Multi-layer Feature Augmentation Based Transferable Adversarial Examples Generation for Speaker Recognition

Adversarial examples that almost remain imperceptible for human can mislead practical speaker recognition systems. However, most existing adversaries generated by substitute models have a poor transferability to attack the unseen victim models. To tackle this problem, in this work we propose a multilayer feature augmentation method to improve the transferability of adversarial examples. Specifically, we apply data augmentation on the intermediate-layer feature maps of the substitute model to create diverse pseudo victim models. By attacking the ensemble of the substitute model and the corresponding augmented models, the proposed method can help the adversarial examples avoid overfitting, resulting in more transferable adversarial examples. Experimental results on the VoxCeleb dataset verify the effectiveness of the proposed approach for the speaker identification and speaker verification tasks.