Paper ID | SPE-19.4 | ||
Paper Title | FOOLHD: FOOLING SPEAKER IDENTIFICATION BY HIGHLY IMPERCEPTIBLE ADVERSARIAL DISTURBANCES | ||
Authors | Ali Shahin Shamsabadi, Queen Mary University of London, United Kingdom; Francisco Sepúlveda Teixeira, Alberto Abad, University of Lisbon, Portugal; Bhiksha Raj, Carnegie Mellon University, United States; Andrea Cavallaro, Queen Mary University of London, United Kingdom; Isabel Trancoso, University of Lisbon, Portugal | ||
Session | SPE-19: Speaker Recognition 3: Attention and Adversarial | ||
Location | Gather.Town | ||
Session Time: | Wednesday, 09 June, 14:00 - 14:45 | ||
Presentation Time: | Wednesday, 09 June, 14:00 - 14:45 | ||
Presentation | Poster | ||
Topic | Speech Processing: [SPE-SPKR] Speaker Recognition and Characterization | ||
IEEE Xplore Open Preview | Click here to view in IEEE Xplore | ||
Abstract | Speaker identification models are vulnerable to carefully designed adversarial perturbations of their input signals that induce misclassification. In this work, we propose a white-box steganography-inspired adversarial attack that generates imperceptible adversarial perturbations against a speaker identification model. Our approach, FoolHD, uses a Gated Convolutional Autoencoder that operates in the DCT domain and is trained with a multi-objective loss function, to generate and conceal the adversarial perturbation within the original audio files. In addition to hindering speaker identification performance, this multi-objective loss accounts for human perception through a frame-wise cosine similarity between MFCC feature vectors extracted from the original and adversarial audio files. We validate the effectiveness of FoolHD with a 250-speaker identification x-vector network, trained using VoxCeleb, in terms of accuracy, success rate, and imperceptibility. Our results show that FoolHD generates highly imperceptible adversarial audio files (average PESQ scores above 4.30), while achieving a success rate of 99.6% and 99.2% in misleading the speaker identification model, for untargeted and targeted settings, respectively. |