DeePen: Penetration Testing for Audio Deepfake Detection

TL;DR

This paper introduces DeePen, a systematic method for testing the robustness of deepfake audio detectors using signal processing attacks, revealing widespread vulnerabilities in current systems.

Contribution

DeePen is a novel, model-agnostic penetration testing approach that uncovers vulnerabilities in deepfake audio detection systems without prior model access.

Findings

All tested systems are vulnerable to simple signal manipulations.

Some attacks can be mitigated by retraining, others remain effective.

Real-world and academic models both exhibit weaknesses.

Abstract

Deepfakes - manipulated or forged audio and video media - pose significant security risks to individuals, organizations, and society at large. To address these challenges, machine learning-based classifiers are commonly employed to detect deepfake content. In this paper, we assess the robustness of such classifiers through a systematic penetration testing methodology, which we introduce as DeePen. Our approach operates without prior knowledge of or access to the target deepfake detection models. Instead, it leverages a set of carefully selected signal processing modifications - referred to as attacks - to evaluate model vulnerabilities. Using DeePen, we analyze both real-world production systems and publicly available academic model checkpoints, demonstrating that all tested systems exhibit weaknesses and can be reliably deceived by simple manipulations such as time-stretching or echo addition. Furthermore, our findings reveal that while some attacks can be mitigated by retraining detection systems with knowledge of the specific attack, others remain persistently effective.