Detecting Deepfakes Without Seeing Any

Thank you for the dedicated review and for recognizing the novelty of our approach and that it is “simple and effective”. We address the remaining comments below:

“in the deepfake detection from text-to-image, the use of diffusion models to generate data may not fully capture the complexities present in real-world scenarios of deep deception”. Thank you for highlighting this unclear point. The objective of exploring text-to-image scenarios was to highlight interesting issues with overfitting rather than to simulate a realistic scenario. It showcases the potential challenges associated with overfitting, where fake images exhibit a stronger agreement with false facts compared to true images aligned with true facts when measured using CLIP.

“The authors have separately validated the deep deception in three distinct aspects. However, there are occasions where these aspects may not be entirely independent. In such cases, it raises questions about whether FACTOR can still exert a positive influence”. Indeed, in scenarios such as face-swapping videos, we anticipate that both facial identity information and audio-visual agreement would jointly contribute to the overall effectiveness of FACTOR. Unfortunately, we did not have access to a suitable dataset that would allow us to explicitly demonstrate the combined advantage of these aspects, as public datasets either have known facial identities or audio, but not both. We completely agree with the reviewer's sentiment, and hope that future datasets will allow evaluating multiple facts simultaneously.

״Can supervised methods leverage the concept of FACTOR in any way to mitigate the challenges posed by zero-day attacks?”,”How does the proposed approach in this paper contribute to changing this situation?”״. Prompted by the reviewers suggestion, we have an idea of a system that uses FACTOR to detect new zero-day attacks for the first time. Then once enough fake data generated by this attack is collected, we then train a supervised method to detect this attack with greater accuracy. Furthermore, a semi-supervised scheme can be divided to detect fake data, not originally detected by FACTOR. We believe this is a very interesting direction for future work.

״The currently validated data appears to consist of features that are relatively prominent. When faced with a large-scale dataset of natural content, quantifying the true impact of FACTOR becomes considerably challenging. Although this may present a difficulty for the authors, if supplemental experiments were conducted in this area, it would greatly enhance the comprehensiveness and excellence of this paper״. We would be happy to run these experiments for a followup project. Which features does the reviewer consider most interesting?

“is that the best that current generative models can do?”. These are currently the standard academic benchmarks (indeed DFDC is considered the most challenging benchmark). We agree that new deepfake benchmarks may be very useful, but as the focus of our paper is methodological, we did not create new benchmarks here.

“For the Audio-Visual DeepFake detection, what is the train/test split?”. We used precisely the same split as in Feng et al. (2023). The precise split was kindly provided by the authors of that paper by private communications. We uploaded our code and the splits as a zip file.

“For all the tables, the authors should report the mean performance across different datasets; for all the methods (baselines + their own method).” A revised manuscript has been uploaded with all of the comments clarified.

“In the discussion of Table 3, the authors say that their method sometimes outperforms the supervised baselines even though they do not require labeled data is a bit misleading. Even though they do not need supervised data to train their model, they do need labeled data in the form of a reference set to do test time inference.” Table. 3 refers to the audio-visual correspondence fact for which FACTOR does not require any further supervision (and no reference set). Note that even in the case of face forgery, we do not require seeing any fake images for training the encoder or in the reference set, in contradiction to the supervision approaches.

Thank you for putting much effort into the review. We appreciate the reviewer liked the simplicity, originality and versatility of the approach. The main concern was its relation with the common “in-the-wild” setting. We address the concerns below:

