ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (11): 2350-2363.doi: 10.7544/issn1000-1239.2021.20210632

所属专题: 2021密码学与网络空间安全治理专题

• 信息安全 • 上一篇    下一篇

基于单“音频像素”扰动的说话人识别隐蔽攻击

沈轶杰1,李良澄1,刘子威1,刘天天1,罗浩1,沈汀3,林峰1,2,任奎1   

  1. 1(浙江大学网络空间安全研究中心 杭州 310027);2(浙江省区块链与网络空间治理重点实验室(浙江大学) 杭州 310027);3(浙江东安检测技术有限公司 杭州 310063) (shenyijie@zju.edu.cn)
  • 出版日期: 2021-11-01
  • 基金资助: 
    国家重点研发计划项目(2020AAA0107700);国家自然科学基金项目(62032021,61772236,61972348);浙江省重点研发计划项目(2019C03133);浙江省引进培育领军型创新创业团队项目(2018R01005);阿里巴巴-浙江大学前沿技术联合研究中心项目;网络空间国际治理研究基地项目

Stealthy Attack Towards Speaker Recognition Based on One-“Audio Pixel” Perturbation

Shen Yijie1, Li Liangcheng1, Liu Ziwei1, Liu Tiantian1, Luo Hao1, Shen Ting3, Lin Feng1,2, Ren Kui1   

  1. 1(Institute of Cyberspace Research, Zhejiang University, Hangzhou 310027);2(Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province (Zhejiang University), Hangzhou 310027);3(Zhejiang Dong’an Testing Technology Co., Ltd., Hangzhou 310063)
  • Online: 2021-11-01
  • Supported by: 
    This work was supported by the National Key Research and Development Program of China (2020AAA0107700), the National Natural Science Foundation of China(62032021, 61772236, 61972348), Zhejiang Key Research and Development Plan (2019C03133), the Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (2018R01005), the Fund of Alibaba-Zhejiang University Joint Institute of Frontier Technologies, and the Fund of Research Institute of Cyberspace Governance in Zhejiang University.

摘要: 目前针对说话人识别的攻击需要对音频注入长时间的扰动,因此容易被机器或者管理人员发现.提出了一种新颖的基于单“音频像素”扰动的针对说话人识别的隐蔽攻击.该攻击利用了差分进化算法不依赖于模型的黑盒特性和不依赖梯度信息的搜索模式,克服了已有攻击中扰动时长无法被约束的问题,实现了使用单“音频像素”扰动的有效攻击.特别地,设计了一种基于音频段-音频点-扰动值多元组的候选点构造模式,针对音频数据的时序特性,解决了在攻击方案中差分进化算法的候选点难以被描述的问题.攻击在LibriSpeech数据集上针对60个人的实验表明这一攻击能达到100%的成功率.还开展了大量的实验探究不同条件(如性别、数据集、说话人识别方法等)对于隐蔽攻击性能的影响.上述实验的结果为进行有效地攻击提供了指导.同时,提出了分别基于去噪器、重建算法和语音压缩的防御思路.

关键词: 单“音频像素”扰动, 黑盒攻击, 说话人识别, 差分进化算法, 扰动攻击

Abstract: Attacks towards the speaker recognition system need to inject a long-time perturbation, so it is easy to be detected by machines or administrators. We propose a novel attack towards the speaker recognition based on one-“audio pixel”. Such attack uses the black-box characteristics and search mode of the differential evolution algorithm that does not rely on the model and the gradient information. It overcomes the problem in previous works that the disturbance duration cannot be constrained. Thus, our attack effectively spoofs the speaker recognition via one-“audio pixel” perturbation. In particular, we design a candidate point construction model based on the audio-point-disturbance tuple targeting time series of audio data. It solves the problem that candidate points of differential evolution algorithm are difficult to be described against our attack. The success rate of our attack achieves 100% targeting 60 people in LibriSpeech dataset. In addition, we also conduct abundant experiments to explore the impact of different conditions (e.g., gender, dataset and speaker recognition method) on the performance of our stealthy attack. The result of above experiments provides guidance for effective attacks. At the same time, we put forward ideas based on denoising, reconstruction algorithm and speech compression to defend against our stealthy attack, respectively.

Key words: one-“audio pixel” perturbation, black-box attack, speaker recognition, differential evolution algorithm, perturbation attack

中图分类号: