Spoofing-Aware Speaker Verification (SASV)

• Spoofing-Aware Speaker Verification (SASV) is a unified framework that combines speaker verification and anti-spoofing to resist text-to-speech and voice conversion attacks.
• Key integration strategies, such as score-level fusion, DNN embedding fusion, and probabilistic product fusion, significantly reduce error rates, with SASV-EER dropping below 1% in top systems.
• Empirical evaluations on benchmarks like ASVspoof2019 LA highlight SASV's effectiveness, underlining the importance of score normalization and joint optimization for robust performance.

Spoofing-Aware Speaker Verification (SASV) systems unify the tasks of automatic speaker verification (ASV) and anti-spoofing (countermeasure, CM) into a single machine learning framework, aiming to simultaneously verify user identity and reliably reject both zero-effort impostors and synthetic (spoofed) speech. Addressing the vulnerability of standalone ASV systems to advanced text-to-speech and voice conversion attacks, SASV frameworks have become a central research area bridging speaker recognition and anti-spoofing communities. Integrated evaluation protocols, large-scale benchmarks, and multiple challenge events have established standardized methodologies for the field, revealing the interplay between subsystem fusion, end-to-end joint optimization, and the intrinsic trade-offs between speaker-discriminative and spoof-discriminative representations (Shim et al., 2022, Jung et al., 2022).

1. Formulation and Evaluation Protocols

Spoofing-Aware Speaker Verification generalizes classical ASV by adding a third trial class—the spoofed non-target (synthetic speech mimicking the enrolled speaker)—to the conventional target (bona fide, same speaker) and bona fide non-target (different speaker) trial types. Every tested system must output a scalar score per trial, indicating the likelihood that the test utterance is both (a) bona fide and (b) produced by the enrolled speaker. The integrated evaluation protocol defines three Equal Error Rate (EER) metrics:

• SV-EER: EER between target and bona fide non-target trials (traditional ASV, ignoring spoofs)
• SPF-EER: EER between target and spoofed trials (anti-spoofing discrimination)
• SASV-EER: EER on all trials, i.e., target vs. the union of bona fide non-target and spoof attacks

Mathematically, letting $S$ be the system score, the error rates at threshold $\tau$ are

$$\mathrm{FAR}(\tau) = \frac{ \# \{ S \ge \tau ~|~ y=0 \} }{ N_{neg} }, \qquad \mathrm{FRR}(\tau) = \frac{ \# \{ S < \tau ~|~ y=1 \} }{ N_{pos} },$$

with $y=1$ for target-bona fide and $y=0$ for non-target or spoof. SASV-EER is $\tau^*$ such that $\mathrm{FAR}(\tau^*) = \mathrm{FRR}(\tau^*)$. This unifies speaker and spoof errors into a single operating point (Jung et al., 2022, Shim et al., 2022).

2. Baseline Architectures and Subsystems

Modern SASV systems leverage state-of-the-art deep models from both the ASV and CM domains:

• ASV Subsystem (e.g., ECAPA-TDNN):
  • Input: 80-dim log-mel filterbank features
  • Architecture: Stacked SE-Res2Net blocks, Attentive Statistics Pooling (ASP)
  • Embedding: 192-dim (or 256-dim), cosine similarity for scoring
  • Objective: Additive Angular Margin Softmax (ArcFace)
  • Baseline SV-EER: 1.63% (eval), but degrades to 23.83% SASV-EER under spoofing (Shim et al., 2022)
• CM Subsystem (e.g., AASIST):
  • Input: Raw waveform, per-utterance standardization
  • Architecture: RawNet2 encoder, Graph Attention Networks (GAT), graph pooling, 2-way softmax
  • Embedding: 160-dim “spoof” embedding, softmax posterior for bona-fide
  • Objective: Binary cross-entropy
  • Baseline SPF-EER: 0.78% (eval); SASV-EER when run alone: 24.38% (Shim et al., 2022, Jung et al., 2022)

The standalone ASV subsystem is highly vulnerable to spoofed test utterances, while the CM subsystem ignores speaker identity, treating all bona fide utterances as equally positive.

