Adversarial Attacks on Spoofing Countermeasures of automatic speaker verification
This work addresses security risks in speaker verification systems, showing that existing spoofing countermeasures are not robust to adversarial attacks, which is an incremental but important finding for the field.
The paper investigates the vulnerability of spoofing countermeasure systems for automatic speaker verification to adversarial attacks, finding that all tested models are vulnerable to white-box attacks using FGSM and PGD methods, and black-box attacks are also effective.
High-performance spoofing countermeasure systems for automatic speaker verification (ASV) have been proposed in the ASVspoof 2019 challenge. However, the robustness of such systems under adversarial attacks has not been studied yet. In this paper, we investigate the vulnerability of spoofing countermeasures for ASV under both white-box and black-box adversarial attacks with the fast gradient sign method (FGSM) and the projected gradient descent (PGD) method. We implement high-performing countermeasure models in the ASVspoof 2019 challenge and conduct adversarial attacks on them. We compare performance of black-box attacks across spoofing countermeasure models with different network architectures and different amount of model parameters. The experimental results show that all implemented countermeasure models are vulnerable to FGSM and PGD attacks under the scenario of white-box attack. The more dangerous black-box attacks also prove to be effective by the experimental results.