A fast gray-box adversarial example generation algorithm based on FakeBob

Jia Zheng, Wanjin Hou, Hua Zhang, Ming Lv, Huiyu Zhou

High-Confidence Computing ›› 2026, Vol. 6 ›› Issue (1) : 100337


Abstract

Generating gray-box adversarial examples for speaker recognition systems requires an excessive number of queries to the targeted model, which results in high attack costs. In this paper, a fast gray-box adversarial example generation algorithm based on FakeBob, named F-FakeBob, is proposed. The algorithm introduces a threshold mechanism into the gradient optimization strategy: the gradient is recalculated for the next iteration only when the increase in the adversarial example's confidence score before and after an optimization step is less than the threshold. Reducing the frequency of gradient calculations decreases the number of queries to the targeted system. Adversarial examples are generated in experiments on three public speech datasets: TIMIT, Common Voice, and VoxCeleb2. The targeted speaker recognition models are based on the ECAPA-TDNN and TitaNet architectures. The experimental results show that F-FakeBob achieves a targeted attack success rate of 99.2% and effectively reduces the number of queries needed to generate adversarial examples, with an average query reduction of 25.71% compared to FakeBob.

Keywords

Gray-box adversarial example generation / Speaker recognition / Gradient optimization
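
The threshold rule described in the abstract, as an added illustration that is not the paper's code: a synthetic two-dimensional score function stands in for the target model so that the query accounting is visible. The finite-difference gradient estimator, step size, threshold value and all names are assumptions made for this example.

```python
# Added illustration: a synthetic score oracle, not a speaker recognition model.
W = (1.0, 2.0)        # constructed curvature weights of the toy score
TARGET = (3.0, 1.0)   # constructed point where the toy score peaks


class Oracle:
    """Black-box score function that counts every query it answers."""

    def __init__(self):
        self.queries = 0

    def score(self, x):
        self.queries += 1
        return -sum(w * (xi - t) ** 2 for w, xi, t in zip(W, x, TARGET))


def estimate_gradient(oracle, x, h=1e-3):
    """Central finite differences (assumed estimator): 2 * len(x) queries."""
    grad = []
    for i in range(len(x)):
        hi, lo = list(x), list(x)
        hi[i] += h
        lo[i] -= h
        grad.append((oracle.score(hi) - oracle.score(lo)) / (2 * h))
    return grad


def optimise(threshold, lr=0.1, goal=-0.01, max_iter=200):
    """threshold=None re-estimates the gradient every iteration (baseline);
    otherwise the gradient is reused until a step gains less than threshold."""
    oracle, x = Oracle(), [0.0, 0.0]
    prev = oracle.score(x)
    grad, grads = None, 0
    for _ in range(max_iter):
        if grad is None:
            grad, grads = estimate_gradient(oracle, x), grads + 1
        x = [xi + lr * g for xi, g in zip(x, grad)]
        new = oracle.score(x)
        if new >= goal:
            return {"success": True, "queries": oracle.queries, "gradients": grads}
        if threshold is None or new - prev < threshold:
            grad = None  # gain below threshold: re-estimate before the next step
        prev = new
    return {"success": False, "queries": oracle.queries, "gradients": grads}


if __name__ == "__main__":
    print("baseline:", optimise(threshold=None))
    print("reuse:   ", optimise(threshold=0.01))
```

Each gradient estimate costs four queries here while each step costs one, so the saving comes entirely from the estimates that the threshold rule skips.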

Cite this article

Jia Zheng, Wanjin Hou, Hua Zhang, Ming Lv, Huiyu Zhou. A fast gray-box adversarial example generation algorithm based on FakeBob. High-Confidence Computing, 2026, 6(1): 100337 DOI:10.1016/j.hcc.2025.100337


CRediT authorship contribution statement

Jia Zheng: Writing - original draft. Wanjin Hou: Project administration. Hua Zhang: Writing - review & editing. Ming Lv: Writing - review & editing. Huiyu Zhou: Writing - review & editing.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (Grant Nos. 62472047, 62072051).
