Previous works have shown that automatic speaker verification (ASV) is seriously vulnerable to malicious spoofing attacks, such as replay, synthetic speech, and recently emerged adversarial attacks. Great efforts have been dedicated to defending ASV against replay and synthetic speech; however, only a few approaches have been explored to deal with adversarial attacks. All the existing approaches to tackling adversarial attacks on ASV require knowledge of how the adversarial samples are generated, but it is impractical for defenders to know the exact attack algorithms applied by in-the-wild attackers. This work is among the first to perform adversarial defense for ASV without knowing the specific attack algorithms. Inspired by self-supervised learning models (SSLMs), which possess the merits of alleviating superficial noise in the inputs and reconstructing clean samples from the interrupted ones, this work regards adversarial perturbations as one kind of noise and conducts adversarial defense for ASV with SSLMs. Specifically, we propose to perform adversarial defense from two perspectives: 1) adversarial perturbation purification and 2) adversarial perturbation detection. Experimental results show that our detection module effectively shields the ASV by detecting adversarial samples with an accuracy of around 80%. Moreover, since there is no common metric for evaluating adversarial defense performance for ASV, this work also formalizes evaluation metrics for adversarial defense that take both purification-based and detection-based approaches into account. We sincerely encourage future works to benchmark their approaches based on the proposed evaluation framework.