Malicious use of deepfakes leads to serious public concerns and reduces people's trust in digital media. Although effective deepfake detectors have been proposed, they are substantially vulnerable to adversarial attacks. To evaluate the detector's robustness, recent studies have explored various attacks. However, all existing attacks are limited to 2D image perturbations, which are hard to translate into real-world facial changes. In this paper, we propose adversarial head turn (AdvHeat), the first attempt at 3D adversarial face views against deepfake detectors, based on face view synthesis from a single-view fake image. Extensive experiments validate the vulnerability of various detectors to AdvHeat in realistic, black-box scenarios. For example, AdvHeat based on a simple random search yields a high attack success rate of 96.8% with 360 searching steps. When additional query access is allowed, we can further reduce the step budget to 50. Additional analyses demonstrate that AdvHeat is better than conventional attacks on both the cross-detector transferability and robustness to defenses. The adversarial images generated by AdvHeat are also shown to have natural looks. Our code, including that for generating a multi-view dataset consisting of 360 synthetic views for each of 1000 IDs from FaceForensics++, is available at https://github.com/twowwj/AdvHeaT.

翻译：深度伪造的恶意使用引发了严重的公众担忧，并削弱了人们对数字媒体的信任。尽管已提出有效的深度伪造检测器，但它们对对抗性攻击仍存在显著脆弱性。为评估检测器的鲁棒性，近期研究探索了多种攻击方式。然而，现有攻击均局限于二维图像扰动，难以转化为真实世界的人脸变化。本文提出对抗性头部转动（AdvHeat）——首个针对深度伪造检测器的三维对抗性人脸视角攻击方法，该方法基于单视角伪造图像的人脸视角合成技术实现。大量实验验证了各类检测器在真实黑盒场景下对AdvHeat的脆弱性。例如，基于简单随机搜索的AdvHeat在360次搜索步骤中达到96.8%的高攻击成功率；若允许额外查询访问，可进一步将步骤预算降低至50次。附加分析表明，AdvHeat在跨检测器迁移性和防御鲁棒性两方面均优于传统攻击。经AdvHeat生成的对抗性图像同样展现出自然外观。我们的代码（包含生成FaceForensics++中1000个身份各360个合成视图的多视角数据集）已开源至https://github.com/twowwj/AdvHeaT。