Adversarial Robustness and Deepfake Detection: Content Identity as Detection Substrate

Mechanism

The mechanism rests on a simple structural observation. A legitimately produced piece of content carries a coherent statistical signature across multiple representational bands: low-frequency luminance for imagery, harmonic envelope for audio, layout-block geometry for documents, and tokenisation rhythm for text. These signatures are not independent; they are mutually constrained by the underlying production process. A photograph of a real scene exhibits a particular relationship between its low-frequency luminance distribution and its high-frequency edge distribution because both are produced by the same optical chain. An audio recording of a real source exhibits a particular relationship between its harmonic envelope and its noise floor because both are produced by the same acoustic chain. Adversarial generation and adversarial editing tend to disturb these cross-band relationships even when each individual band looks plausible in isolation.

The content anchoring system computes a structural-variance descriptor for each band of an admitted artefact at the moment of admission. The descriptors are committed jointly into the anchor, alongside a transform manifest that records the bounded operations the artefact may legitimately undergo without invalidating the anchor. The transform manifest is not a list of edits the artefact has received; it is a declaration of the perturbation envelope inside which the anchor remains a valid identity for the content. Operations inside the envelope, such as a reasonable re-encoding, a colour-space conversion, or a mild geometric transform, leave the cross-band relationships intact. Operations outside the envelope disturb the relationships and produce a structural signature that no longer matches the committed descriptors.

Cross-band corroboration is the verification half of the mechanism. When an artefact is presented for verification, the system recomputes the descriptors and compares them not only against the committed values but also against each other through the relationships recorded in the anchor. A perturbation that alters one band while leaving another untouched, which is the typical signature of a region-level deepfake or a localised adversarial patch, registers as a corroboration failure even when the altered band's individual descriptor remains within its tolerance window. The detection event is the inconsistency, not the deviation; this is what makes the mechanism robust to adversaries who optimise their perturbations to stay within per-band tolerances.

Absence of legitimate lineage is the third leg. Content that was never anchored has no committed descriptors against which to corroborate. The verification path treats the absence of an anchor as a distinct outcome from a corroboration failure: the artefact is not declared forged but is declared unverified, and downstream consumers can apply policy that distinguishes anchored corroborated artefacts from unanchored artefacts and from anchored artefacts whose corroboration failed. The three outcomes carry different risk profiles, and the system is careful not to collapse them into a single binary.

The mechanism is not a classifier in the machine-learning sense; it does not learn to recognise forgeries by example. It is a structural test that asks whether an artefact's measured signature is consistent with a previously committed signature under a bounded transform. This places the mechanism in a different security regime from classifier-based detection: it cannot be defeated by training a generator against it, because the test is not an adversarial loss to optimise against but a fixed structural relation to satisfy. An adversary who wishes to produce content that passes the test must reproduce the committed descriptors, which requires possession of the original anchor, which requires legitimate lineage.

Operating Parameters

The system exposes a small set of parameters that govern the perturbation envelope and the corroboration sensitivity. The transform manifest enumerates allowed bounded operations and, for each, the bound on its parameters; for example, a re-encoding bound might admit any encoder within a specified bitrate range, while a geometric bound might admit affine transforms with determinant within a specified range. The bounds are committed at admission time and cannot be retroactively widened.

Per-band tolerance windows define the maximum descriptor deviation that an individual band may exhibit before its descriptor is treated as out-of-window. The windows are calibrated to the natural variability of each band under the allowed bounded operations, with margin for substrate noise. A band whose descriptor remains in-window contributes positively to the corroboration; a band that drifts out-of-window contributes negatively, and the overall corroboration outcome is a function of the per-band contributions and of the cross-band relationship checks.

Cross-band relationship parameters specify which pairs and triples of bands must remain mutually consistent and the tolerances for each relationship. A typical configuration for imagery enforces consistency between low-frequency luminance and high-frequency edge structure; a typical configuration for audio enforces consistency between harmonic envelope and noise floor. The relationships are committed at admission time and travel with the anchor; verification cannot use a different relationship set than the one committed.

Detection thresholds define the boundary at which a corroboration failure is declared. The thresholds are not single scalars but a structured tuple: a per-band contribution threshold, a cross-band relationship threshold, and an aggregate threshold that combines them. The aggregate is consulted only after the per-band and cross-band components are individually evaluated, so that a verifier can report which axis of the test produced the failure. This compound reporting is what allows downstream consumers to distinguish a regional perturbation from a global re-encoding error.

Lineage-absence policy parameters govern how unanchored content is handled. The default policy treats absence as an unverified status, neither passing nor failing the test; alternative policies may declare absence as a failing status for high-assurance contexts in which only anchored content is admitted. The policy is itself a committed object and can be referenced by name from downstream consumers without coupling them to its specific contents.

Alternative Embodiments

The mechanism admits embodiments tailored to different media. For imagery, the bands are typically luminance, chrominance, edge structure, and texture; for audio, they are harmonic envelope, noise floor, transient structure, and spectral flatness; for documents, they are layout-block geometry, glyph distribution, kerning rhythm, and inter-paragraph spacing. The structural-variance descriptor is parameterised by the band set, but the surrounding machinery, the transform manifest, the corroboration logic, and the detection thresholds, is identical across media.

In one embodiment, the bands are computed at multiple scales, producing a pyramid of descriptors. The pyramid embodiment is appropriate for content that may be re-sampled aggressively in legitimate processing, because cross-scale corroboration provides resilience against scale-dependent perturbations. In a complementary embodiment, the bands are computed at a single scale and the pyramid is replaced by a denser per-band feature set; this is appropriate for content that is unlikely to be re-sampled but may be subject to subtle within-scale edits.

