Defense Against Adversarial Attacks on Audio DeepFake Detection

TL;DR

This paper evaluates and improves the robustness of audio DeepFake detection methods against adversarial attacks, introducing adaptive training and adapting RawNet3 for the first time to this task.

Contribution

It assesses the robustness of three detection architectures against adversarial attacks and proposes a novel adaptive training method to enhance their resilience, including the first adaptation of RawNet3 for DeepFake detection.

Findings

Robustness of detection architectures varies against adversarial attacks.

Adaptive training improves resilience of detection models.

RawNet3 is effectively adapted for DeepFake detection.

Abstract

Audio DeepFakes (DF) are artificially generated utterances created using deep learning, with the primary aim of fooling the listeners in a highly convincing manner. Their quality is sufficient to pose a severe threat in terms of security and privacy, including the reliability of news or defamation. Multiple neural network-based methods to detect generated speech have been proposed to prevent the threats. In this work, we cover the topic of adversarial attacks, which decrease the performance of detectors by adding superficial (difficult to spot by a human) changes to input data. Our contribution contains evaluating the robustness of 3 detection architectures against adversarial attacks in two scenarios (white-box and using transferability) and enhancing it later by using adversarial training performed by our novel adaptive training. Moreover, one of the investigated architectures is RawNet3, which, to the best of our knowledge, we adapted for the first time to DeepFake detection.