Research On The Defense Mechanism Of Audio Adversarial Attack

Voice plays an important role in human-computer interaction.In addition to transmitting the instructions that the speaker wants to express,it also contains the speaker’s identity information.Speaker verification has a more convenient operation than face recognition and fingerprint recognition.It has a wide range of application scenarios as an authentication technology,such as smart home,in-car voice system,telephone banking,etc.However,in 2018,an adversarial attack against the speaker verification system emerged,which inserts a tiny perturbation imperceptible to the human ear into a piece of audio,so that an originally unregistered speaker is identified as a registered arbitrary target speaker or a specific target speaker,thereby attacking the speaker verification system and causing huge losses to users.Especially in the past two years,with the development of machine learning and deep learning based on the counterattack,there are more and more kinds of counterattacks,the attack capability is getting stronger and stronger,and the attack method is getting more and more covert,causing the attack to be more and more difficult to defend.Since the current defense methods are insufficient to cope with the endless attacks,there is an urgent need to study new defense means to defend against adversarial attacks.Based on this,this paper proposes three defense strategies,one is a defense strategy based on a fifth-order Butterworth low-pass filter;the second is a defense strategy based on convolutional neural network and quantization anti-quantization;the third is a defense strategy based on multi-headed attention mechanism.(1)Fifth-order Butterworth low-pass filter-based defense strategy.For the problem that the attenuation rate of the third-order Butterworth low-pass filter is not high,it is proposed to improve the attenuation rate by defending the fifth-order Butterworth low-pass filter.According to the critical frequency value set by the filter,the high-frequency signal is filtered or suppressed,and the low-frequency signal is retained to achieve the purpose of reducing the counter disturbance.The experimental results show that the effectiveness of using this defense strategy for fast gradient symbolic method attack defense is 71.3% and for Fake Bob attack defense is 40.1%,which is better than other comparative experiments.(2)Defense strategy based on CNN and quantization inverse quantization.CNN can only do the basic detection of audio,and can not ensure that the detected audio is normal,so on this basis proposed quantization inverse quantization method to pass the detection of audio further processing.Firstly,we use a convolutional neural network to detect the input audio,and if it is detected as a normal sample,then we perform the reduction process of quantization and inverse quantization to further reduce the noise,and then input to the speaker verification system for recognition;if it is confrontation sample,then we remove it directly.(3)Defense strategy based on a multi-headed attention mechanism.For the existing defense means such as random masking,the defense effect against Fake Bob attack is poor.Therefore,this paper proposes a high-frequency component method using masked audio to eliminate artificially added perturbations in the original samples,combined with a multi-headed attention model for audio recovery,and re-input into the ASV system for verification after recovery.The experimental results show that the accuracy of using the high-frequency component of the masked audio combined with the multi-headed attention model to recover the adversarial audio to the original audio reaches 95.9%,which can effectively improve the robustness of the ASV system better than the other two defense methods.