Attack Surface Diversification

The adversarial robustness problem in AI-generated image detection is, at its core, a problem of attack surface geometry. A detector that relies on a single feature space — say, the activations of a CNN trained on GAN-generated images — presents a coherent, navigable attack surface. An adversary who understands that feature space can craft perturbations that move images across the decision boundary with minimal perceptual impact. The literature on adversarial examples has demonstrated this repeatedly, for classifiers of every architecture and training paradigm.

Heterogeneous detection ensembles change the geometry of this problem fundamentally. When a system derives its confidence from multiple, independent signal sources operating in different feature spaces, the adversary faces not one decision boundary but several — and the boundaries exist in spaces that share no common axes. Perturbing an image to evade a learned classifier may introduce metadata inconsistencies. Removing metadata to avoid provenance analysis does not address spectral artifacts. Adding noise to confound statistical forensics does not fix anatomical implausibility. Each evasion strategy addresses one dimension while leaving others intact or actively worsened.

We formalize this as attack surface diversification: the principle that detection robustness scales with the orthogonality of the signal sources, not merely with the accuracy of any individual source. A system that achieves 85% accuracy through five independent 70%-accurate signals is more robust than a system that achieves 90% accuracy through a single model, because the former requires an adversary to simultaneously defeat five unrelated analysis methods. The probability of simultaneous evasion is the product of individual evasion probabilities — a number that shrinks rapidly with each additional orthogonal dimension.

This has practical implications for system design. Homogeneous ensembles — multiple CNNs trained on the same data with different random seeds, or multiple runs of the same architecture with different hyperparameters — share attack surfaces. They achieve higher accuracy through variance reduction, a useful property for clean-data benchmarks. But they are vulnerable to the same adversarial perturbations, because the underlying feature spaces are correlated. Adversarial transferability between similar architectures is well-documented. Heterogeneous ensembles, by contrast, combine fundamentally different analysis modalities: metadata-level, pixel-level, semantic-level, and learned features. The feature spaces are not merely different. They are incommensurable.

Our architecture embodies this principle. Each layer operates in a different feature space and uses a fundamentally different computational approach. Provenance analysis is deterministic and rule-based. Statistical forensics is parametric but model-free. Semantic reasoning is powered by general-purpose vision-language models with no detection-specific training. Specialized classifiers use supervised learning on curated detection datasets. The diversity is intentional, architectural, and — we believe — essential for any system that must operate in an adversarial environment rather than a controlled benchmark.

We do not claim that this approach is immune to adversarial attack. No detection system is, and claims of adversarial immunity should be treated with the same skepticism as claims of unhackable software. What we claim is that heterogeneous fusion raises the cost of evasion from trivial to significant, and that the cost-of-evasion metric is ultimately more meaningful than the accuracy-on-clean-data metric that dominates academic benchmarks. In the real world, attackers optimize for cost. Defenses should be designed to maximize it.

The open question — and it is genuinely open — is how to calibrate confidence when signal sources disagree. When metadata says "real" and spectral analysis says "synthetic," which do you trust? When the VLM is confident and the statistical layer is uncertain, how should their signals be weighted? Our current approach uses confidence-weighted averaging with empirically tuned weights, but we suspect that condition-dependent fusion — adjusting weights based on the reliability of each signal under the specific characteristics of the input — will yield meaningful improvements. Adaptive fusion under disagreement is an active area of our research.

The arms race between generation and detection will not end. Each improvement in generation capability will require corresponding improvements in detection methodology. But the structural advantage of heterogeneous ensembles is durable: as long as detection can draw on fundamentally different analytical approaches, the cost of comprehensive evasion will remain high. An adversary who must fool physics, statistics, semantics, and learned features simultaneously faces a harder problem than one who must fool only one of them. That asymmetry is the foundation on which robust detection systems must be built.