Interpretable Spectrum Transformation Attacks to Speaker Recognition
- URL: http://arxiv.org/abs/2302.10686v1
- Date: Tue, 21 Feb 2023 14:12:29 GMT
- Title: Interpretable Spectrum Transformation Attacks to Speaker Recognition
- Authors: Jiadi Yao, Hong Luo, and Xiao-Lei Zhang
- Abstract summary: A general framework is proposed to improve the transferability of adversarial voices to a black-box victim model.
The proposed framework operates voices in the time-frequency domain, which improves the interpretability, transferability, and imperceptibility of the attack.
- Score: 8.770780902627441
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The success of adversarial attacks to speaker recognition is mainly in
white-box scenarios. When applying the adversarial voices that are generated by
attacking white-box surrogate models to black-box victim models, i.e.
transfer-based black-box attacks, the transferability of the
adversarial voices is not only far from satisfactory, but also lacks
interpretable basis. To address these issues, in this paper, we propose a
general framework, named spectral transformation attack based on modified
discrete cosine transform (STA-MDCT), to improve the transferability of the
adversarial voices to a black-box victim model. Specifically, we first apply
MDCT to the input voice. Then, we slightly modify the energy of different
frequency bands for capturing the salient regions of the adversarial noise in
the time-frequency domain that are critical to a successful attack. Unlike
existing approaches that operate voices in the time domain, the proposed
framework operates voices in the time-frequency domain, which improves the
interpretability, transferability, and imperceptibility of the attack.
Moreover, it can be implemented with any gradient-based attackers. To utilize
the advantage of model ensembling, we not only implement STA-MDCT with a single
white-box surrogate model, but also with an ensemble of surrogate models.
Finally, we visualize the saliency maps of adversarial voices by the class
activation maps (CAM), which offers an interpretable basis to transfer-based
attacks in speaker recognition for the first time. Extensive comparison results
with five representative attackers show that the CAM visualization clearly
explains the effectiveness of STA-MDCT, and the weaknesses of the comparison
methods; the proposed method outperforms the comparison methods by a large
margin.
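As a reading aid, the following Python sketch illustrates the general flavour of the attack as the abstract describes it: transform the waveform into a frequency representation, randomly rescale the energy of frequency bands to obtain augmented copies, and average the gradient of a white-box surrogate speaker model over those copies before taking a gradient-based attack step. This is a minimal sketch under assumptions, not the authors' implementation: a framewise DCT stands in for the MDCT (the true MDCT is a lapped transform with 50% overlap), and the surrogate `model`, `target_emb`, band size, and scaling range are all illustrative.

```python
# Illustrative sketch of a spectrum-transformation step for transfer attacks
# (assumed details; NOT the authors' code). A framewise DCT stands in for
# the MDCT, which is properly a lapped transform with 50% overlap.
import numpy as np
import torch
from scipy.fft import dct, idct

def spectrum_transform(wave, frame_len=512, band_size=32, scale_range=(0.8, 1.2)):
    """Randomly rescale the energy of frequency bands in a framewise DCT domain.

    `wave` is assumed to be a 1-D float numpy array.
    """
    n = len(wave) // frame_len * frame_len
    frames = wave[:n].reshape(-1, frame_len)              # (num_frames, frame_len)
    spec = dct(frames, type=2, norm="ortho", axis=-1)     # framewise DCT-II
    num_bands = frame_len // band_size
    scales = np.random.uniform(*scale_range, size=num_bands)
    spec = spec.reshape(-1, num_bands, band_size) * scales[None, :, None]
    frames = idct(spec.reshape(-1, frame_len), type=2, norm="ortho", axis=-1)
    out = wave.copy()
    out[:n] = frames.reshape(-1)
    return out

def sta_gradient(model, wave, target_emb, num_copies=10):
    """Average the attack gradient over several spectrum-transformed copies.

    `model` is a hypothetical torch module mapping a (1, T) waveform to a
    speaker embedding; `target_emb` is the embedding of the target speaker.
    """
    grads = []
    for _ in range(num_copies):
        x = torch.tensor(spectrum_transform(wave), dtype=torch.float32,
                         requires_grad=True)
        emb = model(x.unsqueeze(0))
        # Sign of the objective depends on targeted vs. untargeted attacks.
        loss = torch.nn.functional.cosine_similarity(emb, target_emb).mean()
        loss.backward()
        grads.append(x.grad.detach().numpy())
    return np.mean(grads, axis=0)   # feed into a gradient-based attacker step
```

In the actual method, the number of copies, band granularity, and scaling distribution would be hyperparameters, and the averaged gradient would be plugged into any gradient-based attacker (e.g. FGSM- or PGD-style updates), possibly over an ensemble of surrogate models as the abstract notes.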
Related papers
- SA-Attack: Improving Adversarial Transferability of Vision-Language Pre-training Models via Self-Augmentation [56.622250514119294]
In contrast to white-box adversarial attacks, transfer attacks are more reflective of real-world scenarios.
We propose a self-augment-based transfer attack method, termed SA-Attack.
arXiv Detail & Related papers (2023-12-08T09:08:50Z)
- SLMIA-SR: Speaker-Level Membership Inference Attacks against Speaker Recognition Systems [6.057334150052503]
SLMIA-SR is the first membership inference attack tailored to speaker recognition (SR).
Our attack is versatile and can work in both white-box and black-box scenarios.
arXiv Detail & Related papers (2023-09-14T18:40:28Z)
- T-SEA: Transfer-based Self-Ensemble Attack on Object Detection [9.794192858806905]
We propose a single-model transfer-based black-box attack on object detection, utilizing only one model to achieve a high-transferability adversarial attack on multiple black-box detectors.
We analogize patch optimization with regular model optimization, proposing a series of self-ensemble approaches on the input data, the attacked model, and the adversarial patch.
arXiv Detail & Related papers (2022-11-16T10:27:06Z)
- Mel Frequency Spectral Domain Defenses against Adversarial Attacks on Speech Recognition Systems [33.21836814000979]
This paper explores speech-specific defenses using the mel spectral domain, and introduces a novel defense method called 'mel domain noise flooding' (MDNF).
MDNF applies additive noise to the mel spectrogram of a speech utterance prior to re-synthesising the audio signal; a rough sketch of this pipeline follows this entry.
We test the defenses against strong white-box adversarial attacks such as projected gradient descent (PGD) and Carlini-Wagner (CW) attacks.
arXiv Detail & Related papers (2022-03-29T06:58:26Z)
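Taking the summary above at face value, the defense can be approximated in a few lines with librosa: compute a mel spectrogram, flood it with additive noise, and re-synthesise the waveform. The sketch below is an assumption-laden illustration, not the paper's code; the sampling rate, mel parameters, and noise scale are arbitrary choices.

```python
# Rough sketch of mel-domain noise flooding as described in the summary
# (assumed parameters; NOT the paper's implementation).
import numpy as np
import librosa

def mel_noise_flood(wave, sr=16000, n_mels=80, noise_scale=0.05):
    """Add noise to the mel spectrogram, then re-synthesise the audio."""
    mel = librosa.feature.melspectrogram(y=wave, sr=sr, n_mels=n_mels)
    # Non-negative noise keeps the power mel spectrogram valid.
    mel_noisy = mel + noise_scale * np.random.rand(*mel.shape) * mel.mean()
    # Griffin-Lim-based inversion back to a time-domain signal.
    return librosa.feature.inverse.mel_to_audio(mel_noisy, sr=sr)
```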
- Modelling Adversarial Noise for Adversarial Defense [96.56200586800219]
Adversarial defenses typically focus on exploiting adversarial examples to remove adversarial noise or to train an adversarially robust target model.
Motivated by the observation that the relationship between adversarial data and natural data can help infer clean data from adversarial data and thus recover the correct prediction, we study modelling adversarial noise to learn the transition relationship in the label space, using adversarial labels to improve adversarial accuracy.
arXiv Detail & Related papers (2021-09-21T01:13:26Z)
- Self-Supervised Iterative Contextual Smoothing for Efficient Adversarial Defense against Gray- and Black-Box Attack [24.66829920826166]
We propose a novel input transformation based adversarial defense method against gray- and black-box attack.
Our defense is free of computationally expensive adversarial training, yet it can approach the robust accuracy of adversarial training via input transformation alone.
arXiv Detail & Related papers (2021-06-22T09:51:51Z)
- Gradient-based Adversarial Attacks against Text Transformers [96.73493433809419]
We propose the first general-purpose gradient-based attack against transformer models.
We empirically demonstrate that our white-box attack attains state-of-the-art attack performance on a variety of natural language tasks.
arXiv Detail & Related papers (2021-04-15T17:43:43Z)
- Towards Robust Speech-to-Text Adversarial Attack [78.5097679815944]
This paper introduces a novel adversarial algorithm for attacking the state-of-the-art speech-to-text systems, namely DeepSpeech, Kaldi, and Lingvo.
Our approach is based on developing an extension for the conventional distortion condition of the adversarial optimization formulation.
Minimizing over this metric, which measures the discrepancies between original and adversarial samples' distributions, contributes to crafting signals very close to the subspace of legitimate speech recordings.
arXiv Detail & Related papers (2021-03-15T01:51:41Z)
- Decision-based Universal Adversarial Attack [55.76371274622313]
In the black-box setting, current universal adversarial attack methods utilize substitute models to generate the perturbation.
We propose an efficient Decision-based Universal Attack (DUAttack).
The effectiveness of DUAttack is validated through comparisons with other state-of-the-art attacks.
arXiv Detail & Related papers (2020-09-15T12:49:03Z)
- Defense for Black-box Attacks on Anti-spoofing Models by Self-Supervised Learning [71.17774313301753]
We explore the robustness of self-supervised learned high-level representations by using them in the defense against adversarial attacks.
Experimental results on the ASVspoof 2019 dataset demonstrate that high-level representations extracted by Mockingjay can prevent the transferability of adversarial examples.
arXiv Detail & Related papers (2020-06-05T03:03:06Z)