时空梯度迭代的声纹对抗攻击算法STI-FGSM  

作　　者：李烁 顾益军[1] 谭昊 LI Shuo;GU Yijun;TAN Hao(College of Information and Cyber Security,People’s Public Security University of China,Beijing 100038,China;Cyberspace Institute of Advanced Technology,Guangzhou University,Guangzhou 510006,China)

机构地区：[1]中国人民公安大学信息网络安全学院,北京100038 [2]广州大学网络空间先进技术研究院,广州510006

出　　处：《计算机工程与应用》2023年第21期151-158,共8页Computer Engineering and Applications

基　　金：公安部科技强警基础工作专项项目(2020GABJC02);中国人民公安大学基本科研业务费项目(2021JKF420)。

摘　　要：为了解决当前声纹对抗攻击算法梯度信息利用不足、迁移性较差等问题,针对说话人识别模型,提出一种时空迭代快速梯度符号法(space-time iterative fast gradient sign method,STI-FGSM)的声纹对抗攻击算法。该算法基于动量迭代快速梯度符号法(momentum iterative fast gradient sign method,MI-FGSM),融合动量和时序梯度信息,使用下一步观测梯度修正扰动更新方向。引入空间梯度信息,充分学习语音样本区域信息,实现不同区域的空间梯度动量累加。结合扰动集成的方法,充分利用已知的白盒模型,实现多模型扰动叠加,进一步提高黑盒攻击成功率。实验结果表明,STI-FGSM算法针对ResNetSE34V2、TDy_ResNet34_half、x-vector、ECAPA-TDNN四种说话人识别模型,均能取得较强的白盒攻击,并实现较高的黑盒攻击成功率,其性能优于其他算法。A space-time iterative fast gradient sign method(STI-FGSM)is proposed for the speaker recognition model in order to solve the problems of insufficient use of gradient information and poor transferability of current voiceprint adver-sarial attack algorithms.The algorithm fuses momentum and timing gradient information firstly based on the momentum iterative fast gradient sign method(MI-FGSM),and uses the next observation gradient to correct the disturbance update direction.Then,the spatial gradient information is introduced to fully learn the region information of the speech samples and realize the accumulation of spatial gradient momentum in different regions.Finally,the perturbation ensemble method is combined to fully use known white-box models to achieve multi-model perturbation ensemble and further improve the black-box attack success rate.The experimental results show that the STI-FGSM algorithm achieves a strong white-box attack and high black-box attack success rate against four speaker recognition models,ResNetSE34V2,TDy_ResNet34_half,x-vector,and ECAPA-TDNN.The performance is better than other algorithms.

关 键 词：说话人识别 对抗攻击 梯度 扰动集成 白盒攻击 黑盒攻击 迁移性 

分 类 号：TN912[电子电信—通信与信息系统]