Efficient Black-Box Adversarial Attacks with Training Surrogate Models Towards Speaker Recognition Systems

Speaker Recognition Systems (SRSs) are gradually introducing Deep Neural Networks (DNNs) as their core architecture, while attackers exploit the weakness of DNNs to launch adversarial attacks. Previous studies generate adversarial examples by injecting the human-imperceptible noise into the gradients of audio data, which is termed as white-box attacks. However, these attacks are impractical in real-world scenarios because they have a high dependency on the internal information of the target classifier. To address this constraint, this study proposes a method applying in a black-box condition which only permits the attacker to estimate the internal information by interacting with the model through its inputs and outputs. We use the idea of the substitution-based method and transfer-based method to train various surrogate models for imitating the target models. Our methods combine the surrogate models with white-box methods like Momentum Iterative Fast Gradient Sign Method (MI-FGSM) and Enhanced Momentum Iterative Fast Gradient Sign Method (EMI-FGSM) to boost the performance of the adversarial attacks. Furthermore, a transferability analysis is conducted on multiple models under cross-architecture, cross-feature and cross-architecture-feature conditions. Additionally, frequency analysis also provides us with valuable findings about adjusting the parameters in attack algorithms. Massive experiments validate that our attack yields a prominent performance compared to previous studies.