Alireza Mohammadi,Keshav Sood,Asef Nazari,Dhananjay Thiruvady

2024-10-01

Abstract:Deep neural network-based voice authentication systems are promising biometric verification techniques that uniquely identify biological characteristics to verify a user. However, they are particularly susceptible to targeted data poisoning attacks, where attackers replace legitimate users' utterances with their own. We propose an enhanced framework using realworld datasets considering realistic attack scenarios. The results show that the proposed approach is robust, providing accurate authentications even when only a small fraction (5% of the dataset) is poisoned.

Cryptography and Security

Ruiwen He,Yushi Cheng,Zhicong Zheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/jiot.2024.3406962

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Due to the open nature of voice and voice interface, an adversary can spoof voice recognition systems by replaying pre-recorded voice commands from legitimate users, known as the voice replay attack. Existing detection methods against voice replay attacks mainly rely on extra hardware to determine the sound source or require excessive computing resources to train a classifier with abundant acoustic features. In this paper, we propose Anti-Replay, a fast and lightweight detection system for voice replay attacks. To overcome the challenge of redundant classification features and complex calculation, we first investigate the time-frequency spectrum difference between the genuine human voice and the replayed audio caused by the non-linear distortion of the attacker’s microphones and speakers. Then, we design 5 types with a total of 77 features in both the time and frequency domains and propose a convolutional neural network classifier SE-ResNet50 for attack detection. Evaluations against the datasets of ASVspoof2017, ASVspoof2019, and ASVspoof2021 demonstrate that Anti-Replay can achieve an average equal error rate (EER) of 1.36% across three datasets. Meanwhile, Anti-Replay decreases the training time by 52.3% and 90.2% and decreases the model size by 83.5% and 99.9% compared with the baseline model CQCC-GMM and the state-of-the-art method Res2Net. We have also confirmed that our system is effective in detecting the adaptive replay attack.

Xiaojiao Chen,Sheng Li,Hao Huang

DOI: https://doi.org/10.3390/app11188450

2021-09-12

Applied Sciences

Abstract:Voice Processing Systems (VPSes), now widely deployed, have become deeply involved in people’s daily lives, helping drive the car, unlock the smartphone, make online purchases, etc. Unfortunately, recent research has shown that those systems based on deep neural networks are vulnerable to adversarial examples, which attract significant attention to VPS security. This review presents a detailed introduction to the background knowledge of adversarial attacks, including the generation of adversarial examples, psychoacoustic models, and evaluation indicators. Then we provide a concise introduction to defense methods against adversarial attacks. Finally, we propose a systematic classification of adversarial attacks and defense methods, with which we hope to provide a better understanding of the classification and structure for beginners in this field.

Ivan Himawan,Srikanth Madikeri,Petr Motlicek,Milos Cernak,Sridha Sridharan,Clinton Fookes

DOI: https://doi.org/10.1007/978-3-319-92627-8_17

2019-01-01

Abstract:Current state-of-the-art automatic speaker verification (ASV) systems are prone to spoofing. The security and reliability of ASV systems can be threatened by different types of spoofing attacks using voice conversion, synthetic speech, or recorded passphrase. It is therefore essential to develop countermeasure techniques which can detect such spoofed speech. Inspired by the success of deep learning approaches in various classification tasks, this work presents an in-depth study of convolutional neural networks (CNNs) for spoofing detection in automatic speaker verification (ASV) systems. Specifically, we have compared the use of three different CNNs architectures: AlexNet, CNNs with max-feature-map activation, and an ensemble of standard CNNs for developing spoofing countermeasures, and discussed their potential to avoid overfitting due to small amounts of training data that is usually available in this task. We used popular deep learning toolkits for the system implementation and have released the implementation code of our methods publicly. We have evaluated the proposed countermeasure systems for detecting replay attacks on recently released spoofing corpora ASVspoof 2017, and also provided in-depth visual analyses of CNNs to aid for future research in this area.

