Defense against adversarial attacks on spoofing countermeasures of ASV
This work addresses security concerns for ASV systems by enhancing robustness against adversarial spoofing, though it is incremental as it applies known defense techniques to a new domain.
The paper tackles the vulnerability of automatic speaker verification (ASV) spoofing countermeasures to adversarial attacks by introducing spatial smoothing and adversarial training as defense methods, showing that these approaches positively improve model robustness against such attacks.
Various forefront countermeasure methods for automatic speaker verification (ASV) with considerable performance in anti-spoofing are proposed in the ASVspoof 2019 challenge. However, previous work has shown that countermeasure models are vulnerable to adversarial examples indistinguishable from natural data. A good countermeasure model should not only be robust against spoofing audio, including synthetic, converted, and replayed audios; but counteract deliberately generated examples by malicious adversaries. In this work, we introduce a passive defense method, spatial smoothing, and a proactive defense method, adversarial training, to mitigate the vulnerability of ASV spoofing countermeasure models against adversarial examples. This paper is among the first to use defense methods to improve the robustness of ASV spoofing countermeasure models under adversarial attacks. The experimental results show that these two defense methods positively help spoofing countermeasure models counter adversarial examples.