Defend Data Poisoning Attacks on Voice Authentication
Ke Li, Cameron Baird, Dan Lin

TL;DR
This paper demonstrates a simple data poisoning attack on voice authentication systems and proposes Guardian, a CNN-based discriminator that detects attacked accounts with high accuracy.
Contribution
It introduces a novel data poisoning attack on voice authentication and a robust defense method called Guardian that significantly improves detection accuracy.
Findings
Guardian detects about 95% of attacked accounts
Existing defenses only achieve around 60% accuracy
The attack is easy to implement and hard to defend against
Abstract
With the advances in deep learning, speaker verification has achieved very high accuracy and is gaining popularity as a type of biometric authentication option in many scenes of our daily life, especially the growing market of web services. Compared to traditional passwords, "vocal passwords" are much more convenient as they relieve people from memorizing different passwords. However, new machine learning attacks are putting these voice authentication systems at risk. Without a strong security guarantee, attackers could access legitimate users' web accounts by fooling the deep neural network (DNN) based voice recognition models. In this paper, we demonstrate an easy-to-implement data poisoning attack on the voice authentication system, which can hardly be captured by existing defense mechanisms. Thus, we propose a more robust defense method, called Guardian, which is a convolutional…
Taxonomy
Topics: Speech Recognition and Synthesis · Hate Speech and Cyberbullying Detection · Natural Language Processing Techniques
