Malafide: a novel adversarial convolutive noise attack against deepfake and spoofing detection systems

TL;DR

Malafide introduces a universal, efficient adversarial noise attack that significantly compromises deepfake and spoofing detection systems by optimizing a small set of filter coefficients, even in black-box scenarios.

Contribution

The paper proposes Malafide, a novel convolutional noise attack that is input-independent, robust, and effective against various spoofing countermeasures in speaker verification systems.

Findings

Malafide degrades CM performance by an order of magnitude.

It is effective even in black-box attack settings.

Self-supervised learning CMs show increased robustness against Malafide.

Abstract

We present Malafide, a universal adversarial attack against automatic speaker verification (ASV) spoofing countermeasures (CMs). By introducing convolutional noise using an optimised linear time-invariant filter, Malafide attacks can be used to compromise CM reliability while preserving other speech attributes such as quality and the speaker's voice. In contrast to other adversarial attacks proposed recently, Malafide filters are optimised independently of the input utterance and duration, are tuned instead to the underlying spoofing attack, and require the optimisation of only a small number of filter coefficients. Even so, they degrade CM performance estimates by an order of magnitude, even in black-box settings, and can also be configured to overcome integrated CM and ASV subsystems. Integrated solutions that use self-supervised learning CMs, however, are more robust, under both black-box and white-box settings.