改进Xception网络的声纹对抗检测研究

doi:10.3778/j.issn.1002-8331.2203-0228

摘要/Abstract

摘要： 近年来，针对说话人识别模型的对抗攻击引起了广泛的关注，对说话人识别系统的安全构成了严重的威胁。为了解决现有的声纹对抗样本检测方法参数量过大、鲁棒性差的问题，提出一个声纹对抗样本检测模型e_Xception，该模型以Xception为主干网络，嵌入高效通道注意力（efficient channel attention，ECA）模块，充分提取语音特征。通过合理减少网络模型的宽度，设计了一个轻量级网络模型e_halfXception，减少参数量的同时，仍保持较高的精度。提出一种高频掩码的语音数据增强策略HF-Mask，提高模型的泛化性。实验结果证明，在对FGSM、BIM、PGD、MI-FGSM、C&W、FAKEBOB六种对抗样本的检测中，取得了较高的准确率，优于其他检测方法，并对模型开展了未知攻击算法、未知目标模型、未知扰动程度的鲁棒性研究，验证了模型的泛化能力。

关键词: 说话人识别, 对抗攻击, 对抗检测, Xception网络, 数据增强, 鲁棒性

Abstract: Adversarial attacks against speaker recognition models have attracted widespread attention and posed a serious threat to speaker recognition systems’ security in recent years. A voiceprint adversarial sample detection model e_Xception is proposed to solve the problems of excessive parameter size and poor robustness of existing voiceprint adversarial sample detection methods. Xception is taken as the backbone network and embeds efficient channel attention（ECA） modules to fully extract speech features. A lightweight network model e_halfXception is designed to reduce parameters’ number while still maintaining high accuracy by reasonably reducing the width of the network model. Finally, a high-frequency masked speech data enhancement strategy HF-Mask is proposed to improve the model’s generalization. Experimental results demonstrate that high accuracy is achieved in the detection of six adversarial samples, FGSM, BIM, PGD, MI-FGSM, C&W and FAKEBOB, outperforming other detection methods, and the robustness of the model is investigated unknown attack algorithms, unknown target models, and unknown perturbation degrees, validating the model’s generalization.

Key words: speaker recognition, adversarial attack, adversarial detection, XceptionNet, data augmentation, robustness

李烁, 顾益军, 谭昊, 彭舒凡. 改进Xception网络的声纹对抗检测研究[J]. 计算机工程与应用, 2023, 59(14): 232-241.

LI Shuo, GU Yijun, TAN Hao, PENG Shufan. Research on Voiceprint Adversarial Detection of Improved Xception Network[J]. Computer Engineering and Applications, 2023, 59(14): 232-241.