“new form of problem statement for detecting deepfakes for two out of the three settings presented in the paper”,”Overall, I believe that the task that the authors are trying to solve is not the same task that the baselines are trying to solve.”. The crux of the reviewer’s comment is that most of the state-of-the-art deals with detecting deepfakes in the wild i.e. without using any additional facts. The core idea of FACTOR is that in many cases there are claimed facts which can improve detection. The two main facts that we showed strong results on are: i) claimed facial identity and ii) audio-visual agreement. While the reviewer implicitly agrees that audio-visual agreement is a commonly available claimed fact, the reviewer called into question the availability of the claimed facial identity. We believe the use of face identity is practical in many cases (but we agree that not in ALL cases). Generally, in impersonation deepfake attacks, the false identity is of a person known to us (this is the very point of the attack). Most known people have publicly available photos, and we showed that even a single photo is enough for our method to work well (the more the better of course). Indeed, over 2 billion people have Facebook profiles and around 1 billion have Linkedin profiles, producing a lower bound. We agree that when impersonating unknown persons, or when the impersonated person is very discrete and has no public images, we will not be able to construct a reference set. But the reviewer will surely agree that many practical scenarios are still covered by our method? Finally, we emphasize that the text-to-image case was never meant as a practical setting but was provided to highlight interesting findings with respect to overfitting. We therefore agree with the reviewer, and believe this was already mentioned in the paper in the beginning of Sec. 7.

“The baselines are trying to solve, what I would call, instance-level deepfake detection; … it does not seem to be an apples to apples comparison.” The purpose of the comparison to the baseline method is to highlight that when claimed facts are available, they should be used, and demonstrating FACTOR is an effective method for using the claimed facts. The purpose is not to claim that they are not effective, as indeed, when there are no claimed facts, they are the best approach. We believe this is already discussed in the limitations section (Sec. 8).

“authors should change their title to account for the modified nature of deepfake detection.”. Would the title “Detecting Deepfakes Without Seeing Any by Debunking False Facts” clarify that we only apply to cases with claimed facts?

“BLIP - CLIP … it is not clear why someone would arrive at this particular way of computing the scores”. The purpose of all the text-to-image experiments was not to highlight a practical defense but rather to showcase an interesting consequence of overfitting. As the Stable-Diffusion (SD) model is overfitted to CLIP, we showed that fake images more closely agree with the fake facts than true images agree with true facts when using CLIP to measure agreement. However, when using a new text-image similarity measure such as BLIP, the expected behavior is recovered. The best results were therefore recovered by using the difference between the overfitted and non-overfitted scores. The main take-home message is that overfitting may make fake images seem to agree closely with false facts. The solution is to use new feature encoders not used in the training of the model (or an ensemble of encoders if we do not know exactly which encoder was used for training). We revised the text to clarify this.

“there is no discussion on the effect of different feature extractors”. The use of a powerful feature extractor is important, but our method is not overadapted to any particular feature extractor. Interestingly, we found that even using CLIP which was trained on irrelevant data is already quite effective. The results are shown here and in the revised manuscript.

$\text{Dataset}\hspace{0.75cm}\text{CLIP}\hspace{0.5cm}\text{Swin-S}\hspace{0.5cm}\text{Attention-92(MX)}$

$\text{Celeb-DF}\hspace{0.6cm}89.3\hspace{0.625cm}94.5\hspace{1.55cm}**97.0**$

$\text{DFD}\hspace{1.45cm}95.7\hspace{0.625cm}96.1\hspace{1.55cm}**96.3**$

$\text{DFDC}\hspace{1.15cm}98.8\hspace{0.625cm}99.3\hspace{1.55cm}**99.9**$

We are keen to continue the discussion. Are there any remaining comments following our rebuttal or have we addressed all the reviewer’s concerns?

“What are method A and method B in section 5?”. Method A and method B are terms used in Sec.5 to denote the deepfake generation methods within the DFDC dataset. Note that the dataset does not provide specific information about the technical details of these deepfake generation techniques; they are simply identifiers within the DFDC dataset metadata. We clarified this in the revision.

“How do you decide the threshold for predicting real/fake? What are the thresholds?”. As we share the reviewer’s worries about thresholds, our evaluation metric does not use thresholds at all! We use AUROC (Area Under the Receiver Operating Characteristic curve) and AUPR (Area Under the Precision-Recall curve), which measure performance across various operating points without relying on predefined thresholds. Most other deepfake detection papers use the same evaluation approach.

