DUAP: Dual-task Universal Adversarial Perturbations Against Voice Control Systems

TL;DR

This paper introduces DUAP, a novel dual-task adversarial attack method that effectively disrupts both speech recognition and speaker identification in voice control systems, with high success and imperceptibility.

Contribution

The paper proposes DUAP, a dual-task attack leveraging a surrogate objective and ensemble strategy to attack combined voice recognition tasks, improving transferability and imperceptibility.

Findings

DUAP achieves high success rates against multiple ASR and SR models.

DUAP outperforms existing single-task adversarial attacks in effectiveness.

Perturbations generated by DUAP are highly imperceptible due to psychoacoustic masking.

Abstract

Modern Voice Control Systems (VCS) rely on the collaboration of Automatic Speech Recognition (ASR) and Speaker Recognition (SR) for secure interaction. However, prior adversarial attacks typically target these tasks in isolation, overlooking the coupled decision pipeline in real-world scenarios. Consequently, single-task attacks often fail to pose a practical threat. To fill this gap, we first utilize gradient analysis to reveal that ASR and SR exhibit no inherent conflicts. Building on this, we propose Dual-task Universal Adversarial Perturbation (DUAP). Specifically, DUAP employs a targeted surrogate objective to effectively disrupt ASR transcription and introduces a Dynamic Normalized Ensemble (DNE) strategy to enhance transferability across diverse SR models. Furthermore, we incorporate psychoacoustic masking to ensure perturbation imperceptibility. Extensive evaluations across five ASR and six SR models demonstrate that DUAP achieves high simultaneous attack success rates and superior imperceptibility, significantly outperforming existing single-task baselines.