Diffusion-Guided Adversarial Perturbation Injection for Generalizable Defense Against Facial Manipulations

📅 2026-04-02
🤖 AI Summary
Existing adversarial defense methods are constrained by pixel-level perturbation limits and reliance on white-box or GAN-specific assumptions, rendering them ineffective against the diverse deepfake attacks encountered in real-world scenarios. This work proposes AEGIS, a novel framework that introduces diffusion model guidance into adversarial defense by injecting perturbations in the latent space along the DDIM denoising trajectory. This approach decouples perturbation magnitude from pixel-space constraints, enabling adaptive amplification of adversarial effects. AEGIS overcomes conventional limitations by offering cross-model, general-purpose defense applicable to both white-box and black-box settings. Extensive experiments demonstrate that AEGIS consistently and significantly disrupts identity manipulation across various GAN- and diffusion-based deepfake models, while maintaining high perceptual image quality and exhibiting strong transferability.
📝 Abstract
Recent advances in GAN and diffusion models have significantly improved the realism and controllability of facial deepfake manipulation, raising serious concerns regarding privacy, security, and identity misuse. Proactive defenses attempt to counter this threat by injecting adversarial perturbations into images before manipulation takes place. However, existing approaches remain limited in effectiveness due to suboptimal perturbation injection strategies and are typically designed under white-box assumptions, targeting only simple GAN-based attribute editing. These constraints hinder their applicability in practical real-world scenarios. In this paper, we propose AEGIS, the first diffusion-guided paradigm in which the AdvErsarial facial images are Generated for Identity Shielding. We observe that the limited defense capability of existing approaches stems from the peak-clipping constraint, where perturbations are forcibly truncated due to a fixed $L_\infty$ bound. To overcome this limitation, instead of directly modifying pixels, AEGIS injects adversarial perturbations into the latent space along the DDIM denoising trajectory, thereby decoupling the perturbation magnitude from pixel-level constraints and allowing perturbations to adaptively amplify where most effective. The extensible design of AEGIS allows the defense to be expanded from purely white-box use to also support black-box scenarios through a gradient-estimation strategy. Extensive experiments across GAN and diffusion-based deepfake generators show that AEGIS consistently delivers strong defense effectiveness while maintaining high perceptual quality. In white-box settings, it achieves robust manipulation disruption, whereas in black-box settings, it demonstrates strong cross-model transferability.
Problem

Research questions and friction points this paper is trying to address.

facial manipulation
adversarial defense
deepfake
generalizable defense
black-box attack
Innovation

Methods, ideas, or system contributions that make the work stand out.

diffusion-guided
adversarial perturbation
latent space injection
generalizable defense
black-box transferability
Yue Li
Department of Computer Science and Technology, Nanjing University
Program Analysis, Programming Languages and Systems, Software Engineering

Linying Xue
College of Computer Science and Technology, National Huaqiao University, Xiamen 361021, China; Xiamen Key Laboratory of Data Security and Blockchain Technology, Xiamen 361021, China

Kaiqing Lin
Shenzhen University
Multimedia Forensics, Multimedia Security, Steganalysis

Hanyu Quan
Huaqiao University
Data Security, Data Privacy

Dongdong Lin
College of Computer Science and Technology, National Huaqiao University, Xiamen 361021, China; Xiamen Key Laboratory of Data Security and Blockchain Technology, Xiamen 361021, China

Hui Tian
College of Computer Science and Technology, National Huaqiao University, Xiamen 361021, China; Xiamen Key Laboratory of Data Security and Blockchain Technology, Xiamen 361021, China

Hongxia Wang
School of Cyber Science and Engineering, Sichuan University, Chengdu 610207, China

Bin Wang
Pengcheng Laboratory
Cloud Computing, IIoT, Green Computing, Computer Architecture