In a further embodiment, the transform manifest is stratified by trust level. Operations at the lowest trust level are admitted without any additional commitment; operations at higher trust levels require the producer of the operation to commit a lineage entry recording the operation's parameters. This stratification permits a flexible policy in which routine re-encodings flow without friction while substantive edits are recorded explicitly. The verifier's behaviour adapts to the trust level: a stratified manifest produces a stratified corroboration outcome.

A composite-content embodiment handles artefacts assembled from multiple anchored sources. Each constituent retains its own anchor, and the composite carries a binding object that records which constituents are present and the geometric or temporal relationships between them. Verification of the composite consults the constituent anchors and verifies the binding; a perturbation that alters a constituent or that disturbs the composite's binding produces a corroboration failure on the relevant axis. This embodiment is essential for video, which is naturally a composite of frames and audio segments, and for documents, which are naturally composites of text, imagery, and layout.

A streaming embodiment continuously commits anchors as the content is produced rather than committing a single anchor at admission. This is appropriate for live capture, in which the content has no single moment of admission. Each committed anchor covers a window of the stream, and verification evaluates each window independently and the inter-window consistency. Adversarial substitutions that span window boundaries are exposed as inter-window failures.

Composition

Adversarial robustness composes with the pre-release admissibility primitive: an artefact that fails admissibility cannot acquire an anchor in the first place, so the detection substrate is populated only by content that has already passed governance. This produces a clean separation between content that was never admitted (no anchor, unverified status) and content that was admitted and may or may not retain corroboration (anchor present, corroborates or fails).

Composition with the lineage primitive is the source of the mechanism's audit story. Every committed anchor, every transform-manifest entry, and every detected corroboration failure becomes a lineage event, so the history of an artefact can be reconstructed end to end. A downstream consumer can not only ask whether an artefact is currently corroborating but can also ask when it last corroborated, what bounded operations it has been subject to, and which axis of the test produced any failures it has accumulated.

Composition with policy evaluation permits high-level governance to express requirements in terms of the corroboration outcome rather than in terms of band-level descriptors. A policy that admits only anchored, currently corroborating content can be expressed and evaluated against the lineage offline. A policy that admits anchored content with a stratified-manifest history but no high-trust failures can likewise be expressed; the policy layer composes with the detection layer through stable, named outcome values.

Composition with cross-substrate distribution preserves the anchor across boundaries. Because the descriptors and the transform manifest travel with the artefact rather than residing in a registry, an artefact migrated from one substrate to another can be verified at the destination using the same machinery. The detection substrate is, in this sense, portable, and a verifier requires no out-of-band coordination with the original admission point.

Prior-Art Differentiation

Conventional deepfake detection systems are predominantly classifier-based: a model is trained on labelled examples of real and synthetic content, and the classifier produces a probability estimate. These systems are vulnerable to adversaries who train generators against the classifier, and they tend to degrade rapidly as new generative architectures appear. The present mechanism is not a classifier and does not have a training-time exposure surface; it is a structural test against committed descriptors, and it cannot be defeated by improving a generator.

Watermarking systems embed a signal into content at production time and detect the signal at verification time. Watermarks address a related problem but are vulnerable to legitimate processing that disturbs the embedding, and they tend to require a tradeoff between robustness and imperceptibility. The present mechanism does not modify the content; it derives descriptors from the content's natural structural variance and commits them externally. The artefact is bit-exact with what would have been produced without anchoring, and the bounded transforms in the manifest preserve the anchor without requiring any embedded signal to survive.

Hash-based provenance systems commit a cryptographic hash of the artefact and verify by recomputing the hash. These systems fail under any legitimate processing because cryptographic hashes are deliberately fragile to perturbation. The present mechanism's bounded-transform manifest is the structural extension that makes anchoring usable in production: it admits the operations that legitimate processing requires while still committing to the content's identity.

Metadata-based provenance systems, including those built on the C2PA family of specifications, depend on producers attaching signed metadata to content and on that metadata surviving downstream processing. They are vulnerable to metadata stripping and to producers who fail to participate. The present mechanism derives its detection substrate from the content itself, not from attached metadata, so stripping a metadata block does not remove the anchor's verifiability against the committed descriptors.

The closest prior art in structural-feature analysis comes from the forensic-signal-processing literature, which has long studied per-band statistics of natural content. The novel contribution here is the joint commitment of cross-band relationships, the bounded-transform manifest as a first-class committed object, and the integration of all three legs (descriptor match, cross-band corroboration, lineage absence) into a single structural test that distinguishes three outcome classes rather than two.

Disclosure Scope

The disclosure encompasses the joint commitment of per-band structural-variance descriptors and cross-band relationships, the bounded-transform manifest as a committed object, and the three-class verification outcome that distinguishes anchored corroborating, anchored failing, and unanchored content. It encompasses the per-medium embodiments (imagery, audio, document, text), the multi-scale and single-scale variants, the stratified-trust-level manifest, the composite-content binding object, and the streaming embodiment with windowed anchors and inter-window consistency.

The disclosure does not constrain the specific descriptor functions used per band, the specific cross-band relationships chosen, or the specific tolerances. These are deployment choices that depend on the medium and the threat model. The disclosure does constrain the structural properties: descriptors must be derived from the content's natural statistics rather than from an embedded signal, the manifest must be committed at admission time and may not be retroactively widened, and the verification outcome must distinguish the three classes rather than collapse them.

The disclosure is filed under Provisional 63/808,372 and forms a structural primitive of the content anchoring system. A system that omits the cross-band corroboration is outside the disclosure, as is a system whose manifest is not committed or whose three-class outcome is collapsed to a binary. The structural properties are jointly necessary; no proper subset is sufficient.