Abstract
To explore the security threat that adversarial samples pose to end-to-end speaker identification systems and how effective such attacks are, and to compare the strengths and weaknesses of existing adversarial sample generation algorithms in the speech setting, this paper analyzes five white-box algorithms (FGSM, JSMA, BIM, C&W, PGD) and two black-box algorithms (ZOO, HSJA). Each of the seven generation algorithms is used to carry out targeted and non-targeted attacks on end-to-end speaker identification models built on two network structures, ResCNN and GRU, and to produce audio adversarial samples. The attack effect is evaluated with performance indicators such as Attack Success Rate (ASR) and Signal to Noise Ratio (SNR), and a manual concealment test is performed. Experimental results show that the existing adversarial sample generation algorithms can be implemented against end-to-end speaker identification models. Among the white-box algorithms, BIM and PGD perform well. The non-targeted attacks of the black-box algorithms reach the attack effect of the white-box algorithms, while their targeted attack performance still needs improvement.
Authors
LIAO Junfan (廖俊帆)
GU Yijun (顾益军)
ZHANG Peijing (张培晶)
LIAO Qian (廖茜)
College of Information Network Security, People’s Public Security University of China, Beijing 102600, China; Network Information Center, People’s Public Security University of China, Beijing 100038, China
Source
Computer Engineering (《计算机工程》)
CAS
CSCD
Peking University Core Journal (北大核心)
2021, Issue 6, pp. 132-141, 10 pages in total
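Funding
Competitive Selection Project of the Technical Research Program of the Ministry of Public Security (2019JZX009)
Special Project for Public Safety Behavioral Science Research and Technological Innovation of People’s Public Security University of China.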
Keywords
speaker identification
adversarial sample
robustness
adversarial attack
Signal to Noise Ratio (SNR)