AntifakePrompt: Prompt-Tuned Vision-Language Models are Fake Image Detectors

We thank all the reviewers for their constructive suggestions, which help improve the completeness of our submission, and the revised part of the paper are marked in red. We are encouraged that reviews are positive in the following four levels:

• The paper is "well written" (Reviewer NiiK).
• The problem we are researching is “a topic of active research interest” (Reviewer eMV8) and “trending” (Reviewer 4Y5R).
• Our solution is “novel”, "highly generalizable" (Reviewer NiiK), “innovative” (Reviewer eMV8), “straightforward” and “effective”(Reviewer 4Y5R).
• Our experiments are “extensive” (Reviewer 4Y5R).

We now address individual concerns of Reviewer 4Y5R below.

1. [The contributions are somewhat limited.]

• This comment differs from all the other reviewers, who agree on our contributions are "novel" (Reviewer NiiK), “innovative” (Reviewer eMV8).
• First, we think that there may be a misunderstanding of our goal. Our goal is to find a more general solution to deepfake detection problem, and then chose VLM as the backbone model. Hence, the review "the proposed method could be applied to various other visual tasks" is out of our original motivation, making it not a strong reason for claiming limited contribution.
• It is true that prompt tuning technique is not a highly original advanced method. However, we pioneer to employ prompt tuning technique on VLM, and propose a simple yet effective solution to deepfake detection, which is a "novel attempt in this area" (NiiK). In Abstract section in the revised submission, our method demonstrates better performance on held-out datasets comparing to the baselines (61.79 to 92.72) with less learnable parameters (~4M vs. 4.96K), highlighting the resource efficiency and effectiveness of our method. This is a non-trivial and significant contribution on its own.
• We respectfully disagree about the comment of "it lacks sufficient adaptation and analysis in the downstream task". As mentioned in Section 3 in the original submission, we carefully formulate the deepfake detection into a visual question answering problem with clear definition and equations. Also, in Section 4.3 in the original submission, we conducted and analyzed several ablation studies (e.g. position of pseudo-word, prompt tuning for Qformer or LLM, number of training images), demostatrating our extensive experiments and complete analysis.

2. [The experiments lack comparison with SOTA baselines]

• Thank you for your comment. We sincerely hope that you can provide the reference of [1] so that we can compare it with our method as soon as possible.
• We chose Wang 2020 and DE-FAKE as the baselines due to their highlight in generalizability and their representativeness in this field. Furthermore, following the comments by reviewer eMV8, we have introduced the results of other deepfake detections methods in Table 1 in the revised submission.

3. [Validate our method on other benchmark datasets]

• Thank you for the advice. As the exact testing dataset of DE-FAKE is not open-sourced, in our original submission we have done our best to follow their experimental setting to adopt COCO, Flickr, LD, SD, and DALLE in our testing dataset except for GLIDE. In order to better fulfill the reviewer's suggestion, we then further introduce GLIDE to our testing dataset with providing the corresponding in the Table 1 of the revised submission.
• What's more, both DE-FAKE and our method are trained on COCO+SD2, while our method is tested on more difficult and more diverse types of datasets (e.g. the held-out testing datasets from image inpainting, super resolution, image attacks, etc), which make our superior experimental results more conclusive and convincing.

The revision partially addressed the reviewer's concerns, including experiments of new baselines and deepfake datasets. However, the reviewer still hold concerns about the contribution. Admittedly, the attempt to employ VLM as a foundational model for generalized deepfake detection is commendable. Yet, the proposed method lacks significant technical contribution (the reviewer concur with Reviewer NiiK’s observation that the proposed method is "quite straightforward"). Deepfake detection has evolved over many years. A robust deepfake detection study should, at a minimum, either unearth unique visual features of deepfake videos [1][2] or identify blind spots in current detection models[3]. The proposed approach merely involves feeding deepfake videos into the VLM model. Similarly, the authors have not demonstrated deepfake characteristics in the text prompts. The method could be easily transferred to other task by altering text prompts, for instance, changing "Is this photo real" to "Is this people playing football," thus prompting the VLM to switch to an action recognition model. Given the lack of in-depth analysis of deepfake characteristics, the reviewer believes that this paper does not yet meet the publication standards of ICLR.

