Inaudible Adversarial Perturbations for Targeted Attack in Speaker Recognition
This work addresses security risks in biometric authentication by demonstrating a targeted attack on speaker recognition systems, which is incremental as it adapts adversarial techniques from other domains to audio.
The authors tackled the vulnerability of speaker recognition systems by generating inaudible adversarial perturbations using psychoacoustic frequency masking, achieving up to 98.5% attack success rate on arbitrary gender targets while remaining indistinguishable to listeners.
Speaker recognition is a popular topic in biometric authentication and many deep learning approaches have achieved extraordinary performances. However, it has been shown in both image and speech applications that deep neural networks are vulnerable to adversarial examples. In this study, we aim to exploit this weakness to perform targeted adversarial attacks against the x-vector based speaker recognition system. We propose to generate inaudible adversarial perturbations achieving targeted white-box attacks to speaker recognition system based on the psychoacoustic principle of frequency masking. Specifically, we constrict the perturbation under the masking threshold of original audio, instead of using a common l_p norm to measure the perturbations. Experiments on Aishell-1 corpus show that our approach yields up to 98.5% attack success rate to arbitrary gender speaker targets, while retaining indistinguishable attribute to listeners. Furthermore, we also achieve an effective speaker attack when applying the proposed approach to a completely irrelevant waveform, such as music.