Defense against adversarial attacks on spoofing countermeasures of ASV (2003.03065v1)

Abstract: Various forefront countermeasure methods for automatic speaker verification (ASV) with considerable performance in anti-spoofing are proposed in the ASVspoof 2019 challenge. However, previous work has shown that countermeasure models are vulnerable to adversarial examples indistinguishable from natural data. A good countermeasure model should not only be robust against spoofing audio, including synthetic, converted, and replayed audios; but counteract deliberately generated examples by malicious adversaries. In this work, we introduce a passive defense method, spatial smoothing, and a proactive defense method, adversarial training, to mitigate the vulnerability of ASV spoofing countermeasure models against adversarial examples. This paper is among the first to use defense methods to improve the robustness of ASV spoofing countermeasure models under adversarial attacks. The experimental results show that these two defense methods positively help spoofing countermeasure models counter adversarial examples.

• The paper explores defenses against adversarial attacks targeting spoofing countermeasures in automatic speaker verification (ASV) systems.
• Spatial smoothing techniques like median filtering significantly improve ASV robustness against adversarial examples, increasing accuracy from 37% to over 92% in experiments.
• Adversarial training also enhances resilience, with combined spatial smoothing and adversarial training offering the strongest defense against attacks.

Defense Against Adversarial Attacks on Spoofing Countermeasures of Automatic Speaker Verification

The paper "Defense against adversarial attacks on spoofing countermeasures of ASV" addresses a critical challenge faced in the field of automatic speaker verification (ASV): the vulnerability of ASV systems, specifically their spoofing countermeasures, to adversarial examples. ASV systems are integral to biometric authentication applications, and their security against spoofing and adversarial attacks is paramount.

Context and Contributions

ASV systems operate by verifying whether a given audio sample corresponds to an enrolled speaker. These systems are susceptible to spoofing attacks via methods like voice conversion, text-to-speech synthesis, and audio replay, which are extensively investigated in challenges like ASVspoof 2019. Despite achieving reasonable performance levels against such spoofing, these systems remain vulnerable to adversarial attacks, where inputs are subtly perturbed to deceive the system, bypassing its spoofing countermeasures.

This paper is among the first to explore strategies for defending ASV systems against such adversarial attacks. It introduces two approaches:

1. Spatial Smoothing - a passive defense method that filters input data using spatial processing techniques.
2. Adversarial Training - a proactive method involving the integration of adversarial examples into the training process to enhance model robustness.

Experimental Methods and Results

The authors implemented two models, a VGG-like network and a Squeeze-Excitation ResNet (SENet), both inspired by state-of-the-art architectures from ASVspoof challenges. The VGG-like network leverages convolutional layers for feature extraction, while SENet applies squeeze-and-excitation blocks for improved discriminative performance.

To evaluate their defenses, the authors generated adversarial examples using Projected Gradient Descent (PGD), a well-established method for adversarial creation. The models were initially trained on clean data, then exposed to adversarial inputs both with and without spatial filtering.

Spatial Smoothing: Filtering techniques, including Gaussian, Mean, and Median filters, were applied to adversarial examples, yielding significant improvements in model accuracy post-attack. For instance, the VGG model's accuracy against unfiltered adversarial examples increased from about 37% to over 92% when combined with median filtering.

Adversarial Training: Upon incorporating adversarial training, both VGG and SENet models demonstrated enhanced resilience, with unfiltered adversarial accuracy nearing 93% for SENet. Combining adversarial training with spatial smoothing further bolstered robustness, achieving peak accuracy levels.

Implications

The paper's findings have significant implications for practical applications of ASV systems. By integrating spatial smoothing with adversarial training, ASV systems can attain improved security profiles, mitigating risks posed by adversarial attacks without significant computational overhead.

From a theoretical standpoint, exploring adversarial defenses in ASV systems stimulates further discourse on adversarial vulnerability across various machine learning contexts, prompting advancements in training regimes and model architectures. As AI continues to proliferate in security-sensitive domains, such research is invaluable for fortifying next-generation authentication technologies.

Future research will likely delve into ensemble adversarial training and other advanced methodologies to further enhance ASV systems' resilience in dynamic threat environments.