English

Spoofing attack augmentation: can differently-trained attack models improve generalisation?

Cryptography and Security 2024-01-09 v2 Sound Audio and Speech Processing

Abstract

A reliable deepfake detector or spoofing countermeasure (CM) should be robust in the face of unpredictable spoofing attacks. To encourage the learning of more generaliseable artefacts, rather than those specific only to known attacks, CMs are usually exposed to a broad variety of different attacks during training. Even so, the performance of deep-learning-based CM solutions are known to vary, sometimes substantially, when they are retrained with different initialisations, hyper-parameters or training data partitions. We show in this paper that the potency of spoofing attacks, also deep-learning-based, can similarly vary according to training conditions, sometimes resulting in substantial degradations to detection performance. Nevertheless, while a RawNet2 CM model is vulnerable when only modest adjustments are made to the attack algorithm, those based upon graph attention networks and self-supervised learning are reassuringly robust. The focus upon training data generated with different attack algorithms might not be sufficient on its own to ensure generaliability; some form of spoofing attack augmentation at the algorithm level can be complementary.

Keywords

Cite

@article{arxiv.2309.09586,
  title  = {Spoofing attack augmentation: can differently-trained attack models improve generalisation?},
  author = {Wanying Ge and Xin Wang and Junichi Yamagishi and Massimiliano Todisco and Nicholas Evans},
  journal= {arXiv preprint arXiv:2309.09586},
  year   = {2024}
}

Comments

Accepted to ICASSP 2024

R2 v1 2026-06-28T12:24:29.986Z