Attack on Practical Speaker Verification System Using Universal Adversarial Perturbations

Abstract: In authentication scenarios, applications of practical speaker verification systems usually require a person to read a dynamic authentication text. Previous studies played an audio adversarial example as a digital signal to perform physical attacks, which would be easily rejected by audio replay detection modules. This work shows that by playing our crafted adversarial perturbation as a separate source when the adversary is speaking, the practical speaker verification system will misjudge the adversary as a ta… Show more

“…We use L ∞ and L 2 norms to quantify the perturbation magnitude in adversarial example generation, and adopt SNR and PESQ to measure the imperceptibility of crafted adversarial voices. These metrics have been widely adopted in the literature [9], [10], [11], [13], [14], [15], [16] and in general, can consistently reflect the degree of distortions according to our experimental results. Moreover, PESQ is an objective perceptual measure simulating the human auditory system [62].…”

“…Recently, adversarial attacks on speaker recognition have been extensively studied [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17]. Results show that both state-of-the-art open-source and commercial SRSs can be fooled by adding small perturbations to the original voice, even playing over the air in the physical world.…”

“…A.1 Details of the Datasets Spk 10 -enroll consists of 10 speakers (5 males and 5 females), 10 voices per speaker. The speakers are randomly selected from the "test-other" and "dev-other" subsets of the popular dataset Librispeech [9], [10], [11], [15], [57]. For each speaker, we select the top-10 longest voices in order to have better enrollment embedding [98], [99].…”

“…The popularity of SRSs has brought new security concerns. Recent studies have shown that both open-source and commercial SRSs are vulnerable to adversarial attacks [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17]. To thwart adversarial attacks, five input transformations [15], [16], [18], [19] and two adversarial training [9], derived from other domains, have been studied.…”

“…To thoroughly evaluate the defenses, we extend and implement all the recent promising adversarial attacks [7], [8], [9], [10], [15], [16], [17], [21], including 4 white-box attacks and 3 black-box attacks. The evaluation on 22 concrete attacks shows that the effectiveness of transformations does not necessarily decrease with increase of both distortion and attack strength, and their effectiveness varies with attacks, e.g., two time-domain transformations are more effective than others against L ∞ attacks (i.e., perturbations are limited in L ∞ norm) and feature-level transformations are often more effective than others against L 2 white-box attacks.…”

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

“…We use L ∞ and L 2 norms to quantify the perturbation magnitude in adversarial example generation, and adopt SNR and PESQ to measure the imperceptibility of crafted adversarial voices. These metrics have been widely adopted in the literature [9], [10], [11], [13], [14], [15], [16] and in general, can consistently reflect the degree of distortions according to our experimental results. Moreover, PESQ is an objective perceptual measure simulating the human auditory system [62].…”

“…Recently, adversarial attacks on speaker recognition have been extensively studied [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17]. Results show that both state-of-the-art open-source and commercial SRSs can be fooled by adding small perturbations to the original voice, even playing over the air in the physical world.…”

“…A.1 Details of the Datasets Spk 10 -enroll consists of 10 speakers (5 males and 5 females), 10 voices per speaker. The speakers are randomly selected from the "test-other" and "dev-other" subsets of the popular dataset Librispeech [9], [10], [11], [15], [57]. For each speaker, we select the top-10 longest voices in order to have better enrollment embedding [98], [99].…”

“…The popularity of SRSs has brought new security concerns. Recent studies have shown that both open-source and commercial SRSs are vulnerable to adversarial attacks [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17]. To thwart adversarial attacks, five input transformations [15], [16], [18], [19] and two adversarial training [9], derived from other domains, have been studied.…”

“…To thoroughly evaluate the defenses, we extend and implement all the recent promising adversarial attacks [7], [8], [9], [10], [15], [16], [17], [21], including 4 white-box attacks and 3 black-box attacks. The evaluation on 22 concrete attacks shows that the effectiveness of transformations does not necessarily decrease with increase of both distortion and attack strength, and their effectiveness varies with attacks, e.g., two time-domain transformations are more effective than others against L ∞ attacks (i.e., perturbations are limited in L ∞ norm) and feature-level transformations are often more effective than others against L 2 white-box attacks.…”

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

A One-class Model for Voice Replay Attack Detection

Efficient Black-Box Adversarial Attacks with Training Surrogate Models Towards Speaker Recognition Systems