Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems

Chen, Guangke; Chenb, Sen; Fan, Lingling; Du, Xianfeng; Zhao, Zhe; Song, Fu; Liu, Yang

doi:10.1109/sp40001.2021.00004

Cited by 123 publications

(155 citation statements)

References 65 publications

Supporting

Mentioning

152

Contrasting

Order By: Relevance

“…As shown in Section IV, one straightforward countermeasure by attackers is to reduce the perturbation threshold so that the standard deviation of perturbations (i.e., σ) can be less than σ D in Equation (23). However, as shown in [3] and in our experiments in Section VI-B, when decreases, the attack success rate of an adversarial attack would decrease as well. That is, a small value of can let adversarial attacks reduce the attacking power in the first place.…”

Section: A Reducing the Perturbation Thresholdmentioning

confidence: 49%

“…An attacker can design an adversarial example attack to make the SV system falsely accept an illegal user as a legitimate user. FAKEBOB is the state-of-the-art black-box adversarial attack against popular score-based SV systems such as GMM and i-vector [3]. The basic idea of FAKEBOB attacks is to find small perturbations p[n], so that an SV system would reject s should be small.…”

Section: B Fakebob Attacks Against Speaker Verification Systemsmentioning

confidence: 99%

“…The implementation of the FAKEBOB attack is summarized in Algorithm 1. In [3], FAKEBOB is shown to be able to achieve a very high targeted attack success rate on popular SV systems.…”

Section: B Fakebob Attacks Against Speaker Verification Systemsmentioning

confidence: 99%

“…Such a sniffing and spoofing attack requires an attacker to obtain a legitimate user's audio. The other attack is called adversarial attacks that generate a speech acceptable to the system by adding small and well-designed perturbations to an illegal user's speech [3], [1]. Such an attack does not need a copy of the legitimate user's speech and is imperceptible to humans.…”

Section: Introductionmentioning

confidence: 99%

“…Since the currently widely-used speaker verification systems, such as GMM, ivector, d-vector, and x-vector, are based on machine learning, they are vulnerable to adversarial attacks. Specially, Chen et al designed a black-box adversarial attack, called FAKEBOB, that does not require the implementation information of a speaker verification system and is effective against both open-source and commercial systems [3]. Moreover, it has been shown in [3] that several defense methods, including local smoothing, quantization, and temporal dependency detection [21], that work well against adversarial attacks in the image domain are not able to counteract FAKEBOB.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

On the Detection of Adaptive Adversarial Attacks in Speaker Verification Systems

Chen¹

2022

Preprint

View full text Add to dashboard Cite

Speaker verification systems have been widely used in smart phones and Internet of things devices to identify a legitimate user. In recent work, it has been shown that adversarial attacks, such as FAKEBOB, can work effectively against speaker verification systems. The goal of this paper is to design a detector that can distinguish an original audio from an audio contaminated by adversarial attacks. Specifically, our designed detector, called MEH-FEST, calculates the minimum energy in high frequencies from the short-time Fourier transform of an audio and uses it as a detection metric. Through both analysis and experiments, we show that our proposed detector is easy to implement, fast to process an input audio, and effective in determining whether an audio is corrupted by FAKEBOB attacks. The experimental results indicate that the detector is extremely effective: with near zero false positive and false negative rates for detecting FAKEBOB attacks in Gaussian mixture model (GMM) and i-vector speaker verification systems. Moreover, adaptive adversarial attacks against our proposed detector and their countermeasures are discussed and studied, showing the game between attackers and defenders.

show abstract

Section: A Reducing the Perturbation Thresholdmentioning

confidence: 49%

Section: B Fakebob Attacks Against Speaker Verification Systemsmentioning

confidence: 99%

“…The implementation of the FAKEBOB attack is summarized in Algorithm 1. In [3], FAKEBOB is shown to be able to achieve a very high targeted attack success rate on popular SV systems.…”

Section: B Fakebob Attacks Against Speaker Verification Systemsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

On the Detection of Adaptive Adversarial Attacks in Speaker Verification Systems

Chen¹

2022

Preprint

View full text Add to dashboard Cite

show abstract

Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers

Song

Lei

Chen

et al. 2021

Int J of Intelligent Sys

Self Cite

View full text Add to dashboard Cite

Machine learning (ML) based classifiers are vulnerable to evasion attacks, as shown by recent attacks. However, there is a lack of systematic study of evasion attacks on ML‐based anti‐phishing detection. In this study, we show that evasion attacks are not only effective on practical ML‐based classifiers, but can also be efficiently launched without destructing the functionalities and appearance. For this purpose, we propose three mutation‐based attacks, differing in the knowledge of the target classifier, addressing a key technical challenge: automatically crafting an adversarial sample from a known phishing website in a way that can mislead classifiers. To launch attacks in the white‐ and gray‐box scenarios, we also propose a sample‐based collision attack to gain the knowledge of the target classifier. We demonstrate the efficacy of our evasion attacks on the state‐of‐the‐art, Google's phishing page filter, achieved 100% attack success rate in less than one second per website. Moreover, the transferability attack on BitDefender's industrial phishing page classifier, TrafficLight, achieved up to 81.25% attack success rate. We further propose a similarity‐based method to mitigate such evasion attacks, Pelican, which compares the similarity of an unknown website with recently detected phishing websites. We demonstrate that Pelican can effectively detect evasion attacks, hence could be integrated into ML‐based classifiers. We also highlight two strategies of classification rule selection to enhance the robustness of classifiers. Our findings contribute to design more robust phishing website classifiers in practice.

show abstract

Voxstructor: Voice Reconstruction from Voiceprint

Zhu

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems

Cited by 123 publications

References 65 publications

On the Detection of Adaptive Adversarial Attacks in Speaker Verification Systems

On the Detection of Adaptive Adversarial Attacks in Speaker Verification Systems

Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers

Voxstructor: Voice Reconstruction from Voiceprint

Contact Info

Product

Resources

About