Hongwei Luo,Yijie Shen,Feng Lin,Guoai Xu

DOI: https://doi.org/10.1155/2021/6664578

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Speaker verification system has gained great popularity in recent years, especially with the development of deep neural networks and Internet of Things. However, the security of speaker verification system based on deep neural networks has not been well investigated. In this paper, we propose an attack to spoof the state-of-the-art speaker verification system based on generalized end-to-end (GE2E) loss function for misclassifying illegal users into the authentic user. Specifically, we design a novel loss function to deploy a generator for generating effective adversarial examples with slight perturbation and then spoof the system with these adversarial examples to achieve our goals. The success rate of our attack can reach 82% when cosine similarity is adopted to deploy the deep-learning-based speaker verification system. Beyond that, our experiments also reported the signal-to-noise ratio at 76 dB, which proves that our attack has higher imperceptibility than previous works. In summary, the results show that our attack not only can spoof the state-of-the-art neural-network-based speaker verification system but also more importantly has the ability to hide from human hearing or machine discrimination.

Jiajie Zhang,Bingsheng Zhang,Bincheng Zhang

DOI: https://doi.org/10.1145/3327962.3331456

2019-01-01

Abstract:With the advancement of deep learning based speech recognition technology, an increasing number of cloud-aided automatic voice assistant applications, such as Google Home, Amazon Echo, and cloud AI services, such as IBM Watson, are emerging in our daily life. In a typical usage scenario, after keyword activation, the user's voice will be recorded and submitted to the cloud for automatic speech recognition (ASR) and then further action(s) might be triggered depending on the user's command(s). However, recent researches show that the deep learning based systems could be easily attacked by adversarial examples. Subsequently, the ASR systems are found being vulnerable to audio adversarial examples. Unfortunately, very few works about defending audio adversarial attack are known in the literature. Constructing a generic and robust defense mechanism to resolve this issue remains an open problem. In this work, we propose several proactive defense mechanisms against targeted audio adversarial examples in the ASR systems via code modulation and audio compression. We then show the effectiveness of the proposed strategies through extensive evaluation on natural dataset.

Wenbin Huang,Wenjuan Tang,Hongbo Jiang,Jun Luo,Yaoxue Zhang

DOI: https://doi.org/10.1109/jiot.2021.3110588

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Both voice communication and automatic speech verification (ASV) over smart devices are vulnerable to the voice impersonation (VI) attack, which is often launched via imitating a target’s voice characteristics to deceive human auditory sense or fool the ASV system. Researchers have designed a number of defense schemes yet without the consideration of universality due to the lack of comprehensive data sets. In this article, we propose a universal defense scheme based on the VI data set collected from a famous TV show named “The Sound.” First, we deliver a thorough study on the VI attacks in both auditory and ASV systems to verify the collected simulated voice could spoof the auditory and the ASV system with a notable probability. Second, we propose a quasi-Gaussian distribution (QGD)-based defense scheme with the discovery about specific voice characteristics that are distinct between attackers and targets. Finally, we conduct extensive experimental results on our collected VI data set as well as the auxiliary ASVspoof2017 data set, to indicate the proposed QGD scheme outperforms the state-of-the-art schemes: backpropagation neural network, support vector machine, and Gaussian mixture model, in terms of accuracy.

Li-Chi Chang,Zesheng Chen,Chao Chen,Guoping Wang,Zhuming Bi

DOI: https://doi.org/10.1109/ipccc51483.2021.9679446

2021-01-01

Abstract:In smart home, voice control becomes a main interface between users and smart devices. To make voice control more secure, speaker verification systems have been researched to apply human voice as biometrics to accurately identify a legitimate user and avoid illegal access. In recent studies, however, it has been shown that speaker verification systems are particularly vulnerable to adversarial attacks. In this work, we attempt to design and implement a defense system that is simple, light-weight, and effective against adversarial attacks for speaker verification. Specifically, we study two opposite operations to preprocess input audios in speaker verification systems against adversarial attacks: denoising that attempts to remove or reduce perturbations and noise-adding that adds small Gaussian noises to an input audio. We show through experiments that both methods can significantly degrade the performance of a state-of-the-art adversarial attack. Specifically, it is shown that denoising and noise-adding can reduce the targeted attack success rate of the attack from 100% to only 56% and 5.2%, respectively. Moreover, noise-adding can slow down the attack 25 times in speed and only has a minor effect on the normal operations of a speaker verification system.