参考文献

[1] REYNOLDS D A，QUATIERI T F，DUNN R B.Speaker verification using adapted Gaussian mixture models[J].Digital Signal Processing，2000，10（1/2/3）：19-41.
[2] DEHAK N，KENNY P J，DEHAK R，et al.Front-end factor analysis for speaker verification[J].IEEE Transactions on Audio，Speech，and Language Processing，2010，19（4）：788-798.
[3] SNYDER D，GARCIA-ROMERO D，SELL G，et al.X-vectors：robust DNN embeddings for speaker recognition[C]//2018 IEEE International Conference on Acoustics，Speech and Signal Processing（ICASSP），Calgary，April 15-20，2018.New York：IEEE，2018：5329-5333.
[4] ZEINALI H，WANG S，SILNOVA A，et al.But system description to voxceleb speaker recognition challenge 2019[J].arXiv：1910.12592，2019.
[5] PRINCE S J D，ELDER J H.Probabilistic linear discriminant analysis for inferences about identity[C]//2007 IEEE 11th International Conference on Computer Vision，Rio de Janeiro，October 14-20，2007.New York：IEEE，2007：1-8.
[6] SZEGEDY C，ZAREMBA W，SUTSKEVER I，et al.Intriguing properties of neural networks[J].arXiv：1312.6199，2013.
[7] BALUJA S，FISCHER I.Adversarial transformation networks：learning to generate adversarial examples[J].arXiv：1703.
09387，2017.
[8] XIE C，ZHANG Z，ZHOU Y，et al.Improving transferability of adversarial examples with input diversity[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition，Long Beach，June 16-20，2019.New York：IEEE，2019：2730-2739.
[9] JIA R，LIANG P.Adversarial examples for evaluating reading comprehension systems[J].arXiv：1707.07328，2017.
[10] EGER S，?AHIN G G，RüCKLé A，et al.Text processing like humans do：visually attacking and shielding NLP systems[J].arXiv：1903.11508，2019.
[11] SCH?NHERR L，KOHLS K，ZEILER S，et al.Adversarial attacks against automatic speech recognition systems via psychoacoustic hiding[J].arXiv：1808.05665，2018.
[12] QIN Y，CARLINI N，COTTRELL G，et al.Imperceptible，robust，and targeted adversarial examples for automatic speech recognition[C]//International Conference on Machine Learning，Long Beach，June 9-15，2019.New York：ACM，2019：5231-5240.
[13] KREUK F，ADI Y，CISSE M，et al.Fooling end-to-end speaker verification with adversarial examples[C]//2018 IEEE International Conference on Acoustics，Speech and Signal Processing（ICASSP），Calgary，April 15-20，2018.New York：IEEE，2018：1962-1966.
[14] 廖俊帆，顾益军，张培晶，等.端到端说话人辨认的对抗样本应用比较研究[J].计算机工程，2021，47（6）：132-141.
LIAO J F，GU Y J，ZHANG P J，et al.Comparative research on application of adversarial samples for end-to-end speaker identification[J].Computer Engineering，2021，47（6）：132-141.
[15] GOODFELLOW I J，SHLENS J，SZEGEDY C.Explaining and harnessing adversarial examples[J].arXiv：1412.6572，2014.
[16] KURAKIN A，GOODFELLOW I J，BENGIO S.Adversarial examples in the physical world[M]//Artificial intelligence safety and security.[S.l.]：Chapman and Hall/CRC，2018：99-112.
[17] MADRY A，MAKELOV A，SCHMIDT L，et al.Towards deep learning models resistant to adversarial attacks[J].arXiv：1706.06083，2017.
[18] DONG Y，LIAO F，PANG T，et al.Boosting adversarial attacks with momentum[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition，Salt Lake City，June 18-22，2018.New York：IEEE，2018：9185-9193.
[19] CARLINI N，WAGNER D.Towards evaluating the robustness of neural networks[C]//2017 IEEE Symposium on Security and Privacy（sp），San Jose，May 22-26，2017.New York：IEEE，2017：39-57.
[20] PAPERNOT N，MCDANIEL P，JHA S，et al.The limitations of deep learning in adversarial settings[C]//2016 IEEE European Symposium on Security and Privacy（EuroS&P），Saarbrücken，March 21-24，2016.New York：IEEE，2016：372-387.
[21] CHEN G，CHENB S，FAN L，et al.Who is real bob? adversarial attacks on speaker recognition systems[C]//2021 IEEE Symposium on Security and Privacy（SP），San Francisco，May 24-27，2021.New York：IEEE，2021：694-711.
[22] DU T，JI S，LI J，et al.Sirenattack：generating adversarial audio for end-to-end acoustic systems[C]//Proceedings of the 15th ACM Asia Conference on Computer and Communications Security，Taipei，October 5-9，2020.New York：ACM，2020：357-369.
[23] SUN S，YEH C F，OSTENDORF M，et al.Training augmentation with adversarial examples for robust speech recognition[J].arXiv：1806.02782，2018.
[24] PAL M，JATI A，PERI R，et al.Adversarial defense for deep speaker recognition using hybrid adversarial training[C]//2021 IEEE International Conference on Acoustics，Speech and Signal Processing（ICASSP），Toronto，June 6-11，2021.New York：IEEE，2021：6164-6168.
[25] RAJARATNAM K，KALITA J.Noise flooding for detecting audio adversarial examples against automatic speech recognition[C]//2018 IEEE International Symposium on Signal Processing and Information Technology（ISSPIT），Louisville，December 6-8，2018.New York：IEEE，2018：197-201.
[26] ANDRONIC I，KüRZINGER L，CHAVEZ ROSAS E R，et al.MP3 compression to diminish adversarial noise in end-to-end speech recognition[C]//International Conference on Speech and Computer，St.Petersburg，October 7-9，2020.Berlin：Springer，2020：22-34.
[27] LI X，LI N，ZHONG J，et al.Investigating robustness of adversarial samples detection for automatic speaker verification[J].arXiv：2006.06186，2020.
[28] NAUTSCH A，WANG X，EVANS N，et al.ASVspoof 2019：spoofing countermeasures for the detection of synthesized，converted and replayed speech[J].IEEE Transactions on Biometrics，Behavior，and Identity Science，2021，3（2）：252-265.
[29] CHOLLET F.Xception：deep learning with depthwise separable convolutions[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition，Honolulu，July 21-26，2017.New York：IEEE，2017：1251-1258.
[30] WANG Q，WU B，ZHU P，et al.ECA-Net：efficient channel attention for deep convolutional neural networks[C]//2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition（CVPR），Seattle，June 13-19，2020.New York：IEEE，2020：3-8.
[31] PARK D S，CHAN W，ZHANG Y，et al.SpecAugment：a simple data augmentation method for automatic speech recognition[J].arXiv：1904.08779，2019.
[32] SZEGEDY C，VANHOUCKE V，IOFFE S，et al.Rethinking the inception architecture for computer vision[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition，Las Vegas，June 27-30，2016.New York：IEEE，2016：2818-2826.
[33] HU J，SHEN L，SUN G.Squeeze-and-excitation networks[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition，Salt Lake City，June 18-22，2018.New York：IEEE，2018：7132-7141.
[34] LIAO F，LIANG M，DONG Y，et al.Defense against adversarial attacks using high-level representation guided denoiser[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition，Salt Lake City，June 18-22，2018.New York：IEEE，2018：1778-1787.
[35] PANAYOTOV V，CHEN G，POVEY D，et al.Librispeech：an ASR corpus based on public domain audio books[C]//2015 IEEE International Conference on Acoustics，Speech and Signal Processing（ICASSP），South Brisbane，April 19-24，2015.New York：IEEE，2015：5206-5210.