Paper ID
66
Paper Title
Adversarial Deepfakes: Evaluating Vulnerability of Deepfake Detectors to Adversarial Examples
Track Name
First Round Submission
Reviewer #1

Questions

  • 1. APPLICATIONS OR ALGORITHMS PAPER? You can find this in the Paper Details (in CMT, click on the Paper ID # in your review list). Note for your evaluation that Applications papers will generally have less in the way of theoretical foundations/approach, more in experimental evaluation. Algorithms papers will be the opposite, more in the theory/approach, perhaps slightly less experiments.
    • Applications Track
  • 2. PAPER SUMMARY What is the paper about? Please, be concise (2 to 3 sentences).
    • The paper studies the vulnerability of CNN-based deepfake detection models that operate on individual frames independently. Experiments are presented for white box, robust white box, black box, and robust black box attacks on XceptionNet and MesoNet based detectors. Results show that these detectors are indeed prone to adversarial attacks.
  • 3. PAPER STRENGTHS Please discuss, justifying your comments with the appropriate level of details, the strengths of the paper (i.e. novelty, theoretical approach and/or technical correctness, adequate evaluation, clarity, etc).
    • * The problem studied in this work (adversarial vulnerability of deepfake detectors) is an important field given real-world implications of deepfakes and deepfake detectors.

      * Experimental results validate the claims made by the authors.

      * Well-written and clearly presented.
  • 4. PAPER WEAKNESSES Please discuss, justifying your comments with the appropriate level of details, the weaknesses of the paper (i.e. lack of novelty – given references to prior work-, lack of novelty, technical errors, or/and insufficient evaluation, etc). If you think there is an error in the paper, please explain why it is an error.
    • * The technical content of the paper is somewhat lacking and is too little for a full conference paper.

      * Experiments are conducted on only two models -- XceptionNet and MesoNet. The authors should expand their study to more detectors. Detectors that utilize temporal relationships (RNN-based models) can also be studied to further expand the scope of the work.
  • 5. FINAL RECOMMENDATION Please use "Borderline" sparingly.
    • Weak Reject
  • 6. JUSTIFICATION Justify your final recommendation based on the strengths and weaknesses. Please be considerate to the authors and provide constructive feedback.
    • Given the lack of technical content, my initial assessment is weak reject.
  • 11. ROUND 2 REVISION (Q1 OF 3) - ADDRESSED CONCERNS? Did the authors address your concerns?
    • Somewhat Yes
  • 12. ROUND 2 REVISION (Q2 OF 3) - UPDATED JUSTIFICATION / WEAKNESSES After looking at the other reviewers' concerns and the revised paper, my thoughts on the paper are (specifically related to whether the paper now seems ready to accept, expressing any reservations/concerns about that, lingering weaknesses, etc.):
    • Based on the concerns raised by other reviewers and updates made to the paper, I think the paper has definitely improved. However, the evaluation and analysis of results still fall somewhat short, especially given that methods presented in the paper are not significantly novel.
  • 13. ROUND 2 REVISION (Q3 OF 3) - FINAL RECOMMENDATION What is your final recommendation for the paper?
    • Slightly Above Threshold
Reviewer #2

Questions

  • 1. APPLICATIONS OR ALGORITHMS PAPER? You can find this in the Paper Details (in CMT, click on the Paper ID # in your review list). Note for your evaluation that Applications papers will generally have less in the way of theoretical foundations/approach, more in experimental evaluation. Algorithms papers will be the opposite, more in the theory/approach, perhaps slightly less experiments.
    • Applications Track
  • 2. PAPER SUMMARY What is the paper about? Please, be concise (2 to 3 sentences).
    • This paper raises concern about the vulnerability of DeepFake detectors to adversarial attacks. The authors conducted an extensive experiment to demonstrate this argument. The empirical results show that existing adversarial attack methods can invalidate the state-of-the-art DeepFake detectors.
  • 3. PAPER STRENGTHS Please discuss, justifying your comments with the appropriate level of details, the strengths of the paper (i.e. novelty, theoretical approach and/or technical correctness, adequate evaluation, clarity, etc).
    • 1. This paper highlights an important and timely concern against DeepFake detectors, which would further alarm the community to be aware of the social risks caused by AI technologies. Preventing exploitation of AI technologies, such as DeepFake, in disinformation campaigns is of vital importance. Recent works have designed several detectors for detecting fake images. This paper conducted an extensive experiment to show these detectors are vulnerable to adversarial attacks which would invalidate the existing detectors.

