De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks
This work addresses privacy and security concerns for individuals vulnerable to voice cloning attacks, but it is incremental as it builds on existing purification methods.
The study systematically evaluates protective adversarial perturbations against voice cloning attacks under realistic threat models that include perturbation purification. It finds that existing purification methods neutralize a considerable portion of the protective perturbations but still leave distortions in the feature space of voice cloning models, which degrades cloning performance. It then proposes a novel two-stage purification method that outperforms state-of-the-art approaches in disrupting these defenses.
The rapid advancement of speech generation models has heightened privacy and security concerns related to voice cloning (VC). Recent studies have investigated disrupting unauthorized voice cloning by introducing adversarial perturbations. However, determined attackers can mitigate these protective perturbations and successfully execute VC. In this study, we conduct the first systematic evaluation of these protective perturbations against VC under realistic threat models that include perturbation purification. Our findings reveal that while existing purification methods can neutralize a considerable portion of the protective perturbations, they still lead to distortions in the feature space of VC models, which degrades the performance of VC. From this perspective, we propose a novel two-stage purification method: (1) Purify the perturbed speech; (2) Refine it using phoneme guidance to align it with the clean speech distribution. Experimental results demonstrate that our method outperforms state-of-the-art purification methods in disrupting VC defenses. Our study reveals the limitations of adversarial perturbation-based VC defenses and underscores the urgent need for more robust solutions to mitigate the security and privacy risks posed by VC. The code and audio samples are available at https://de-antifake.github.io.