Computer Engineering and Applications ›› 2023, Vol. 59 ›› Issue (21): 151-158. DOI: 10.3778/j.issn.1002-8331.2207-0476

• Pattern Recognition and Artificial Intelligence •

Space-Time Gradient Iterative Voiceprint Adversarial Attack Algorithm STI-FGSM

LI Shuo, GU Yijun, TAN Hao   

  1. College of Information and Cyber Security, People's Public Security University of China, Beijing 100038, China
  2. Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China
  • Online: 2023-11-01 Published: 2023-11-01

Abstract: To address the insufficient use of gradient information and the poor transferability of current voiceprint adversarial attack algorithms, a space-time iterative fast gradient sign method (STI-FGSM) is proposed for attacking speaker recognition models. Building on the momentum iterative fast gradient sign method (MI-FGSM), the algorithm first fuses momentum with temporal gradient information, using the gradient observed at the next step to correct the perturbation update direction. It then introduces spatial gradient information to fully learn the regional information of the speech samples and accumulate spatial gradient momentum across different regions. Finally, it incorporates a perturbation ensemble method that makes full use of known white-box models, superimposing perturbations from multiple models to further improve the black-box attack success rate. Experimental results show that STI-FGSM achieves strong white-box attacks and a high black-box attack success rate against four speaker recognition models: ResNetSE34V2, TDy_ResNet34_half, x-vector, and ECAPA-TDNN, and that it outperforms other algorithms.

Key words: speaker recognition, adversarial attack, gradient, perturbation ensemble, white-box attack, black-box attack, transferability