[1] Li et al. "Face x-ray for more general face forgery detection." CVPR 2020.

[2] Wang et al. "DIRE for Diffusion-Generated Image Detection." ICCV 2023.

[3] Dong et al. "Implicit Identity Leakage: The Stumbling Block to Improving Deepfake Detection Generalization." CVPR 2023.

Ps. It should be noted that the reference [1] in the initial comments pertains to DIRE. Many apologies for any confusion.

(Continued)

3. [Why the LoRA-finetuned model achieves better performance than the proposed method except for the three attack tasks?]

• We explained this in the last paragraph of Section 4.3 in the original paper. We state that LoRA-finetuned model introduces more learnable parameters (around 4 millions) into LLM, so it is more likely to overfit to artifacts of the held-in dataset. The images from three attacks are edited from real images by a small difference on pixels, which have artifacts differ from those images generated by other generative models, including the held-in dataset. Hence, we conclude that the accuracy drops of LoRA-finetuned model while being applied to the images from three attacks (in which these attack images have different traits from the held-in dataset) could attribute to the overfitting.
• Here is another high-level insight. We can consider the prompt tuning technique to be "extracting" some useful information in the LLM. On the other hand, LoRA-finetuned model can be seen as adding extra component to "adapt" the specific task, leading to better performance on training set but worse generalizability.

4. [Is it possible to obtain a better model by just replacing LoRA with some other finetuning algorithms?]

• We choose LoRA as one of our baseline as it is one of the most popular, and the most widely-used parameter-efficient finetuning methods of LLM.
• Nevertheless, we are happy to follow your suggestion by replacing LoRA with another finetuning algorithm, AdaLoRA[1]. The results are shown below:

• As being observable from the results, AdaLoRA-finetuned model also suffers (as LoRA does) from accuracy drop when applied to three attack tasks, which underscores the generalizability of our proposed AntifakePrompt again.

5. [Using average accuracy over different datasets and tasks might not be a proper metric.]

• We respectfully disagree. First, it has to be clarified that the numbers of images used in every task are actually the same, so the accuracies can be averaged without any weights. Secondly, the importance of each task can not be formally defined, so we consider every task to have the same importance. Lastly, since we take VLM as our backbone, which directly outputs a text instead of a probability distribution of each class, so the AUC metric may not be suitable in our case.
• Still, we really appreciate your comment upon the relation between the importance of tasks and the weighted accuracy. Therefore, we provide the weighted accuracy, including "Real Accuracy" (average of all real datasets), "Fake Accuracy" (average of all fake datasets), and "Weighted Accuracy" (average of Real Accuracy and Fake Accuracy), considering the same importance of real datasets and fake datasets.

• No matter using what kind of metric, our method shows superior performance than the baselines.

[1] Zhang, Qingru, et al. "Adaptive budget allocation for parameter-efficient fine-tuning." arXiv preprint arXiv:2303.10512 (2023).

We thank all the reviewers for their constructive suggestions, which help improve the completeness of our submission, and the revised part of the paper are marked in red. We are encouraged that reviews are positive in the following four levels:

• The paper is "well written" (Reviewer NiiK).
• The problem we are researching is “a topic of active research interest” (Reviewer eMV8) and “trending” (Reviewer 4Y5R).
• Our solution is “novel”, "highly generalizable" (Reviewer NiiK), “innovative” (Reviewer eMV8), “straightforward” and “effective”(Reviewer 4Y5R).
• Our experiments are “extensive” (Reviewer 4Y5R).

We now address individual concerns of Reviewer NiiK below.

1. [Unfair to compare the two baselines.]

