Research On Defense Against Adversarial Examples Of Speaker Recognition Based On Feature Squeezing And Domain Adaption

Voiceprint is a very effective biometric feature.It is convenient,non-contact and can be obtained remotely.Due to the rapid development of deep learning technology in recent years,speaker recognition has gradually been applied to many commercial scenarios.However,there are still many hidden risks when using it.Some attackers can spoof the automatic speaker recognition system by adding imperceptible noise such attack undoubtedly makes people worry about the reliability of the system.Therefore,this thesis studies two defense methods.The specific research content is as follows:(1)Research on passive defense method based on feature squeezing.Aiming at the problem that the current defense method is computationally expensive and difficult to apply to the system conveniently,this thesis proposes a passive defense method that is based on feature squeezing and the method can be directly deployed in the front end of the system in order to detect the adversarial input.According to the assumption that adversarial perturbation mainly exists in the redundant feature space,two feature squeezing methods,spatial smoothing and bit depth reduction,are designed.These methods not only improve the accuracy of identifying adversarial samples,but also effectively enlarge the difference between adversarial samples and clean ones which realizes the effective detection of adversarial voiceprint samples.(2)Research on proactive defense method based on adversarial domain adaptation.Most current proactive defense methods rely on adversarial samples which require huge cost to attain or generate,meanwhile it is challenging for these methods to defend strange attacks.Thus,this thesis designs an proactive defense method inspired by domain adaptation in transfer learning.In training period,the identity classifier and collaborative domain discriminators are designed to help objective function reduce the identity loss and the adversarial domain discriminator is designed to help objective function increase the domain loss.Thus,the network can learn the domain invariant features under the condition that the overall loss function needs to go down.By comparing with other methods in various datasets,it proves that this method has certain advantages in defending against adversarial attacks.