Backbone is All You Need: Assessing Vulnerabilities of Frozen Foundation Models in Synthetic Image Forensics

Authors: Chiara Musso, Joy Battocchio, Andrea Montibeller, Giulia Boato

Published: 2026-05-13 11:35:56+00:00

AI Summary

This paper introduces the Surrogate Iterative Adversarial Attack (SIAA), a gray-box attack that exploits knowledge of a Vision Transformer (ViT) backbone to undermine synthetic image detectors. SIAA operates by training a surrogate feature-processing head to align ViT features with CLIP text embeddings, then uses Projected Gradient Descent (PGD) in this feature space to craft adversarial examples. The attack achieves high success rates, often comparable to white-box attacks, highlighting a critical vulnerability in ViT-based deepfake detection models.

Abstract

As AI-generated synthetic images become increasingly realistic, Vision Transformers (ViTs) have emerged as a cornerstone of modern deepfake detection. However, the prevailing reliance on frozen, pre-trained backbones introduces a subtle yet critical vulnerability. In this work, we present the Surrogate Iterative Adversarial Attack (SIAA), a gray-box attack that exploits knowledge of the detector's ViT backbone alone and operates entirely within the target detector's feature space to craft highly effective adversarial examples. Through our experiments, involving multiple ViT-based detectors and diverse gray-box scenarios, including few-shot learning, complete training misalignment and attack transferability tests, we demonstrate that this vulnerability consistently yields high attack success rates, often approaching white-box performance. By doing so, we reveal that backbone knowledge alone is sufficient to undermine detector reliability, highlighting the urgent need for more resilient defenses in adversarial multimedia forensics.