• The main goal of our work is to propose a solution to deepfake detection with stronger generality, and thus we mainly focus on the performance on the held-out datasets. Therefore, we chose the two baselines (Wang 2020 and DEFAKE) due to their highlighted generalizability. When testing, those held-out datasets are unseen data for both our method and the baselines, so we think it is a fair comparison for our method and the two baselines.
• We respectfully disagree with the idea of changing backbones. Wang 2020 and DE-FAKE use ResNet as their backbone model, while we choose InstructBLIP (VLM) as our backbone model. Because of the difference of input and output between ResNet and InstructBLIP, we think the backbone is not transferable.
• Still, we really appreciated your suggestion about fairness, so we have trained the model of Wang 2020 and our model with a subset (due to the insufficient time) of training data (COCO+SD2, not including SD2IP). We did not train DE-FAKE as its training code is not open-sourced, however please note that official DE-FAKE was actually trained on COCO+SD2 which is the same as our training dataset. The results are shown below:

• Following the suggestion of reviewer eMV8, we test the methods on more fake datasets (DFDC, FF++). The results demostrate that Wang 2020 suffers from insufficient generalizability, leading to poor performance on held-out datasets (datasets other than COCO & SD2). We think the reason behind is that Wang 2020 chooses ResNet as the backbone, which may result in overfitting to the training due to the large number of trainable parameters (instead, noting that our proposed method does not finetune the entire VLM model but only optimizes for the pseudo-word $S_\ast$).

2. [Reasons for our good performance]

• Thank you for your comment. As mentioned in Section 2.3 in the original submission, VLM helps multimodal comprehension through utilizing the strong generality of LLMs. Specifically, the strong generality of LLM comes from the large scale of its training data (e.g. corpus), enabling the LLM to answer the questions that it has never seen before. Therefore, VLM can also achieve strong generality with the help of its LLM component. This detailed discussion has been added in red to Paragraph 5 of Section 1 and Paragraph 4 of Section 4.2 in the revised submission.

(Continued)

6. [Other preset questions may achieve better performance?]

• The influence of the preset question is quite small. Actually, we have tried different preset question in Section 4.3 in the original paper, namely "prefix" ("$S_*$ Is this photo real?"), "postfix" ("Is this photo real $S_*$?"), and "replace" ("Is this photo $S_*$?"). The experimental results of "postfix" and "replace", which have different preset questions, show that the accuracy (88.94 / 91.59) is not sensitive to the preset question or the position of the pseudo-word.
• Still, we also conduct more experiments on other preset questions during rebuttal, which we set the question to be "Is this photo real or generated by deep learning models $S_*$?" (denoted as "Extended" in the results below) and "$S_*$" (denoted as "One word" in the results below), and here are the results:

• The difference between the three average accuracies is less than 2%, which implies that the performance is not sensitive to the preset question.

I partially agree with the authors' response. Specifically, I am satisfied with the answers in part 2, 3, and 4. As for the other parts:

(1) In part 1, it seems that Wang 2020 with VLM backbone performs even worse than the ResNet-based version. The results supports the superiority of the proposed method. However, it is still likely that Wang 2020 could achieve much better performance by carefully tuning the training schedule. I suggest the authors to explore such possibility in future works.

(2) In part 5, the authors gave the results under more metrics, which I appreciate. However, more metrics should be considered, e.g. false positive rate (FPR), false negative rate (FNR) etc.. Such metrics could help users get a better understanding of the possible problems of the current method. On the other hand, I still believe that average accuracy is not a good metric for comparing different methods. To be specific, the choice of evaluation datasets might severely affect the results. For example, if we don't care about the model's performance on adversarial attack images, and we choose not to evaluate the models on such datasets, the conclusion could be totally different. Or if we have more image datasets generated by diffusion models, the average accuracy metric would put more weights on such datasets, and the final metric would be biased. Therefore, more considerations should be taken.

(3) In part 6, there is no wonder that the proposed question (Is this photo real?) achieves the best performance, since the model and the additional token S are trained with this question. However, I believe the results in this parts is enough to validate that the model is insensitive to the specific question, which addresses my concern well enough.

