Study of Pre-processing Defenses against Adversarial Attacks on State-of-the-art Speaker Recognition Systems

Sonal Joshi, Jesús Villalba, Piotr Żelasko, Laureano Moro-Velázquez, Najim Dehak

TL;DR

Among the proposed pre-processing defenses, PWG combined with randomized smoothing offers the most protection against the attacks, with accuracy averaging 93% compared to 52% in the undefended system and an absolute improvement >90% for BIM attacks with $L_\infty >0.001$ and CW attack.

Abstract

Adversarial examples to speaker recognition (SR) systems are generated by adding a carefully crafted noise to the speech signal to make the system fail while remaining imperceptible to humans. Such attacks pose severe security risks, making it vital to deep-dive and understand how vulnerable state-of-the-art SR systems are to these attacks. Moreover, it is of greater importance to propose defenses that can protect the systems against these attacks. Addressing these concerns, this paper first investigates how state-of-the-art x-vector based SR systems are affected by white-box adversarial attacks, i.e., when the adversary has full knowledge of the system. x-Vector based SR systems are evaluated against white-box adversarial attacks common in the literature, such as the fast gradient sign method (FGSM), the basic iterative method (BIM, a.k.a. iterative-FGSM), projected gradient descent (PGD), and the Carlini-Wagner (CW) attack. To mitigate these attacks, the paper proposes four pre-processing defenses. It evaluates them against powerful adaptive white-box adversarial attacks, i.e., when the adversary has full knowledge of the system, including the defense. The four pre-processing defenses (randomized smoothing, DefenseGAN, variational autoencoder (VAE), and Parallel WaveGAN vocoder (PWG)) are compared against the baseline defense of adversarial training. Conclusions indicate that SR systems were extremely vulnerable under BIM, PGD, and CW attacks. Among the proposed pre-processing defenses, PWG combined with randomized smoothing offers the most protection against the attacks, with accuracy averaging 93% compared to 52% in the undefended system and an absolute improvement >90% for BIM attacks with $L_\infty>0.001$ and the CW attack.

Paper Structure

This paper contains 38 sections, 12 equations, 5 figures, 12 tables.

Figures (5)

  • Figure 1: x-Vector Speaker Classification Pipeline. Here, $\mathbf x^\prime$ is the adversarial sample of the benign waveform $\mathbf x$ (which, without attack, gives the classifier output speaker label $y^{\mathrm{benign}}$) such that the classifier output is $y^{\mathrm{adv}}$ (or in short $y$) with $y \neq y^{\mathrm{benign}}$
  • Figure 2: Scheme of Defense-GAN inference step
  • Figure 3: Pipeline of VAE defense. Combination of VAE with randomized smoothing is indicated by optional block
  • Figure 4: Pipeline for PWG Defense. Combination of PWG with randomized smoothing is indicated by the optional blocks.
  • Figure 5: Summary of all defense systems with their best settings for all attack settings as in Table [tab:results_compare], shown as a boxplot