🤖 AI Summary
Current deepfake detectors suffer significant performance degradation under query-free, cross-architecture black-box adversarial transfer settings, such as from CNNs to Transformers. To address this challenge, this work proposes ARMOR++, the first multi-agent adversarial attack framework that integrates a large language model (Qwen3) with a vision-language model (Qwen2.5-VL). ARMOR++ leverages semantic-guided spatial priors and a dynamic orchestration mechanism to adaptively schedule and blend five complementary attack primitives: dense optimization, saliency-based perturbation, spatial transformation, frequency-domain perturbation, and block-structure modification. Evaluated on the AADD-2025 benchmark, ARMOR++ substantially outperforms existing methods, achieving higher blind-target attack success rates across both high- and low-quality inputs and under strong defensive configurations.
📝 Abstract
The reliability of deepfake detectors frequently degrades under black-box adversarial transfer, as these models often rely on fragile, architecture-dependent forensic cues. Existing transfer attacks often lack semantic awareness and struggle to maintain effectiveness under strict no-query constraints, particularly when perturbations are transferred from convolutional surrogates to transformer-based targets. To address these limitations, this paper introduces ARMOR++, a robust multi-agent framework designed for high-transferability deepfake evasion. The framework leverages the Qwen2.5-VL Vision-Language Model (VLM) to supply spatial semantic priors, while the Qwen3 Large Language Model (LLM) orchestrates primitive selection, adaptive hyperparameter reparameterization, and entropy-regularized perturbation mixing. By integrating five complementary primitives, spanning dense optimization, saliency-based methods, spatial transformations, frequency-domain perturbations, and block-structured modifications, ARMOR++ effectively targets heterogeneous inductive biases. Rigorous evaluation on the AADD-2025 benchmark demonstrates that ARMOR++ significantly outperforms existing agentic and non-agentic baselines across both low- and high-quality image regimes. Statistical analysis confirms a substantial gain in blind-target Attack Success Rate (ASR) over the state-of-the-art agentic baseline, with further performance advantages evidenced against non-agentic benchmarks and under robust defensive configurations. These findings highlight a significant residual reliability gap in current deepfake detector deployments and demonstrate the efficacy of agentic orchestration in identifying latent vulnerabilities.