SA: Sliding attack for synthetic speech detection with resistance to clipping and self-splicing

TL;DR

This paper introduces the sliding attack, a new adversarial attack method for synthetic speech detection that improves transferability of adversarial examples across different input lengths and models, especially under clipping and self-splicing conditions.

Contribution

The paper proposes a novel sliding attack method that enhances transferability of adversarial examples in audio models with varying input lengths and features, addressing practical clipping and self-splicing scenarios.

Findings

Significantly improves transferability of adversarial examples after clipping or self-splicing.

Enhances transferability between models based on different features.

Effective against state-of-the-art synthetic speech detection models.

Abstract

Deep neural networks are vulnerable to adversarial examples that mislead models with imperceptible perturbations. In audio, although adversarial examples have achieved incredible attack success rates on white-box settings and black-box settings, most existing adversarial attacks are constrained by the input length. A More practical scenario is that the adversarial examples must be clipped or self-spliced and input into the black-box model. Therefore, it is necessary to explore how to improve transferability in different input length settings. In this paper, we take the synthetic speech detection task as an example and consider two representative SOTA models. We observe that the gradients of fragments with the same sample value are similar in different models via analyzing the gradients obtained by feeding samples into the model after cropping or self-splicing. Inspired by the above observation, we propose a new adversarial attack method termed sliding attack. Specifically, we make each sampling point aware of gradients at different locations, which can simulate the situation where adversarial examples are input to black-box models with varying input lengths. Therefore, instead of using the current gradient directly in each iteration of the gradient calculation, we go through the following three steps. First, we extract subsegments of different lengths using sliding windows. We then augment the subsegments with data from the adjacent domains. Finally, we feed the sub-segments into different models to obtain aggregate gradients to update adversarial examples. Empirical results demonstrate that our method could significantly improve the transferability of adversarial examples after clipping or self-splicing. Besides, our method could also enhance the transferability between models based on different features.