator uses a deep neural network to try to alter an image or video protected by the BU-developed algorithm, the media is either left unchanged or completely distorted, the pixels rendering in such a way that the media becomes unrecognizable and unusable as a deepfake.
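As an added illustration (not the BU team's released code), the sketch below builds such a filter against a toy one-layer network whose weights are known to the protector, then compares the damage it does to the network's output with random noise of the same size. The network, the "image", the `eps` budget and all function names are constructed assumptions, and iterative gradient-sign ascent is a standard technique chosen here, not one the article attributes to the team.

```python
import math
import random

def manipulate(W, b, x):
    """Toy stand-in for a manipulation network: one dense layer + tanh (assumption)."""
    return [math.tanh(sum(w * v for w, v in zip(row, x)) + bi)
            for row, bi in zip(W, b)]

def distortion(W, b, x, protected):
    """Squared L2 gap between the network's output on the clean and protected input."""
    clean, out = manipulate(W, b, x), manipulate(W, b, protected)
    return sum((o - c) ** 2 for o, c in zip(out, clean))

def protect(W, b, x, eps=0.03, steps=20, seed=0):
    """Return x + delta, |delta_j| <= eps, with delta chosen to maximise distortion."""
    rng = random.Random(seed)
    clean = manipulate(W, b, x)
    step = eps / 4
    # Random start: at delta = 0 the gradient of the distortion is exactly zero.
    delta = [rng.choice((-step, step)) for _ in x]
    for _ in range(steps):
        out = manipulate(W, b, [v + d for v, d in zip(x, delta)])
        # Chain rule for L = sum (out_i - clean_i)^2 with out = tanh(z), z = W(x+delta)+b
        gz = [2 * (o - c) * (1 - o * o) for o, c in zip(out, clean)]
        grad = [sum(gz[i] * W[i][j] for i in range(len(W))) for j in range(len(x))]
        # Gradient-sign ascent step, then projection back into the eps budget.
        delta = [max(-eps, min(eps, d + step * math.copysign(1, g)))
                 for d, g in zip(delta, grad)]
    # Keep every pixel in the valid [0, 1] range.
    return [max(0.0, min(1.0, v + d)) for v, d in zip(x, delta)]

def demo(n=16, eps=0.03, trials=100, seed=1):
    """Return (max pixel change, filter distortion, mean random-noise distortion)."""
    rng = random.Random(seed)
    W = [[rng.gauss(0, 0.5) for _ in range(n)] for _ in range(n)]  # constructed weights
    b = [0.0] * n
    x = [rng.uniform(0.2, 0.8) for _ in range(n)]                  # constructed "image"
    protected = protect(W, b, x, eps)
    # Baseline: random +/-eps noise, i.e. the same per-pixel budget without the gradient.
    rand = sum(distortion(W, b, x, [v + rng.choice((-eps, eps)) for v in x])
               for _ in range(trials)) / trials
    return (max(abs(p - v) for p, v in zip(protected, x)),
            distortion(W, b, x, protected), rand)

if __name__ == "__main__":
    print(demo())
```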
The development of the protective filter—guided by Stan Sclaroff, dean of BU’s College and Graduate School of Arts & Sciences and a professor of computer science—was spearheaded by Nataniel Ruiz, a doctoral candidate in computer science, and Sarah Adel Bargal, a research assistant professor of computer science. To share their algorithm, they’ve published their findings online, released a video demo of their work, and made open-source code publicly available.
Ruiz says that the idea for the project came to him after he had become interested in the rapidly advancing techniques for creating deepfakes. He hit on the idea of disrupting deepfakes after talking with Sclaroff, his doctoral advisor, about the possible malicious uses of deepfake technology.
Deepfakes first rose to prominence with applications that realistically transpose an individual’s face onto another’s body but require large numbers of images of the individual. Recent advances in the field now allow for the creation of fake images and video of people using only a few images. It has also become easier for ordinary citizens to create deepfakes. Last year, for instance, the iPhone app FaceApp entered the zeitgeist. Created by a Russian company, the app allows everyday users to transform images of individuals into older versions of themselves, change their expression into a smile, or apply other tricks.
The relative ease with which internet users can create deepfakes could further muddy the waters of what is real and fake online, particularly in arenas like politics. Detecting deepfake images, audio, or video could be one approach to solving this trust problem, although it may prove to be harder than expected. Facebook is currently holding a competition, searching for a team of researchers that can effectively detect deepfakes.
Now, the BU team is pursuing even more sophisticated techniques for disrupting deepfakes.
“We covered what we call ‘white-box’ attacks in our work, where the network and its parameters are known to the disruptor,” says Bargal. “A very important next step is to develop methods for ‘black-box’ attacks that can disrupt deepfake networks [in ways] inaccessible to the disruptor…[and] we are currently working on making this a reality.”