Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

What You Read Isn't What You Hear: Linguistic Sensitivity in Deepfake Speech Detection

Binh Nguyen, Shuji Shi, Ryan Ofman, Thai Le

TL;DR

The paper demonstrates that automatic audio anti-spoofing systems are highly sensitive to linguistic variations in transcripts, not just acoustic perturbations. It introduces a transcript-level adversarial attack framework that operates in a black-box setting to produce semantically preserved perturbations, significantly degrading both open-source and commercial detectors. Through extensive experiments and a feature-attribution analysis, it identifies linguistic complexity and audio embedding similarity as key drivers of vulnerability, and it validates real-world risk with a Brad Pitt deepfake case study. The work highlights the need to extend defenses beyond acoustics to account for linguistic variation, and it provides publicly available code to advance robust anti-spoofing research.

Abstract

Recent advances in text-to-speech technologies have enabled realistic voice generation, fueling audio-based deepfake attacks such as fraud and impersonation. While audio anti-spoofing systems are critical for detecting such threats, prior work has predominantly focused on acoustic-level perturbations, leaving the impact of linguistic variation largely unexplored. In this paper, we investigate the linguistic sensitivity of both open-source and commercial anti-spoofing detectors by introducing transcript-level adversarial attacks. Our extensive evaluation reveals that even minor linguistic perturbations can significantly degrade detection accuracy: attack success rates surpass 60% on several open-source detector-voice pairs, and notably one commercial detection accuracy drops from 100% on synthetic audio to just 32%. Through a comprehensive feature attribution analysis, we identify that both linguistic complexity and model-level audio embedding similarity contribute strongly to detector vulnerability. We further demonstrate the real-world risk via a case study replicating the Brad Pitt audio deepfake scam, using transcript adversarial attacks to completely bypass commercial detectors. These results highlight the need to move beyond purely acoustic defenses and account for linguistic variation in the design of robust anti-spoofing systems. All source code will be publicly available.

What You Read Isn't What You Hear: Linguistic Sensitivity in Deepfake Speech Detection

TL;DR

The paper demonstrates that automatic audio anti-spoofing systems are highly sensitive to linguistic variations in transcripts, not just acoustic perturbations. It introduces a transcript-level adversarial attack framework that operates in a black-box setting to produce semantically preserved perturbations, significantly degrading both open-source and commercial detectors. Through extensive experiments and a feature-attribution analysis, it identifies linguistic complexity and audio embedding similarity as key drivers of vulnerability, and it validates real-world risk with a Brad Pitt deepfake case study. The work highlights the need to extend defenses beyond acoustics to account for linguistic variation, and it provides publicly available code to advance robust anti-spoofing research.

Abstract

Recent advances in text-to-speech technologies have enabled realistic voice generation, fueling audio-based deepfake attacks such as fraud and impersonation. While audio anti-spoofing systems are critical for detecting such threats, prior work has predominantly focused on acoustic-level perturbations, leaving the impact of linguistic variation largely unexplored. In this paper, we investigate the linguistic sensitivity of both open-source and commercial anti-spoofing detectors by introducing transcript-level adversarial attacks. Our extensive evaluation reveals that even minor linguistic perturbations can significantly degrade detection accuracy: attack success rates surpass 60% on several open-source detector-voice pairs, and notably one commercial detection accuracy drops from 100% on synthetic audio to just 32%. Through a comprehensive feature attribution analysis, we identify that both linguistic complexity and model-level audio embedding similarity contribute strongly to detector vulnerability. We further demonstrate the real-world risk via a case study replicating the Brad Pitt audio deepfake scam, using transcript adversarial attacks to completely bypass commercial detectors. These results highlight the need to move beyond purely acoustic defenses and account for linguistic variation in the design of robust anti-spoofing systems. All source code will be publicly available.

Paper Structure

This paper contains 27 sections, 14 equations, 2 figures, 13 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Motivation
  3. Related Work
  4. Preliminary Analysis
  5. Problem Formulation
  6. Method
  7. Experiments
  8. Set-up
  9. Results
  10. Attacking Open-Source Detectors
  11. Attacking Commercial Detectors
  12. Feature Analysis
  13. Feature Engineering
  14. Analysis Results
  15. Case Study: Deepfake Voice Cloning
  16. ...and 12 more sections

Figures (2)

  • Figure 1: Linguistic variation of the transcript can swing the confidence of audio anti-spoofing system.
  • Figure 2: Feature impact on bona-fide probability prediction. A positive effect means the feature increases the likelihood of a perturbed item being classified as bona-fide.