Interpretable Spectrum Transformation Attacks to Speaker Recognition

TL;DR

This paper introduces a spectral transformation attack framework using modified discrete cosine transform to enhance transferability and interpretability of adversarial voices in speaker recognition, with visual explanations via saliency maps.

Contribution

It proposes a novel time-frequency domain attack method, STA-MDCT, improving transferability and interpretability over existing time-domain approaches in speaker recognition adversarial attacks.

Findings

STA-MDCT significantly outperforms existing attack methods.

Saliency maps provide clear interpretability of attack success.

Ensemble of surrogate models enhances attack transferability.

Abstract

The success of adversarial attacks to speaker recognition is mainly in white-box scenarios. When applying the adversarial voices that are generated by attacking white-box surrogate models to black-box victim models, i.e. \textit{transfer-based} black-box attacks, the transferability of the adversarial voices is not only far from satisfactory, but also lacks interpretable basis. To address these issues, in this paper, we propose a general framework, named spectral transformation attack based on modified discrete cosine transform (STA-MDCT), to improve the transferability of the adversarial voices to a black-box victim model. Specifically, we first apply MDCT to the input voice. Then, we slightly modify the energy of different frequency bands for capturing the salient regions of the adversarial noise in the time-frequency domain that are critical to a successful attack. Unlike existing approaches that operate voices in the time domain, the proposed framework operates voices in the time-frequency domain, which improves the interpretability, transferability, and imperceptibility of the attack. Moreover, it can be implemented with any gradient-based attackers. To utilize the advantage of model ensembling, we not only implement STA-MDCT with a single white-box surrogate model, but also with an ensemble of surrogate models. Finally, we visualize the saliency maps of adversarial voices by the class activation maps (CAM), which offers an interpretable basis to transfer-based attacks in speaker recognition for the first time. Extensive comparison results with five representative attackers show that the CAM visualization clearly explains the effectiveness of STA-MDCT, and the weaknesses of the comparison methods; the proposed method outperforms the comparison methods by a large margin.