Konstantin Böttinger’s research while affiliated with Technical University of Munich and other places


Publications (62)


DeePen: Penetration Testing for Audio Deepfake Detection
  • Preprint

February 2025 · 13 Reads · Nicolas Müller · Adriana Stan · [...] · Konstantin Böttinger

Deepfakes - manipulated or forged audio and video media - pose significant security risks to individuals, organizations, and society at large. To address these challenges, machine learning-based classifiers are commonly employed to detect deepfake content. In this paper, we assess the robustness of such classifiers through a systematic penetration testing methodology, which we introduce as DeePen. Our approach operates without prior knowledge of or access to the target deepfake detection models. Instead, it leverages a set of carefully selected signal processing modifications - referred to as attacks - to evaluate model vulnerabilities. Using DeePen, we analyze both real-world production systems and publicly available academic model checkpoints, demonstrating that all tested systems exhibit weaknesses and can be reliably deceived by simple manipulations such as time-stretching or echo addition. Furthermore, our findings reveal that while some attacks can be mitigated by retraining detection systems with knowledge of the specific attack, others remain persistently effective. We release all associated code.






Harder or Different? Understanding Generalization of Audio Deepfake Detection

June 2024 · 18 Reads

Recent research has highlighted a key issue in speech deepfake detection: models trained on one set of deepfakes perform poorly on others. The question arises: is this due to the continuously improving quality of Text-to-Speech (TTS) models, i.e., are newer DeepFakes just 'harder' to detect? Or, is it because deepfakes generated with one model are fundamentally different to those generated using another model? We answer this question by decomposing the performance gap between in-domain and out-of-domain test data into 'hardness' and 'difference' components. Experiments performed using ASVspoof databases indicate that the hardness component is practically negligible, with the performance gap being attributed primarily to the difference component. This has direct implications for real-world deepfake detection, highlighting that merely increasing model capacity, the currently-dominant research trend, may not effectively address the generalization challenge.


Near Real-Time Detection and Rectification of Adversarial Patches

March 2024 · 12 Reads · 1 Citation

Neural networks tend to produce false predictions when exposed to adversarial examples. These incorrect predictions raise concerns about the safety and reliability of ML-based decision-making, presenting significant risks in real-world scenarios, particularly in the context of Autonomous Vehicles (AVs). Therefore, we propose a two-step method to address this issue. Firstly, we introduce a method to identify adversarial regions in the input samples, such as adversarial patches or stickers. Secondly, we leverage deep neural networks to correct the detected patches. This approach allows us to obtain accurate predictions from the neural networks after restoring the adversarial regions. Our evaluation results demonstrate that the proposed method is considerably faster than the average human response time, which includes traffic sign recognition and decision-making processes related to applying brakes or not. Additionally, we compare the impact of different restoration methods on the prediction results. Overall, the integration of the detection and correction methods within our proposed framework effectively mitigates the effect of adversarial examples in real-world scenarios.



Complex-valued neural networks for voice anti-spoofing

August 2023 · 23 Reads

Current anti-spoofing and audio deepfake detection systems use either magnitude spectrogram-based features (such as CQT or Melspectrograms) or raw audio processed through convolution or sinc-layers. Both methods have drawbacks: magnitude spectrograms discard phase information, which affects audio naturalness, and raw-feature-based models cannot use traditional explainable AI methods. This paper proposes a new approach that combines the benefits of both methods by using complex-valued neural networks to process the complex-valued, CQT frequency-domain representation of the input audio. This method retains phase information and allows for explainable AI methods. Results show that this approach outperforms previous methods on the "In-the-Wild" anti-spoofing dataset and enables interpretation of the results through explainable AI. Ablation studies confirm that the model has learned to use phase information to detect voice spoofing.



Citations (31)


... Data allows training deepfake detection methods, as well as measuring their progress. As such, many datasets are continuously proposed [1][2][3][4][5][6][7]. These datasets follow the emergence of recent TTS systems [8][9][10], or aim to extend the number of speakers or languages [5,6]. ...