Jincheng Zhou,Tao Hai,Dayang N. A. Jawawi,Dan Wang,Ebuka Ibeke,Cresantus Biamba

DOI: https://doi.org/10.1186/s13677-022-00306-5

2022-01-01

Journal of Cloud Computing

Abstract:In our everyday lives, we communicate with each other using several means and channels of communication, as communication is crucial in the lives of humans. Listening and speaking are the primary forms of communication. For listening and speaking, the human voice is indispensable. Voice communication is the simplest type of communication. The Automatic Speaker Verification (ASV) system verifies users with their voices. These systems are susceptible to voice spoofing attacks - logical and physical access attacks. Recently, there has been a notable development in the detection of these attacks. Attackers use enhanced gadgets to record users’ voices, replay them for the ASV system, and be granted access for harmful purposes. In this work, we propose a secure voice spoofing countermeasure to detect voice replay attacks. We enhanced the ASV system security by building a spoofing countermeasure dependent on the decomposed signals that consist of prominent information. We used two main features— the Gammatone Cepstral Coefficients and Mel-Frequency Cepstral Coefficients— for the audio representation. For the classification of the features, we used Bi-directional Long-Short Term Memory Network in the cloud, a deep learning classifier. We investigated numerous audio features and examined each feature’s capability to obtain the most vital details from the audio for it to be labelled genuine or a spoof speech. Furthermore, we use various machine learning algorithms to illustrate the superiority of our system compared to the traditional classifiers. The results of the experiments were classified according to the parameters of accuracy, precision rate, recall, F1-score, and Equal Error Rate (EER). The results were 97%, 100%, 90.19% and 94.84%, and 2.95%, respectively.

Yunjie Ge,Qian Wang,Jiayuan Yu,Chao Shen,Qi Li

DOI: https://doi.org/10.1109/mcom.012.2200596

IF: 9.03

2023-01-01

IEEE Communications Magazine

Abstract:Training high-performance audio models requires a large corpus of training samples, expensive computational resources, and expert knowledge. These costs are computationally intensive for individuals with limited resources. Consequently, users may turn to third-party resources, for example, outsourcing the training to powerful cloud servers or automatically scraping data from the Internet. While these available resources provide a playground for developing audio models, a concerning fact is that malicious third parties may render users vulnerable to data poisoning and backdoor attacks. These attacks can seriously undermine the security and usability of the system supported by the audio model, sometimes with catastrophic consequences. In this article, we review the existing schemes of the backdoor and data poisoning attacks on audio intelligence systems. We classify the state-of-the-art attack schemes into three categories based on their goals, that is, untargeted poisoning attacks, triggerless attacks, and backdoor attacks. We briefly introduce the state-of-the-art solutions, followed by a comprehensive comparison. Moreover, we quantitatively compare several attack methods in terms of the performance of the attacks and the inaudibility of the poisoned examples. Finally, we highlight some promising future research directions in this field.