3. System Integration: Fusion Strategies

Effective SASV relies on integrating ASV and CM, with research converging on three main fusion paradigms:

• Score-Level Fusion (Score-Sum, Baseline 1):
  • $$s_{\text{SASV}} = s_{\text{ASV}} + \alpha \, s_{\text{CM}}$$, with $\alpha=1$.
  • No training required; immediate reduction of SASV-EER from 23.83% (ASV only) to 1.71% (score-sum) (Shim et al., 2022).
  • Key insight: even naive addition achieves strong robustness, provided scores are z-normalized or softmaxed (Jung et al., 2022).
• Embedding-Level DNN Fusion (Baseline 2):
  • Concatenation of ECAPA (enrolment, test) and AASIST (test) embeddings into a 544-dim vector; MLP with three hidden layers for classification.
  • Achieves SPF-EER of 0.78% (best among baselines), but degrades SV-EER due to overfitting to the spoof-vs-bona fide signal, yielding SASV-EER of 6.37% (Shim et al., 2022).
  • Caution: Over-regularization or domain mismatch can cause the DNN to prioritize spoof defense over speaker discrimination.
• Cascaded Decision-Level Combination:
  • CM acts as a gate: reject if classified as spoof, else verify speaker via ASV.
  • Yields SASV-HTER of 1.47% (lowest error among baselines), but not directly comparable with EER (Shim et al., 2022).
• Probabilistic Product Fusion:
  • SASV score as the product of calibrated ASV and CM probabilities:

  $$S_{\mathrm{SASV}} = \sigma(\mathcal{S}_{\mathrm{CM}}) \cdot f(\mathcal{S}_{\mathrm{ASV}})$$ - Fine-tuning the CM back-end to the joint objective yields SASV-EER down to 1.53% (Zhang et al., 2022).

These and multi-stage or multi-model fusion extensions (using SVM, LR, DNN with additional auxiliary CM scores) consistently outperform naive methods, with SASV-EER as low as 0.13% achieved by competition-leading teams (Jung et al., 2022, Kurnaz et al., 16 Sep 2025, Wu et al., 2022).

4. Empirical Results and Benchmark Datasets

The ASVspoof2019 Logical Access (LA) dataset is the primary benchmark, with protocols partitioning trials into train, development (dev), and evaluation (eval) sets—each containing three trial types (target, non-target, spoofed). Key results include:

System	SV-EER (%)	SPF-EER (%)	SASV-EER (%)
ECAPA-TDNN (ASV only)	1.63	30.75	23.83
AASIST (CM only)	49.24	0.67	24.38
Score-sum fusion (B1)	1.66	1.76	1.71
DNN embed fusion (B2)	11.48	0.78	6.37
Best submitted systems	<1.0	<1.0	0.13–0.97

Top-performing teams in the SASV2022 challenge employed ensembles of multiple ASV and CM variants (including PLDA, RawGAT-ST, AASIST-L), decision-level cascades, sophisticated DNN fusion, or multi-level fusion blocks (Jung et al., 2022, Wu et al., 2022, Wu et al., 2022).

5. Analysis of Integration Strategies

Integrating ASV and CM recovers the vulnerability of standalone systems:

• Off-the-shelf fusion (e.g., score-sum) is robust, easy to deploy, and sufficient for major error reduction.
• Embedding-level DNN fusion can more tightly merge identity and authenticity cues but may harm their individual discriminability unless appropriately regularized.
• Joint optimization and multi-task learning, in more advanced work, deliver further improvements by allowing shared representations to encode both speaker and spoof characteristics, sometimes pushing SASV-EER below the clean SV-EER, and closing the gap between fusion ensembles and single integrated systems (Shim et al., 2022, Wu et al., 2022).
• Score normalization and calibration are critical, as raw ASV and CM scores may have unmatched dynamic ranges and priors (Zhang et al., 2022, Jung et al., 2022).

6. Key Insights, Challenges, and Future Directions

Research consistently demonstrates the necessity of tightly-coupled SASV systems in the modern threat landscape:

• Integrated systems leveraging joint information from both ASV and CM dramatically outperform standalone modules in both speaker and spoof discrimination.
• Score normalization and explicit probabilistic calibration (e.g., transforming all scores into (0,1) before product fusion) are essential for robust operations.
• End-to-end, jointly-optimized architectures remain an open but promising research direction, especially as more diverse datasets become available.
• The community is encouraged to investigate scalable and domain-adaptive approaches to cover the diversity of future spoofing attacks, as well as techniques for resisting overfitting when training data is limited in either speakers or attack varieties (Jung et al., 2022, Shim et al., 2022).

The Spoofing-Aware Speaker Verification challenge protocols and published baselines now serve as standard benchmarks, with all code and models released for reproducibility. Continued advances in joint ASV/CM optimization, data augmentation, and cross-domain robustness are expected to further reduce error rates and increase reliability in practical voice biometric deployments.