ARMOR++: Agentic Orchestration of a Multi-Domain Primitive Set for Transferable Attacks on Deepfake Detectors

📅 2026-07-16
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Current deepfake detectors suffer significant performance degradation under query-free, cross-architecture black-box adversarial transfer settings, such as from CNNs to Transformers. To address this challenge, this work proposes ARMOR++, the first multi-agent adversarial attack framework that integrates a large language model (Qwen3) with a vision-language model (Qwen2.5-VL). ARMOR++ leverages semantic-guided spatial priors and a dynamic orchestration mechanism to adaptively schedule and blend five complementary attack primitives: dense optimization, saliency-based perturbation, spatial transformation, frequency-domain perturbation, and block-structure modification. Evaluated on the AADD-2025 benchmark, ARMOR++ substantially outperforms existing methods, achieving higher blind-target attack success rates across both high- and low-quality inputs and under strong defensive configurations.
📝 Abstract
The reliability of deepfake detectors frequently degrades under black-box adversarial transfer, as these models often rely on fragile, architecture-dependent forensic cues. Existing transfer attacks often lack semantic awareness and struggle to maintain effectiveness under strict no-query constraints, particularly when perturbations are transferred from convolutional surrogates to transformer-based targets. To address these limitations, this paper introduces ARMOR++, a robust multi-agent framework designed for high-transferability deepfake evasion. The framework leverages the Qwen2.5-VL Vision-Language Model (VLM) to supply spatial semantic priors, while the Qwen3 Large Language Model (LLM) orchestrates primitive selection, adaptive hyperparameter reparameterization, and entropy-regularized perturbation mixing. By integrating five complementary primitives, spanning dense optimization, saliency-based methods, spatial transformations, frequency-domain perturbations, and block-structured modifications, ARMOR++ effectively targets heterogeneous inductive biases. Rigorous evaluation on the AADD-2025 benchmark demonstrates that ARMOR++ significantly outperforms existing agentic and non-agentic baselines across both low- and high-quality image regimes. Statistical analysis confirms a substantial gain in blind-target Attack Success Rate (ASR) over the state-of-the-art agentic baseline, with further performance advantages evidenced against non-agentic benchmarks and under robust defensive configurations. These findings highlight a significant residual reliability gap in current deepfake detector deployments and demonstrate the efficacy of agentic orchestration in identifying latent vulnerabilities.
Problem

Research questions and friction points this paper is trying to address.

deepfake detectors
adversarial transfer
black-box attacks
semantic awareness
no-query constraints
Innovation

Methods, ideas, or system contributions that make the work stand out.

agentic orchestration
transferable adversarial attack
vision-language model
multi-domain primitives
deepfake detector evasion
🔎 Similar Papers
No similar papers found.
C
Christos Korgialas
Department of Informatics, Aristotle University of Thessaloniki, Thessaloniki, Greece
G
Gabriel Lee Jun Rong
Infocomm Technology Cluster, Singapore Institute of Technology, Singapore
D
Dion Jia Xu Ho
Department of Applied Physics and Applied Mathematics, Columbia University, New York, NY, USA
P
Pai Chet Ng
Infocomm Technology Cluster, Singapore Institute of Technology, Singapore
Xiaoxiao Miao
Xiaoxiao Miao
Duke Kunshan University
Speech PrivacySpeaker and Language IdentificationSpeech Synthesis
K
Konstantinos N. Plataniotis
Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON, Canada