Model Inversion of Voiceprint Recognition Systems Based on the Divide-and-Conquer Method

Abstract

Abstract: Model inversion (MI) is drawing growing attention as a privacy threat: it can reconstruct private data from a recognition or classification model and thereby cause more serious information security problems. Targeting speech information security, this paper makes a first attempt at a new model inversion application: extracting spectrogram features of a speaker's speech from a voiceprint recognition system. To reduce the complexity and error of the inversion process, the model is inverted layer by layer following the divide-and-conquer idea, and under the effective supervision of cycle consistency, inversion samples consistent with the speaker's identity are successfully reconstructed. In addition, owing to the particular nature of speech, the model's feature layers already contain rich speaker information; after the similarity of semantic information is further weakened, the improved method significantly raises the recognition accuracy of the inversion samples, indicating that the inverted spectrograms contain information that effectively represents the speaker's identity. The experimental results demonstrate that model inversion is feasible on spectrogram features and highlight the risk of private information leakage posed by deep network models that extract such speech features.

Key words: model inversion, neural network, voiceprint recognition, spectrogram, information security
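The layer-by-layer strategy described in the abstract can be illustrated with a toy sketch. This is not the authors' implementation: the "model" here is a stack of three small, well-conditioned linear layers, the inverters are plain matrices fitted by gradient descent, and the names `make_layer` and `train_inverter` are hypothetical. It only shows the general shape of the idea: fit one inverter per layer with a reconstruction term plus a cycle-consistency term, then chain the inverters from the last layer back to the input.

```python
import numpy as np

rng = np.random.default_rng(0)
DIM, N = 4, 512  # toy feature size and sample count (assumptions)

def make_layer():
    # Hypothetical stand-in for one layer of a recognition model:
    # a well-conditioned linear map, not the paper's network.
    return np.eye(DIM) + 0.05 * rng.standard_normal((DIM, DIM))

def train_inverter(W, h_in, lam=1.0, lr=0.02, steps=3000):
    """Fit a linear inverter G for the single layer h_out = W @ h_in."""
    h_out = W @ h_in
    n = h_in.shape[1]
    G = np.zeros((DIM, DIM))
    for _ in range(steps):
        rec = G @ h_out - h_in          # reconstruction residual
        cyc = W @ (G @ h_out) - h_out   # cycle-consistency residual
        # Gradient of mean(||rec||^2) + lam * mean(||cyc||^2) w.r.t. G
        grad = 2.0 * (rec + lam * (W.T @ cyc)) @ h_out.T / n
        G -= lr * grad
    return G

layers = [make_layer() for _ in range(3)]
x = rng.standard_normal((DIM, N))  # stand-in for spectrogram feature vectors

# Forward pass, recording the input to every layer.
activations = [x]
for W in layers:
    activations.append(W @ activations[-1])

# Divide: train one inverter per layer, each on that layer's own input.
inverters = [train_inverter(W, h) for W, h in zip(layers, activations[:-1])]

# Conquer: chain the inverters from the last layer back to the input.
x_hat = activations[-1]
for G in reversed(inverters):
    x_hat = G @ x_hat

rel_err = np.linalg.norm(x_hat - x) / np.linalg.norm(x)
print(f"relative reconstruction error: {rel_err:.2e}")
```

Splitting the problem per layer keeps each sub-problem small and easy to fit, which is the motivation the abstract gives for the divide-and-conquer approach. A real voiceprint model has nonlinear layers and would need learned, nonlinear inverters rather than matrices.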


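Zhang Junfei (张骏飞), Zhang Xiongwei (张雄伟), Sun Meng (孙蒙). Model inversion of voiceprint recognition systems based on the divide-and-conquer method[J]. Journal of Information Security Research (信息安全研究), 2024, 10(2): 130-.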