Yunjie Ge,Qian Wang,Jingfeng Zhang,Juntao Zhou,Yunzhu Zhang,Chao Shen

DOI: https://doi.org/10.48550/arXiv.2203.13497

2022-03-25

Abstract:People are not always receptive to their voice data being collected and misused. Training the audio intelligence systems needs these data to build useful features, but the cost for getting permissions or purchasing data is very high, which inevitably encourages hackers to collect these voice data without people's awareness. To discourage the hackers from proactively collecting people's voice data, we are the first to propose a clean-label poisoning attack, called WaveFuzz, which can prevent intelligence audio models from building useful features from protected (poisoned) voice data but still preserve the semantic information to the humans. Specifically, WaveFuzz perturbs the voice data to cause Mel Frequency Cepstral Coefficients (MFCC) (typical representations of audio signals) to generate the poisoned frequency features. These poisoned features are then fed to audio prediction models, which degrades the performance of audio intelligence systems. Empirically, we show the efficacy of WaveFuzz by attacking two representative types of intelligent audio systems, i.e., speaker recognition system (SR) and speech command recognition system (SCR). For example, the accuracies of models are declined by $19.78\%$ when only $10\%$ of the poisoned voice data is to fine-tune models, and the accuracies of models declined by $6.07\%$ when only $10\%$ of the training voice data is poisoned. Consequently, WaveFuzz is an effective technique that enables people to fight back to protect their own voice data, which sheds new light on ameliorating privacy issues.

Sound,Cryptography and Security,Audio and Speech Processing

Awais Khan,Khalid Mahmood Malik

2023-10-06

Abstract:The Automatic Speaker Verification (ASV) system is vulnerable to fraudulent activities using audio deepfakes, also known as logical-access voice spoofing attacks. These deepfakes pose a concerning threat to voice biometrics due to recent advancements in generative AI and speech synthesis technologies. While several deep learning models for speech synthesis detection have been developed, most of them show poor generalizability, especially when the attacks have different statistical distributions from the ones seen. Therefore, this paper presents Quick-SpoofNet, an approach for detecting both seen and unseen synthetic attacks in the ASV system using one-shot learning and metric learning techniques. By using the effective spectral feature set, the proposed method extracts compact and representative temporal embeddings from the voice samples and utilizes metric learning and triplet loss to assess the similarity index and distinguish different embeddings. The system effectively clusters similar speech embeddings, classifying bona fide speeches as the target class and identifying other clusters as spoofing attacks. The proposed system is evaluated using the ASVspoof 2019 logical access (LA) dataset and tested against unseen deepfake attacks from the ASVspoof 2021 dataset. Additionally, its generalization ability towards unseen bona fide speech is assessed using speech data from the VSDC dataset.

Sound,Audio and Speech Processing

Jiawei Zhu,Lin Chen,Dongwei Xu,Wenhong Zhao

DOI: https://doi.org/10.1109/access.2022.3217322

IF: 3.9

2022-11-09

IEEE Access

Abstract:Voice print recognition is one of the most mature biometric authentication technologies, and the application of deep neural networks (DNNs) has led to a significant improvement in the accuracy of voice print recognition. However, DNN models can be attacked by backdoor attackers, which poses a serious threat to the security of model for voice print recognition. In this paper, a method is proposed for backdoor defence of voice print recognition model based on speech enhancement and weight pruning. Firstly, input samples are perturbed by superimposing various speech patterns, and the backdoor samples are determined based on the randomness (entropy value) of the prediction classes with perturbed inputs from a given deployment model (malicious or benign). Secondly, the backdoor samples are fed into a network (Deep Complex Convolution Recurrent Network) dedicated for speech enhancement, with which the backdoor samples can be denoised by removing the backdoor noise. Finally, the model is pruned using an automatic progressive weight pruning algorithm, which can avoid the accuracy degradation caused by neurons pruning. Experimental results on the AISHELL speech dataset show that the method not only reduces the success rate of backdoor attacks, but also greatly realizes the purification of the backdoor samples.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhe Ye,Terui Mao,Li Dong,Diqun Yan

