Study of Pre-processing Defenses against Adversarial Attacks on State-of-the-art Speaker Recognition Systems

TL;DR

This paper investigates the vulnerability of state-of-the-art speaker recognition systems to white-box adversarial attacks and evaluates four pre-processing defenses, finding that Parallel WaveGAN combined with randomized smoothing offers the best protection.

Contribution

It introduces and compares four pre-processing defenses against adversarial attacks on speaker recognition systems, demonstrating their effectiveness in a white-box attack scenario.

Findings

SR systems are highly vulnerable to BIM, PGD, and CW attacks.

PWG with randomized smoothing significantly improves robustness, achieving 93% accuracy.

Defense methods outperform baseline adversarial training in protecting SR systems.

Abstract

Adversarial examples to speaker recognition (SR) systems are generated by adding a carefully crafted noise to the speech signal to make the system fail while being imperceptible to humans. Such attacks pose severe security risks, making it vital to deep-dive and understand how much the state-of-the-art SR systems are vulnerable to these attacks. Moreover, it is of greater importance to propose defenses that can protect the systems against these attacks. Addressing these concerns, this paper at first investigates how state-of-the-art x-vector based SR systems are affected by white-box adversarial attacks, i.e., when the adversary has full knowledge of the system. x-Vector based SR systems are evaluated against white-box adversarial attacks common in the literature like fast gradient sign method (FGSM), basic iterative method (BIM)--a.k.a. iterative-FGSM--, projected gradient descent (PGD), and Carlini-Wagner (CW) attack. To mitigate against these attacks, the paper proposes four pre-processing defenses. It evaluates them against powerful adaptive white-box adversarial attacks, i.e., when the adversary has full knowledge of the system, including the defense. The four pre-processing defenses--viz. randomized smoothing, DefenseGAN, variational autoencoder (VAE), and Parallel WaveGAN vocoder (PWG) are compared against the baseline defense of adversarial training. Conclusions indicate that SR systems were extremely vulnerable under BIM, PGD, and CW attacks. Among the proposed pre-processing defenses, PWG combined with randomized smoothing offers the most protection against the attacks, with accuracy averaging 93% compared to 52% in the undefended system and an absolute improvement >90% for BIM attacks with $L_\infty>0.001$ and CW attack.