ML Security PapersScores Know Bobs Voice: Speaker Impersonation Attack
Chanwoo Hwang 1, Sunpill Kim 1, Yong Kiam Tan 2,3, Tianchi Liu 4, Seunghun Paik 1, Dongsoo Kim 1, Mondal Soumik 2, Khin Mi Mi Aung 2, Jae Hong Seo 1
Published on arXiv
2603.02781
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Subspace-projection-based attack achieves up to 91.65% impersonation success using only 50 score-based queries, with an average 10x reduction in query count versus prior approaches.
Feature-Aligned Inversion Attack
Novel technique introduced
Advances in deep learning have enabled the widespread deployment of speaker recognition systems (SRSs), yet they remain vulnerable to score-based impersonation attacks. Existing attacks that operate directly on raw waveforms require a large number of queries due to the difficulty of optimizing in high-dimensional audio spaces. Latent-space optimization within generative models offers improved efficiency, but these latent spaces are shaped by data distribution matching and do not inherently capture speaker-discriminative geometry. As a result, optimization trajectories often fail to align with the adversarial direction needed to maximize victim scores. To address this limitation, we propose an inversion-based generative attack framework that explicitly aligns the latent space of the synthesis model with the discriminative feature space of SRSs. We first analyze the requirements of an inverse model for score-based attacks and introduce a feature-aligned inversion strategy that geometrically synchronizes latent representations with speaker embeddings. This alignment ensures that latent updates directly translate into score improvements. Moreover, it enables new attack paradigms, including subspace-projection-based attacks, which were previously infeasible due to the absence of a faithful feature-to-audio mapping. Experiments show that our method significantly improves query efficiency, achieving competitive attack success rates with on average 10x fewer queries than prior approaches. In particular, the enabled subspace-projection-based attack attains up to 91.65% success using only 50 queries. These findings establish feature-aligned inversion as a key tool for evaluating the robustness of modern SRSs against score-based impersonation threats.
Key Contributions
- Feature-aligned inversion strategy that geometrically synchronizes the generative model's latent space with the speaker recognition system's discriminative embedding space, ensuring latent updates translate directly into score improvements.
- New subspace-projection-based attack paradigm enabled by the faithful feature-to-audio mapping, previously infeasible without such alignment.
- ~10x query efficiency improvement over prior score-based attacks, achieving 91.65% impersonation success with only 50 queries.
🛡️ Threat Analysis
Proposes a generative adversarial attack that crafts audio inputs to fool speaker recognition systems at inference time via score-based black-box queries — a direct input manipulation/evasion attack where the adversarial goal is causing the SRS to misidentify the speaker.