A reliable deepfake detector or spoofing countermeasure (CM) should be robust in the face of unpredictable spoofing attacks. To encourage the learning of more generalisable artefacts, rather than those specific only to known attacks, CMs are usually exposed to a broad variety of different attacks during training. Even so, the performance of deep-learning-based CM solutions is known to vary, sometimes substantially, when they are retrained with different initialisations, hyper-parameters or training data partitions. We show in this paper that the potency of spoofing attacks, also deep-learning-based, can similarly vary according to training conditions, sometimes resulting in substantial degradations to detection performance. Nevertheless, while a RawNet2 CM model is vulnerable when only modest adjustments are made to the attack algorithm, those based upon graph attention networks and self-supervised learning are reassuringly robust. The focus upon training data generated with different attack algorithms might not be sufficient on its own to ensure generalisability; some form of spoofing attack augmentation at the algorithm level can be complementary.