Deepfake Detection Systems: Robustness Framework

• Deepfake detection systems are methods that evaluate and improve resiliency against synthetic media threats using adversarial techniques.
• The DUMBer methodology systematically varies dataset sources, model architectures, and class balance to assess defense performance across diverse scenarios.
• Experimental results show that adaptive and ensemble adversarial training substantially boost detection accuracy and defense robustness.

The DUMBer methodology is a comprehensive framework for evaluating the robustness of adversarially trained models under realistic, transfer-based threat scenarios. Built on the DUMB taxonomy—Dataset sources, Model architecture, and Balance—it targets the intersection of adversarial transferability and heterogeneous deployment factors. DUMBer systematically orchestrates both attack and defense experiments by varying dataset origin, neural architecture, and class-imbalance parameters, and then applies a diverse suite of adversarial training regimes, attack types, and evaluation protocols. This approach enables reproducible, fine-grained measurement of practical defense efficacy across high-dimensional, real-world configurations (Marchiori et al., 23 Jun 2025, &&&1&&&).

1. Defining Axes of the DUMB Taxonomy

The DUMB taxonomy formalizes three key aspects of heterogeneity:

• Dataset Sources (D): Whether the attacker and defender train on the same or distinct datasets. In canonical vision classification tasks, datasets often originate independently (e.g., Bing vs Google)—each $\mathcal{D}_i$ containing 10,000 balanced, cleaned samples. In deepfake detection, this extends to in-distribution data (FaceForensics++) and out-of-distribution data (Celeb-DF-V2).
• Model Architecture (U/M): Whether the attacker’s surrogate and the victim share architecture. Canonical backbones (AlexNet, ResNet18, VGG11), or specialized detectors (Xception, UCF, RECCE, SPSL, SRM) are used to construct populations reflecting real-world architectural diversity.
• Class Balance (B): The proportion of minority to majority class in the training distribution $\pi_{p/(1-p)}$, simulated at multiple imbalance ratios (50/50, 40/60, 30/70, 20/80). For deepfake detection, B is often held fixed.

A DUMB configuration is the tuple $(\mathcal{D}_i, \mathcal{M}_j, \pi_k)$; DUMBer further incorporates adversarial training regime as a fourth axis.

2. Formal Adversarial Problem and Threat Models

DUMBer formalizes the threat via evasion attacks, seeking adversarial perturbations $\delta^*$: $$\delta^* = \arg\max_{\delta \in \Delta_p} \mathcal{L}(f_\theta(x + \delta), y),$$ where $$\Delta_p = \{\delta : \|\delta\|_p \leq \varepsilon\}$$ constrains the perturbation norm and $\mathcal{L}$ is the classification loss.

Transferability is assessed by generating adversarial examples on a surrogate source model $A$ and computing Transfer Success Rate (TSR) on target victim $B$: $$T_{A \rightarrow B} = \frac{1}{N} \sum_{i=1}^N \mathbf{1}\{ f_B(x_i + \delta^*_i) \neq y_i \}.$$

DUMBer enumerates attacker–defender alignment along all eight configurations (C1–C8) for $(D, U, B)$, covering pure white-box, pure black-box, and gray-box scenarios. In deepfake detection (Serrano et al., 9 Jan 2026), B is matched, yielding four principal cases (C₁: white-box, C₃: cross-model, C₅: cross-dataset, C₇: both mismatched).

3. Experimental Pipeline and Attack Taxonomy

The DUMBer evaluation pipeline executes a combinatorial experiment grid:

• Population Construction: For each binary task (e.g., Bikes v Motorbikes), train $2 \times 3 \times 4 \times 10 = 240$ models, varying dataset, architecture, class balance, and training regime (one baseline, nine adversarial training strategies).
• Attack Orchestration: Apply 13 attacks—seven mathematical (FGSM, BIM, PGD, RFGSM, DeepFool, TIFGSM, Square), six non-mathematical (GaussianNoise, Grayscale, BoxBlur, SaltPepper, RandomOcclusion, ColorInvert).
• Deepfake Adaptation: Three attacks (FGSM, PGD, FPBA) across five architectures; adversarial samples crafted using $\varepsilon$-constrained budgets ($\epsilon=9/255$ in $\ell_\infty$).

