Discrete optimal transport is a strong audio adversarial attack
- URL: http://arxiv.org/abs/2509.14959v1
- Date: Thu, 18 Sep 2025 13:46:16 GMT
- Title: Discrete optimal transport is a strong audio adversarial attack
- Authors: Anton Selitskiy, Akib Shahriyar, Jishnuraj Prakasan,
- Abstract summary: We show that discrete optimal transport (DOT) is an effective black-box adversarial attack against modern audio anti-spoofing countermeasures (CMs). Our attack operates as a post-processing, distribution-alignment step: frame-level WavLM embeddings are aligned to an unpaired bona fide pool via entropic OT and a top-$k$ barycentric projection, then decoded with a neural vocoder.
- Score: 0.2752817022620644
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In this paper, we show that discrete optimal transport (DOT) is an effective black-box adversarial attack against modern audio anti-spoofing countermeasures (CMs). Our attack operates as a post-processing, distribution-alignment step: frame-level WavLM embeddings of generated speech are aligned to an unpaired bona fide pool via entropic OT and a top-$k$ barycentric projection, then decoded with a neural vocoder. Evaluated on ASVspoof2019 and ASVspoof5 with AASIST baselines, DOT yields consistently high equal error rate (EER) across datasets and remains competitive after CM fine-tuning, outperforming several conventional attacks in cross-dataset transfer. Ablation analysis highlights the practical impact of vocoder overlap. Results indicate that distribution-level alignment is a powerful and stable attack surface for deployed CMs.
Related papers
- Potent but Stealthy: Rethink Profile Pollution against Sequential Recommendation via Bi-level Constrained Reinforcement Paradigm [44.622203626828345]
Sequential Recommenders, which exploit dynamic user intents through interaction sequences, are vulnerable to adversarial attacks.
This paper focuses on the Profile Pollution Attack that subtly contaminates partial user interactions to induce targeted mispredictions.
We propose a constrained reinforcement driven attack CREAT that synergizes a bi-level optimization framework with multi-reward reinforcement learning to balance adversarial efficacy and stealthiness.
arXiv Detail & Related papers (2025-11-12T15:00:52Z)
- SecDiff: Diffusion-Aided Secure Deep Joint Source-Channel Coding Against Adversarial Attacks [73.41290017870097]
SecDiff is a plug-and-play, diffusion-aided decoding framework.
It significantly enhances the security and robustness of deep JSCC under adversarial wireless environments.
arXiv Detail & Related papers (2025-11-03T11:24:06Z)
- Improving Black-Box Generative Attacks via Generator Semantic Consistency [51.470649503929344]
Generative attacks produce adversarial examples in a single forward pass at test time.
We enforce semantic consistency by aligning the early generator's intermediate features to an EMA teacher.
Our approach can be seamlessly integrated into existing generative attacks with consistent improvements in black-box transfer.
arXiv Detail & Related papers (2025-06-23T02:35:09Z)
- Efficient Adversarial Training in LLMs with Continuous Attacks [99.5882845458567]
Large language models (LLMs) are vulnerable to adversarial attacks that can bypass their safety guardrails.
We propose a fast adversarial training algorithm (C-AdvUL) composed of two losses.
C-AdvIPO is an adversarial variant of IPO that does not require utility data for adversarially robust alignment.
arXiv Detail & Related papers (2024-05-24T14:20:09Z)
- Exploring Frequencies via Feature Mixing and Meta-Learning for Improving Adversarial Transferability [26.159434438078968]
We introduce a frequency decomposition-based feature mixing method to exploit frequency characteristics in both clean and adversarial samples.
Our findings suggest that incorporating features of clean samples into adversarial features extracted from adversarial examples is more effective in attacking normally-trained models.
We propose a cross-frequency meta-optimization approach comprising the meta-train step, meta-test step, and final update.
arXiv Detail & Related papers (2024-05-06T06:32:58Z)
- Towards Transferable Adversarial Attacks with Centralized Perturbation [4.689122927344728]
Adversarial transferability enables black-box attacks on unknown victim deep neural networks (DNNs).
Current transferable attacks create adversarial perturbation over the entire image, resulting in excessive noise that overfits the source model.
We propose a transferable adversarial attack with fine-grained perturbation optimization in the frequency domain, creating centralized perturbation.
arXiv Detail & Related papers (2023-12-11T08:25:50Z)
- Interpretable Spectrum Transformation Attacks to Speaker Recognition [8.770780902627441]
A general framework is proposed to improve the transferability of adversarial voices to a black-box victim model.
The proposed framework operates on voices in the time-frequency domain, which improves the interpretability, transferability, and imperceptibility of the attack.
arXiv Detail & Related papers (2023-02-21T14:12:29Z)
- Distributed Adversarial Training to Robustify Deep Neural Networks at Scale [100.19539096465101]
Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where adversarial perturbations to the inputs can change or manipulate classification.
To defend against such attacks, an effective approach, known as adversarial training (AT), has been shown to mitigate robust training.
We propose a large-batch adversarial training framework implemented over multiple machines.
arXiv Detail & Related papers (2022-06-13T15:39:43Z)
- Modelling Adversarial Noise for Adversarial Defense [96.56200586800219]
Adversarial defenses typically focus on exploiting adversarial examples to remove adversarial noise or train an adversarially robust target model.
Motivated by that the relationship between adversarial data and natural data can help infer clean data from adversarial data to obtain the final correct prediction.
We study to model adversarial noise to learn the transition relationship in the label space for using adversarial labels to improve adversarial accuracy.
arXiv Detail & Related papers (2021-09-21T01:13:26Z)
- Policy Smoothing for Provably Robust Reinforcement Learning [109.90239627115336]
We study the provable robustness of reinforcement learning against norm-bounded adversarial perturbations of the inputs.
We generate certificates that guarantee that the total reward obtained by the smoothed policy will not fall below a certain threshold under a norm-bounded adversarial perturbation of the input.
arXiv Detail & Related papers (2021-06-21T21:42:08Z)
- Towards Robust Speech-to-Text Adversarial Attack [78.5097679815944]
This paper introduces a novel adversarial algorithm for attacking the state-of-the-art speech-to-text systems, namely DeepSpeech, Kaldi, and Lingvo.
Our approach is based on developing an extension for the conventional distortion condition of the adversarial optimization formulation.
Minimizing over this metric, which measures the discrepancies between original and adversarial samples' distributions, contributes to crafting signals very close to the subspace of legitimate speech recordings.
arXiv Detail & Related papers (2021-03-15T01:51:41Z)
This list is automatically generated from the titles and abstracts of the papers in this site.