(Continued)

• Overall average

• We designated label "fake" as positive and label "real" as negative.
• In the overall average table, InstructBLIP demonstrates the lowest average FPR (0.01), yet its average FNR is pretty high (0.66). This indicates that InstructBLIP tends to classify most of the images as real, resulting in its relatively low F-score. In contrast, our AntifakePrompt strikes a better balance between the abilities of detecting real images and fake images, and thus shows the best performances on the average FNR and the average F-score. It also highlights the superiority of our AntifakePrompt.

3. [The model is insensitive to the specific question]

• We are pleased that we successfully addressed your concern :)

[1] Wang, Zhendong et al. “DIRE for Diffusion-Generated Image Detection.” ArXiv abs/2303.09295 (2023)

Best,

Authors of Submission2329

We thank all the reviewers for their constructive suggestions, which help improve the completeness of our submission, and the revised part of the paper are marked in red. We are encouraged that reviews are positive in the following four levels:

• The paper is "well written" (Reviewer NiiK).
• The problem we are researching is “a topic of active research interest” (Reviewer eMV8) and “trending” (Reviewer 4Y5R).
• Our solution is “novel”, "highly generalizable" (Reviewer NiiK), “innovative” (Reviewer eMV8), “straightforward” and “effective”(Reviewer 4Y5R).
• Our experiments are “extensive” (Reviewer 4Y5R).

We now address individual concerns of Reviewer eMV8 below.

1. [Compare analysis with other studies]

• Thank you for suggesting these related works. The reason why we chose the two baselines (Wang2020 & DE-FAKE) is that both works highlighted their generalizability, and they are well-known or SOTA method in this field before the submission.
• We investigated the listed related works: [1] proposes a detection method using reverse and denoising computation error of intermediate steps; [2] proposes a method via language-guided contrastive learning; [3] proposes a method related to diffusion reconstruction error at the initial timestep; [4] proposes a method using their local intrinsic dimensionality; [5] conducts extensive experiments on many different datasets; [6] proposes a collaborative learning framework to conduct detection of different quality of deepfakes.
• We follow reviewer's suggestion to include the comparison with the methods of [2,3,5,6], where the experimental results and the corresponding analysis are added to Table 1 and Section 4.2 respectively in the revised submission. We did not do experiments on [1,4] since they are regrettably not open-sourced, but we will introduce the experimental results into our final version as long as their codes are published.

2. [Test dataset is biased towards diffusion model-generated data.]

• Thank you for pointing this out. Since diffusion-based models are known for their outstanding ability of generating more genuine and more photorealistic images than those from GAN-based models, we naturally incoporated more diffusion-based models to generate various types of fake images to conduct more persuasive evaluations of our method and other baseline methods. Moreover, we chose DeeperForensics instead of other deepfake datasets because it is a newer and thus more difficult dataset than DFDC and FF++ datasets, which makes our performance more convincing. Out of similar reasons, we selected SGXL to represent GAN-based models. The rationale is that SGXL can generate images with lower FID and higher IS score than those generated by other GAN-based methods.
• Also, we have followed your suggestion to test the methods on DFDC and FF++. The results are presented in Table 1 in the revised submission.
• The reason why we did not test on DFC is that the link of DFC directs us to the dataset of DFDC, so we considered DFC and DFDC as the same dataset. If there is any misunderstanding, please let us know.

3. [Leverage unique features of VQA models beyond merely using them as detectors.]

• We sincerely appreciate the idea! Actually, we have conducted some experiments trying to leverage the unique features of VLM.
• First, we have used GradCAM to analyze the important region in the images. Although we did observe AntifakePrompt focused on certain region in some samples to consider them as fake, we have not found any significant or consistent visual characteristic throughout all GradCAM results of our samples to draw a concrete conclusion.
• Secondly, we tried to ask the VLM to give additional "reasons" when classifying the images by asking the question "Is this photo real $S_*$? Why?". However, the response still contain only "Yes" or "No" without any extra reason, which may results from the significant influence of the prompt-tuned question ("Is this photo real $S_*$?").
• Despite not getting the promising result from the aforementioned experiments, we believe that there does exist more abstractive but valuable reasons hidden behind. We would delve further into it in the coming future, thanks to your constructive suggestions.