In light of recent advancements in generative AI models, it has become essential to distinguish genuine content from AI-generated one to prevent the malicious usage of fake materials as authentic ones and vice versa. Various techniques have been introduced for identifying AI-generated images, with watermarking emerging as a promising approach. In this paper, we analyze the robustness of various AI-image detectors including watermarking and classifier-based deepfake detectors. For watermarking methods that introduce subtle image perturbations (i.e., low perturbation budget methods), we reveal a fundamental trade-off between the evasion error rate (i.e., the fraction of watermarked images detected as non-watermarked ones) and the spoofing error rate (i.e., the fraction of non-watermarked images detected as watermarked ones) upon an application of diffusion purification attack. To validate our theoretical findings, we also provide empirical evidence demonstrating that diffusion purification effectively removes low perturbation budget watermarks by applying minimal changes to images. The diffusion purification attack is ineffective for high perturbation watermarking methods where notable changes are applied to images. In this case, we develop a model substitution adversarial attack that can successfully remove watermarks. Moreover, we show that watermarking methods are vulnerable to spoofing attacks where the attacker aims to have real images identified as watermarked ones, damaging the reputation of the developers. In particular, with black-box access to the watermarking method, a watermarked noise image can be generated and added to real images, causing them to be incorrectly classified as watermarked. Finally, we extend our theory to characterize a fundamental trade-off between the robustness and reliability of classifier-based deep fake detectors and demonstrate it through experiments.

翻译：鉴于生成式AI模型的最新进展，区分真实内容与AI生成内容以防止虚假材料被恶意用作真实材料（反之亦然）已变得至关重要。目前已提出多种识别AI生成图像的技术，其中水印技术成为颇具前景的方法。本文分析了包括水印和基于分类器的深度伪造检测器在内的各类AI图像检测器的鲁棒性。对于引入细微图像扰动（即低扰动预算方法）的水印技术，我们发现应用扩散净化攻击后，逃避错误率（即被检测为非水印图像的水印图像比例）与欺骗错误率（即被检测为水印图像的非水印图像比例）之间存在基本权衡关系。为验证理论发现，我们还提供经验证据表明，扩散净化通过对图像施加最小改动，能有效去除低扰动预算水印。对于对图像施加显著改动的高扰动水印方法，扩散净化攻击效果不佳。在此情形下，我们开发了一种模型替代对抗攻击，可成功移除水印。此外，我们证明水印方法易受欺骗攻击——攻击者旨在使真实图像被识别为水印图像，从而损害开发者声誉。具体而言，在黑盒访问水印方法的情况下，可生成水印噪声图像并将其添加至真实图像，导致其被错误分类为水印图像。最后，我们将理论扩展至刻画基于分类器的深度伪造检测器的鲁棒性与可靠性之间的基本权衡关系，并通过实验加以验证。