Reference:

Unmasking real-world audio deepfakes: A data-centric approach
MLAAD: The Multi-Language Audio Anti-Spoofing Dataset
  • Citing Conference Paper
  • June 2024

... One alternative approach suggested by Mueller et al. [22] uses Variational Autoencoders to detect latent space dimensions with high label predictiveness and generate a set of images that differ in a single image attribute. ... (Footnote 1 in the citing paper: github.com/Arsu-Lab/Shortcut-Detection-Mitigation-Transformers)

Shortcut Detection With Variational Autoencoders
  • Citing Conference Paper
  • June 2024

... Bhagtani et al. [11] compared several recently proposed detection tools on their new dataset and demonstrated that synthetic speech detectors show significant drops in accuracy compared to their performance on training datasets. Similarly, Muller et al. [57] evaluated the performance of various detection tools on in- and out-of-domain test data. Their findings confirm that these existing detection tools do not generalize well to unseen data. ...

Harder or Different? Understanding Generalization of Audio Deepfake Detection
  • Citing Conference Paper
  • September 2024

... The objective of this section is to analyse some of the threats posed by deepfakes and outline their mitigation methods. Identifying deepfakes is the first step, using deep learning to detect digital artifacts like facial inconsistencies (Müller, N. et al., 2023). The next step is to protect video surveillance systems from hacking, employing biometric authentication, encryption, and network monitoring to secure data (Vennam, P. et al., 2021). The final part of this chapter discusses algorithms for cyberattack detection, such as CNNs and RNNs, which help detect anomalies in video frames and patterns of suspicious activity (Wodajo, D. & Atnafu, S., 2021). ...

Complex-valued neural networks for voice anti-spoofing
  • Citing Conference Paper
  • August 2023

... The observed performance of the models on the data sets is largely consistent with results from earlier studies conducted by other authors [37], [38]. Differences in performance between the data sets are likely attributable to the varying complexities present in each data set. ...

R2-AD2: Detecting Anomalies by Analysing the Raw Gradient
  • Citing Chapter
  • March 2023

Lecture Notes in Computer Science

... Adversarial weather attacks. In contrast, adversarial attacks that imitate weather effects have been investigated for classification [7,8,16,23,53], object detection [8,35,52], instance segmentation [8], human pose estimation [44] or autonomous steering [21]. They range from rain [8,23,35,52] over snow [8,16,23] to fog [7,16,21] and shadows [53]. ...

Assessing the Impact of Transformations on Physical Adversarial Attacks
  • Citing Conference Paper
  • November 2022

... For example, the entropy of a given layer, as well as the closely-related mutual information, have recently been evaluated via replica methods in [32]. Entropy has also been proposed as a training mechanism in the context of adversarial learning in [33]; see also [34,35]. Additionally, estimates of f-divergences (of which the KL divergence is perhaps the canonical example) are relevant for generative adversarial networks, see e.g., [36]. ...

Optimizing Information Loss Towards Robust Neural Networks
  • Citing Conference Paper
  • October 2022

... The effectiveness of GAN-based techniques, which use a generative adversarial network, can be reduced without any knowledge of the attack (Samangouei et al., 2018). From gradient masking techniques, which modify the gradients of input data, both gradient penalization (Lyu et al., 2016) and loss function minimization (Muller et al., 2021) cannot defend well against black-box attacks. Gradient regularization techniques, which add constraints to the objective function during training, cannot improve significantly the robustness of the neural network without reducing the accuracy of the model (Moosavi-Dezfooli, 2019). ...

Defending Against Adversarial Denial-of-Service Data Poisoning Attacks
  • Citing Conference Paper
  • October 2022

... Our experiments utilize multiple diverse datasets containing bonafide and synthetically spoofed audio samples that were created using various synthesis methods. We specifically selected datasets that reflect distinct class distributions, thereby allowing comprehensive evaluation under realistic scenarios: ASVspoof2019 [20] is significantly skewed toward spoof samples, making it challenging for models to correctly identify genuine audio; In-the-Wild [21] predominantly comprises bonafide samples, testing the models' sensitivity and specificity in a practical context; and WaveFake [22] presents a balanced dataset equally composed of spoofed and bonafide samples, providing a controlled setting for evaluating model generalization and robustness. Table 1 summarizes key dataset characteristics. ...

Does Audio Deepfake Detection Generalize?
  • Citing Conference Paper
  • September 2022