DOI: https://doi.org/10.21437/Interspeech.2023-733

2023-06-28

Abstract:Deep speech classification has achieved tremendous success and greatly promoted the emergence of many real-world applications. However, backdoor attacks present a new security threat to it, particularly with untrustworthy third-party platforms, as pre-defined triggers set by the attacker can activate the backdoor. Most of the triggers in existing speech backdoor attacks are sample-agnostic, and even if the triggers are designed to be unnoticeable, they can still be audible. This work explores a backdoor attack that utilizes sample-specific triggers based on voice conversion. Specifically, we adopt a pre-trained voice conversion model to generate the trigger, ensuring that the poisoned samples does not introduce any additional audible noise. Extensive experiments on two speech classification tasks demonstrate the effectiveness of our attack. Furthermore, we analyzed the specific scenarios that activated the proposed backdoor and verified its resistance against fine-tuning.

Sound,Cryptography and Security,Machine Learning,Audio and Speech Processing

Si Chen,Kui Ren,Sixu Piao,Cong Wang,Qian Wang,Jian Weng,Lu Su,Aziz Mohaisen

DOI: https://doi.org/10.1109/ICDCS.2017.133

2017-01-01

Abstract:Voice, as a convenient and efficient way of information delivery, has a significant advantage over the conventional keyboard-based input methods, especially on small mobile devices such as smartphones and smartwatches. However, the human voice could often be exposed to the public, which allows an attacker to quickly collect sound samples of targeted victims and further launch voice impersonation attacks to spoof those voice-based applications. In this paper, we propose the design and implementation of a robust software-only voice impersonation defense system, which is tailored for mobile platforms and can be easily integrated with existing off-the-shelf smart devices. In our system, we explore magnetic field emitted from loudspeakers as the essential characteristic for detecting machine-based voice impersonation attacks. Furthermore, we use a state-of-the-art automatic speaker verification system to defend against human imitation attacks. Finally, our evaluation results show that our system achieves simultaneously high accuracy (100%) and low equal error rates (EERs) (0%) in detecting the machine-based voice impersonation attack on smartphones.

Haodong Zhao,Wei Du,Junjie Guo,Gongshen Liu

2023-03-28

Abstract:Speaker verification has been widely used in many authentication scenarios. However, training models for speaker verification requires large amounts of data and computing power, so users often use untrustworthy third-party data or deploy third-party models directly, which may create security risks. In this paper, we propose a backdoor attack for the above scenario. Specifically, for the Siamese network in the speaker verification system, we try to implant a universal identity in the model that can simulate any enrolled speaker and pass the verification. So the attacker does not need to know the victim, which makes the attack more flexible and stealthy. In addition, we design and compare three ways of selecting attacker utterances and two ways of poisoned training for the GE2E loss function in different scenarios. The results on the TIMIT and Voxceleb1 datasets show that our approach can achieve a high attack success rate while guaranteeing the normal verification accuracy. Our work reveals the vulnerability of the speaker verification system and provides a new perspective to further improve the robustness of the system.

Cryptography and Security,Sound,Audio and Speech Processing

Haibin Wu,Andy T. Liu,Hung-yi Lee

DOI: https://doi.org/10.21437/interspeech.2020-2026

2020-01-01

Abstract:High-performance anti-spoofing models for automatic speaker verification (ASV), have been widely used to protect ASV by identifying and filtering spoofing audio that is deliberately generated by text-to-speech, voice conversion, audio replay, etc. However, it has been shown that high-performance anti-spoofing models are vulnerable to adversarial attacks. Adversarial attacks, that are indistinguishable from original data but result in the incorrect predictions, are dangerous for anti-spoofing models and not in dispute we should detect them at any cost. To explore this issue, we proposed to employ Mockingjay, a self-supervised learning based model, to protect anti-spoofing models against adversarial attacks in the black-box scenario. Self-supervised learning models are effective in improving downstream task performance like phone classification or ASR. However, their effect in defense for adversarial attacks has not been explored yet. In this work, we explore the robustness of self-supervised learned high-level representations by using them in the defense against adversarial attacks. A layerwise noise to signal ratio (LNSR) is proposed to quantize and measure the effectiveness of deep models in countering adversarial noise. Experimental results on the ASVspoof 2019 dataset demonstrate that high-level representations extracted by Mockingjay can prevent the transferability of adversarial examples, and successfully counter black-box attacks.

