Backdoor Attack against Speaker Verification

TL;DR

This paper reveals a novel backdoor attack method on speaker verification systems that uses poisoning of training data with cluster-specific triggers, enabling attackers to bypass verification without knowing enrolled speakers.

Contribution

It introduces a clustering-based poisoning attack tailored for speaker verification, highlighting a new security threat and providing a baseline for developing more robust models.

Findings

Poisoned models pass verification with attacker-specified triggers

Existing backdoor methods are ineffective against speaker verification

The attack maintains normal performance on benign samples

Abstract

Speaker verification has been widely and successfully adopted in many mission-critical areas for user identification. The training of speaker verification requires a large amount of data, therefore users usually need to adopt third-party data ($e.g.$, data from the Internet or third-party data company). This raises the question of whether adopting untrusted third-party data can pose a security threat. In this paper, we demonstrate that it is possible to inject the hidden backdoor for infecting speaker verification models by poisoning the training data. Specifically, we design a clustering-based attack scheme where poisoned samples from different clusters will contain different triggers ($i.e.$, pre-defined utterances), based on our understanding of verification tasks. The infected models behave normally on benign samples, while attacker-specified unenrolled triggers will successfully pass the verification even if the attacker has no information about the enrolled speaker. We also demonstrate that existing backdoor attacks cannot be directly adopted in attacking speaker verification. Our approach not only provides a new perspective for designing novel attacks, but also serves as a strong baseline for improving the robustness of verification methods. The code for reproducing main results is available at \url{https://github.com/zhaitongqing233/Backdoor-attack-against-speaker-verification}.