The framework executes source-target transfer experiments: 24 baseline sources $\times$ 7 math attacks $\times$ 240 targets, plus non-math attacks on all targets, yielding over 130,000 cross-parameter evaluations per task (Marchiori et al., 23 Jun 2025). Computing resources are parallelized per (task, source, attack), with inference vectorization for scalability.

4. Metrics, Statistical Summaries, and Evaluation Protocols

Robustness is quantitatively assessed via:

Metric	Formula (as given)	Interpretation
Clean Accuracy	$$\mathrm{Acc_{clean}} = \frac{1}{N} \sum_{i=1}^N \mathbf{1}\{f(x_i) = y_i\}$$	Unattacked sample accuracy
Adversarial Accuracy	$$\mathrm{Acc_{adv}} = \frac{1}{N} \sum_{i=1}^N \mathbf{1}\{f(x_i + \delta_i) = y_i\}$$	Accuracy under perturbation
Attack Success Rate	$\mathrm{ASR} = 1 - \mathrm{Acc_{adv}}$	Fraction of successful attacks
Attack Mitigation Rate	$$\mathrm{AMR} = \frac{\mathrm{ASR_{base}} - \mathrm{ASR_{atk\_trained}}}{\mathrm{ASR_{base}}}$$	Relative robustness gain

Additional tools include bootstrapped 95% confidence intervals for AMR, and severity bucketing of ASR to partition results by attack strength.

For deepfake detectors (Serrano et al., 9 Jan 2026), the protocol measures area under the ROC curve (AUC) for clean accuracy, and reports ASR and AMR across DUMB cases—averaged by architecture and attack, and stratified by dataset shift (in-distribution vs out-distribution).

5. Adversarial Training Strategies and Population Diversity

Adversarial training (AT) is instantiated in several forms:

• Single-attack AT: FGSM-AT, PGD-AT—models trained with gradient-based attacks.
• Ensemble-AT: Training on multiple attack types.
• Surrogate-AT: AT examples crafted using a diversity of architectures.
• Curriculum and Adaptive AT: Online scheduling (increasing $\varepsilon$) and progressive attack difficulty.
• Non-mathematical AT: Image-based augmentations (Gaussian, noise, occlusion).

Deepfake-specific ensembles include spatial plus frequency-domain diversity (e.g., FPBA). Training splits allocate 80% clean and 20% adversarial samples with balanced attack and surrogate representation. All models are trained from scratch (no fine-tuning or pretraining artifacts).

6. Principal Findings and Practical Implications

DUMBer enables nuanced insights into attack and defense robustness:

• Adaptive adversarial training delivers peak AMR (up to $\sim$96%) against strong attacks, particularly on less complex tasks.
• Ensemble and Surrogate AT outperform single-attack defenses in dataset or balance mismatch scenarios, with ensemble diversity crucial for transfer robustness (Ens_Surr AMR$\sim$90% in cross-model cases).
• Non-mathematical training consistently improves robustness by 20–40%, especially in gray-box conditions.
• Architecture matching (U axis) is pivotal: transferability and ASR peak when attacker and victim architectures coincide. Exclusively white-box evaluation strongly overestimates robustness.
• Class balance exerts secondary effects: moderate imbalance slightly degrades robustness, but extreme imbalance amplifies transfer attack success.
• Cross-dataset generalization remains the limiting factor for adversarial training strategies—robustness gains dwindle and negative AMR emerges under out-of-distribution scenarios.

Practitioners are advised to:

• Combine augmentations with curriculum AT for anticipated black-box threats.
• Employ adaptive AT with validation on DUMBer-style diverse populations for security-sensitive deployments.
• Report robust and clean accuracy metrics, stratified by attack severity, with confidence intervals over DUMB axes.
• In deepfake applications, supplement AT with domain-generalization (e.g., compression invariance, hybrid detectors) for resilient out-of-distribution performance.

7. Benchmark Reproducibility and Future Research Directions

The DUMBer framework establishes a reproducible protocol—datasets, architectures, attacks, training regimes, and metrics—that supports transparent stress-testing of defenses. By systematically varying real-world deployment dimensions, it reveals the nuanced balance between transferability, model diversity, adversarial training, and operational threat model alignment.

A plausible implication is that future developments in adversarial robustness will necessitate synergy between AT and generalized domain adaptation strategies, especially to cope with ever-shifting data and architecture landscapes encountered in practice (Marchiori et al., 23 Jun 2025, Serrano et al., 9 Jan 2026).