      2. The experiment is comprehensive and convincing. The experiments involve four DeepFake-like algorithms and two attacks in black-box, robust black-box, white-box, and robust white-box settings.
  • 4. PAPER WEAKNESSES Please discuss, justifying your comments with the appropriate level of details, the weaknesses of the paper (i.e. lack of novelty – given references to prior work-, lack of novelty, technical errors, or/and insufficient evaluation, etc). If you think there is an error in the paper, please explain why it is an error.
    • The raised problem lacks novelty from the technical aspects. Specifically, to what extent is the raised issue different from the well-known risks caused by adversarial attacks in other areas; e.g., [1, 2]?

      [1] Goodfellow, Shlens, Szegedy: "Explaining and harnessing adversarial examples", ICLR 2015.
      [2] Nguyen, Yosinski, Clune: "Deep neural networks are easily fooled: High confidence predictions for unrecognizable images", CVPR 2015.
  • 5. FINAL RECOMMENDATION Please use "Borderline" sparingly.
    • Weak Accept
  • 6. JUSTIFICATION Justify your final recommendation based on the strengths and weaknesses. Please be considerate to the authors and provide constructive feedback.
    • This paper raises an important and timely issue of AI safety and ethics, although the technical difference between the raised issue and the risk of adversarial attacks in other areas is relatively marginal.
  • 11. ROUND 2 REVISION (Q1 OF 3) - ADDRESSED CONCERNS? Did the authors address your concerns?
    • Not Really
  • 12. ROUND 2 REVISION (Q2 OF 3) - UPDATED JUSTIFICATION / WEAKNESSES After looking at the other reviewers' concerns and the revised paper, my thoughts on the paper are (specifically related to whether the paper now seems ready to accept, expressing any reservations/concerns about that, lingering weaknesses, etc.):
    • Reviewer #4 commented that "Although the basic white-box and black-box attack methods are not new, it is novel that the authors further improve these methods and propose two "robust" versions that are robust to common image/video codecs such as JPEG compression."

      This comment answers my concerns although the authors did respond to it. Thus, my recommendation for this paper is on the positive side: "Slightly Above Threshold".
  • 13. ROUND 2 REVISION (Q3 OF 3) - FINAL RECOMMENDATION What is your final recommendation for the paper?
    • Slightly Above Threshold
Reviewer #5

Questions

  • 11. ROUND 2 REVISION (Q1 OF 3) - ADDRESSED CONCERNS? Did the authors address your concerns?
    • Definitely Yes
  • 12. ROUND 2 REVISION (Q2 OF 3) - UPDATED JUSTIFICATION / WEAKNESSES After looking at the other reviewers' concerns and the revised paper, my thoughts on the paper are (specifically related to whether the paper now seems ready to accept, expressing any reservations/concerns about that, lingering weaknesses, etc.):
    • The main concerns were (1) experiments were conducted on only two models and (2) a lack of novelty. I believe that the addition and evaluation of a third model with a suitably different architecture, and on a more state-of-the-art dataset, clearly addresses at least the first concern. In my opinion, this also addresses the second concern (and this reviewer had already given the paper a weak accept).
  • 13. ROUND 2 REVISION (Q3 OF 3) - FINAL RECOMMENDATION What is your final recommendation for the paper?
    • Slightly Above Threshold