Jun Wang,Juan Liu

DOI: https://doi.org/10.1109/access.2024.3506605

IF: 3.9

2024-12-07

IEEE Access

Abstract:Recent breakthroughs in deep learning applied to voice processing have sparked an upsurge in security and privacy concerns. This paper presents an inventive adversarial sample generation technique termed the "Ultrasonic Attack," crafted to covertly steer downstream voice-related tasks – encompassing voice emotion classification, voice synthesis, and voice recognition processes such as biometric authentication used in sporting events. This technique is distinctive in its employment of a multi-feature fitting strategy that allows for precise targeting and alteration of key voice attributes critical for downstream tasks. Ingeniously integrating ultrasonic noise into the original vocal recordings, our method can mislead sophisticated deep learning systems while remaining undetectable to the human ear, leading to erroneous outcomes in voice-based applications. The implications of this are particularly profound in high-stakes situations like athlete identity verification or voice command integrity in sports technology systems. Rigorous experimental validations underscore the "Ultrasonic Attack" as a potent method. When juxtaposed with leading-edge adversarial sample generation techniques, our approach stands out, delivering unrivaled performance in tasks as varied as Voice Emotion Classification and Speaker Identification. Our method triumphs in creating adversarial samples that not only carry out successful attacks with enhanced efficacy but also conserve the natural features of the voice, underscoring the critical need for fortified security in speech-processing technologies.

computer science, information systems,telecommunications,engineering, electrical & electronic

You Zhang,Fei Jiang,Zhiyao Duan

DOI: https://doi.org/10.1109/LSP.2021.3076358

2021-02-09

Abstract:Human voices can be used to authenticate the identity of the speaker, but the automatic speaker verification (ASV) systems are vulnerable to voice spoofing attacks, such as impersonation, replay, text-to-speech, and voice conversion. Recently, researchers developed anti-spoofing techniques to improve the reliability of ASV systems against spoofing attacks. However, most methods encounter difficulties in detecting unknown attacks in practical use, which often have different statistical distributions from known attacks. Especially, the fast development of synthetic voice spoofing algorithms is generating increasingly powerful attacks, putting the ASV systems at risk of unseen attacks. In this work, we propose an anti-spoofing system to detect unknown synthetic voice spoofing attacks (i.e., text-to-speech or voice conversion) using one-class learning. The key idea is to compact the bona fide speech representation and inject an angular margin to separate the spoofing attacks in the embedding space. Without resorting to any data augmentation methods, our proposed system achieves an equal error rate (EER) of 2.19% on the evaluation set of ASVspoof 2019 Challenge logical access scenario, outperforming all existing single systems (i.e., those without model ensemble).

Audio and Speech Processing,Sound

Feiyu Han,Panlong Yang,Haohua Du,Xiang-Yang Li

DOI: https://doi.org/10.1145/3560905.3568522

2022-01-01

Abstract:Most existing voice-based user authentication systems mainly rely on microphones to capture the unique vocal characteristics of an individual, which makes these systems vulnerable to various acoustic attacks and suffer high-security risks. In this work, we present Accuth , a novel authentication system that takes advantage of a low-cost accelerometer to verify the user's identity and resist spoofing acoustic attacks. Accuth captures unique sound vibrations during the human pronunciation process and extracts multi-level features to verify the user's identity. Specifically, we analyze and model the differences between the physical sound field of human beings and loudspeakers, and extract a novel sound-field-level liveness feature to defend against spoofing attacks. Accuth is an effective complement to existing authentication approaches as it only leverages a ubiquitous, low-cost, and small-size accelerometer. In real-world experiments, Accuth achieves over 90% identification accuracy among 15 human participants and an average equal error rate (EER) of 3.02% for spoofing attack detection.