Adversarial Transformation of Spoofing Attacks for Voice Biometrics

TL;DR

This paper introduces a new adversarial transformation network that creates sophisticated spoofing attacks capable of bypassing both anti-spoofing and speaker verification systems, revealing vulnerabilities in current voice biometric security.

Contribution

The study develops the first joint adversarial attack framework targeting combined voice biometric and anti-spoofing systems, demonstrating its effectiveness against state-of-the-art defenses.

Findings

ABTN outperforms existing adversarial techniques in white-box scenarios.

ABTN successfully fools both PAD and ASV systems in black-box settings.

The attacks significantly compromise the security of voice biometric systems.

Abstract

Voice biometric systems based on automatic speaker verification (ASV) are exposed to \textit{spoofing} attacks which may compromise their security. To increase the robustness against such attacks, anti-spoofing or presentation attack detection (PAD) systems have been proposed for the detection of replay, synthesis and voice conversion based attacks. Recently, the scientific community has shown that PAD systems are also vulnerable to adversarial attacks. However, to the best of our knowledge, no previous work have studied the robustness of full voice biometrics systems (ASV + PAD) to these new types of adversarial \textit{spoofing} attacks. In this work, we develop a new adversarial biometrics transformation network (ABTN) which jointly processes the loss of the PAD and ASV systems in order to generate white-box and black-box adversarial \textit{spoofing} attacks. The core idea of this system is to generate adversarial \textit{spoofing} attacks which are able to fool the PAD system without being detected by the ASV system. The experiments were carried out on the ASVspoof 2019 corpus, including both logical access (LA) and physical access (PA) scenarios. The experimental results show that the proposed ABTN clearly outperforms some well-known adversarial techniques in both white-box and black-box attack scenarios.