Adversarial Attack and Defense Strategies of Speaker Recognition Systems: A Survey

Round 1

Reviewer 1 Report

###############

Summary:

This work surveys the development of ASV systems (mainstream frameworks, datasets), adversarial attacks (prior knowledge of attacks, perturbation objects, perturbation constraints, and attack effect evaluation), and defenses (adversarial training, attack detection, and input refactoring) for ASV systems. 

###############

Cons: 

Although the proposed method reviews several existing studies, I still suggest the authors conduct the following comments to enhance the quality of the paper: 

(1) It might be valuable to investigate more Victim Models, especially end-to-end ASV models. 

(2) The difference in adversarial attack methodology between the audio and image should be highlighted

(3) The reviewed papers w.r.t. Black-box attacks are not sufficient. 

(4) Threat model of adversarial attack is not well summarized and discussed, especially the capability of the adversary, eg, how they could conduct the perturbation in the real world, is the threat practical, etc. 

(5) Section 3.7.1 is about attacking performance evaluation metrics, is "Attack Capability" the appropriate term?

(6) The defense methodology review part still needs to be improved, and some important methods are missed. For example, high-frequency based, knowledge distillation, model-based, Bayesian model-based, etc.

(7) The discussion about the future direction is necessary for a survey paper. 

(8) There are many existing survey papers about adversarial robustness, including the audio domain. Many papers mentioned in this survey are about the common audio domain, instead of ASV specific. Then what's the novelty of this paper should be highlighted compared to these existing review papers. 

Author Response

Response to Reviewer 1 Comments

Thanks for the valuable suggestions and comments. We respond to the comments point-to-point as follows.

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Dear Authors,

The content of your review fits perfectly within the scope of Electronics journal's "Machine Learning: Practical Applications for Cybersecurity" Special Issue. There is no doubt that the manuscript deserves to be published. One of the reasons for this is that a key research topic involves the security problem of the automatic speaker verification (ASV) technology.

The authors have filled a gap in reviews covering the development of the ASV systems, adversarial attacks and the defence of the ASV systems based on deep learning techniques. It is relevant and interesting.

The above-mentioned goal was based on 133 analysed publications.

The authors have demonstrated that their review is effective for use in a variety of fields, namely remote access control, transport and banking services, and criminal investigations.

The manuscript contains some new data.

The review is presented in logical way and overall written well.

The text is clear and easy to read.

The conclusion is consistent with the evidence and arguments presented and addresses the main question asked. The article makes reference to future research.

 

Comments and Suggestions for Authors

1.      It would be best to clearly identify which of the previous works by all Authors constitute the foundation of the work presented in this article.

2.      The study considered the analysis of three types of attacks on ASV and defense methods from three aspects. What other alternatives were there?

3.     Typos. The following typos are noticed in the article: please make the content of Figures 3, 7-9 more readable.

Author Response

Response to Reviewer 2 Comments

Thanks for the valuable suggestions and comments. We respond to the comments point-to-point as follows.

Please see the attachment.

 

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Most of the comments have been answered. Further proofreading and spellcheck are required.