> I can't help but feel that this is a futile field to work in.
Considering that training a model costs thousands of dollars, and that people reuse models instead of training from scratch, I somewhat disagree with this in general, for now.
But this specific technique implies the attacker sees the result, which means they can try different models until one does not produce artifacts.
Models come in a broad spectrum, and while it's true that GPT-3 costs a ton, many do not. Any mobile-ready, Snapchat-esque real-time deepfake filter will typically be super fast and cheap to train (since the model has to be lightweight to run on a phone). There's also transfer learning from an expensive model, which could easily be modified to remove whatever 'architecture flagging' is built into the structure.
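To make the transfer-learning point concrete, here is a toy sketch of the idea: an attacker reuses the expensive pretrained layers but drops whatever named component embeds the detectable artifacts, then attaches a cheap new head. The model representation, layer names (`watermark_head`, `clean_head`), and the `transfer` function are all hypothetical, purely for illustration; a real attack would do this against an actual framework's layer graph.

```python
# Hypothetical sketch: transfer learning that drops a "flagged" layer.
# The model is modeled as an ordered list of (name, weights) pairs;
# all names here are made up for illustration, not any real API.

def transfer(pretrained, drop=("watermark_head",), new_head=None):
    """Copy pretrained layers, skipping any 'architecture flagging'
    layers by name, then attach a freshly initialized head."""
    reused = [(name, w) for name, w in pretrained if name not in drop]
    if new_head is not None:
        reused.append(new_head)
    return reused

# Expensive pretrained model with a hypothetical artifact-producing head.
pretrained = [
    ("conv1", [0.1, 0.2]),
    ("conv2", [0.3, 0.4]),
    ("watermark_head", [9.9]),  # layer assumed to embed detectable artifacts
]

# Reuse the costly layers, replace the flagged head with a cheap new one.
student = transfer(pretrained, new_head=("clean_head", [0.0, 0.0]))
```

The point is only that the expensive part of training (the reused layers) and the artifact-producing part (the head) need not be the same component, so the cost argument doesn't protect the flagging.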