We appreciate the reviewer's engagement with our work and address the concerns raised.

“It is essentially claiming …Given a feature extractor, one cannot train a generative model to make the embedding of the generated samples close to a target (real) sample. This is very strong and likely wrong”. We do not claim that generative models will never be able to create perfectly realistic fake images in the future i.e. with the exact claimed identity and perfectly aligned audio-visual data. We claim (and provide empirical evidence) that current models do not achieve this. We think it may take some time until they do so. Our method is therefore highly effective against current models. The reviewer might be suggesting that attacks may cheat by generating target identities that overfit against specific pretrained encoders while not yet solving the difficult task of perfect identity transfer. This is reasonable. Indeed we showed in the CLIP experiment that text-to-image models can overfit to specific backbones well. However, as also shown in the same experiment, it is possible to detect such false facts by using other backbones, different from those used to train the overfitted attack model e.g. as we showed for BLIP. Note that the advantage is on the defenders’ side, as the attacker has no idea which feature extractor FACTOR will use (or indeed an ensemble of feature extractors). See also the response below where we show our face forgery detection is robust to the choice of identity encoder.

“How can one retrieve such a reference sample in practice? How will distribution shifts (e.g. different angles, different cameras, different places) affect the effectiveness of the proposed detection method?” The reference set in the empirical evaluation uses other videos of the same person. These videos differ in background, camera, angle etc. It therefore already showcases significant resilience to distribution shifts of the type that the reviewer requested. In practice, a reference set can be constructed by retrieving public videos or images of the claimed identity. For example, if we claim a particular video is of Obama, we would go to Google Image Search and retrieve a set of images of Obama. This will not only work for past US presidents like Obama, but also for ordinary people that have some media presence e.g. a Facebook or Linkedin profile image, previously shared Instagram photos or Youtube videos. Of course, if the claimed identity has no known images, our method does not apply. However, as around 2 billion people have Facebook profiles, we believe that our method is useful in many cases.

“The assumption is basically requiring the pre-trained feature extractor to naturally distinguish real samples from fake ones … fooling a pre-trained feature extractor should be considered relatively easier than 'encode the false fact into fake media with sufficient accuracy'”. We do not assume that pretrained features can naturally distinguish real and fake images, but rather they can help recognize if the claimed fact is true or not. For example, if the identity is truly the claimed one or the audio and visual data in correspondence. This is the core of our approach which led to state-of-the-art results in detection of zero-day deepfake attacks. Note that we (and most other deepfake detection works) do not tackle the adversarial case. As the defender is free to choose any backbone they see fit, it would not be easy for the attacker to know which backbone to attack, and it is even harder to be adversarial to all possible backbones simultaneously. Also, many face swapping attacks we tested against do include deep pretrained features of the target identity therefore being somewhat adversarial to our method. The results showed that our method was still effective against such attacks. Furthermore, our method is not overfitted to a single feature extractor. We found that CLIP, which has been trained on quite irrelevant data, is already quite effective. We included the results here and in the revised manuscript.

$\text{Dataset}\hspace{0.75cm}\text{CLIP}\hspace{0.5cm}\text{Swin-S}\hspace{0.5cm}\text{Attention-92(MX)}$

$\text{Celeb-DF}\hspace{0.6cm}89.3\hspace{0.625cm}94.5\hspace{1.55cm}**97.0**$

$\text{DFD}\hspace{1.45cm}95.7\hspace{0.625cm}96.1\hspace{1.55cm}**96.3**$

$\text{DFDC}\hspace{1.15cm}98.8\hspace{0.625cm}99.3\hspace{1.55cm}**99.9**$

We are keen to continue the discussion. Are there any remaining comments following our rebuttal or have we addressed all the reviewer’s concerns?