E2e-vguard Prevents Adversarial Attacks on End-to-end Speech Synthesis Leveraging Large Language Models and Automatic Speech Recognition

The increasing prevalence of realistic speech synthesis, while enhancing many applications, creates new opportunities for malicious activity such as voice-cloning fraud. Zhisheng Zhang, Derui Wang, and Yifan Mi, alongside colleagues at their institutions, address this growing security risk with a novel defence framework called E2E-VGuard. This system proactively protects against attacks targeting both established and emerging end-to-end speech synthesis technologies, including those powered by large language models and reliant on automatic speech recognition. E2E-VGuard uniquely safeguards both the distinctive vocal quality, or timbre, and the clarity of pronunciation, while ensuring any protective modifications remain imperceptible to listeners. Extensive testing across a range of open-source and commercial systems, and validation in real-world scenarios, demonstrates the effectiveness of this approach in bolstering the security of increasingly sophisticated speech synthesis technologies.

Defending Speech Synthesis From Subtle Attacks

This research introduces E2E-VGuard, a novel defense mechanism protecting end-to-end (E2E) speech synthesis systems from adversarial attacks. The approach addresses a critical vulnerability in modern speech technologies where subtle alterations to input data can drastically change the synthesized output, effectively safeguarding synthesized speech against manipulations that could render it unintelligible or mispronounced while maintaining acceptable audio quality and clarity. E2E-VGuard proactively introduces carefully crafted perturbations to the training data before the synthesis model learns, making it more resilient to future attacks. These perturbations are designed to be imperceptible to human listeners, yet effectively disrupt an attacker’s ability to manipulate the synthesized speech, significantly increasing the difficulty of successfully attacking the system as measured by a higher Word Error Rate. Objective metrics and subjective human listening tests demonstrate that the introduced perturbations remain largely undetectable, with acceptable Mean Opinion Scores confirming the preservation of audio quality. The defense proves effective against a variety of automatic speech recognition (ASR) models, including the advanced Whisper-large-v3, and performs well on both English and Mandarin datasets, with human listening tests confirming protected audio is perceived as less intelligible and more difficult to align with the original text.

End-to-End Voice Cloning Threat Defence Framework

Researchers have pioneered E2E-VGuard, a proactive defense framework designed to secure speech synthesis against both large language model (LLM)-based attacks and emerging threats arising from end-to-end (E2E) fine-tuning scenarios. Addressing the increasing reliance on automatic speech recognition (ASR) systems for generating transcripts in E2E systems, a common practice in commercial voice cloning APIs, E2E-VGuard disrupts both the timbre, the unique characteristics of a voice, and the pronunciation of synthesized speech. To protect timbre, the team engineered an untargeted and targeted speaker protection mechanism utilizing an ensemble of encoders coupled with a feature extractor, effectively creating dissimilar synthetic speech to safeguard speaker identification. For pronunciation defense, scientists generated adversarial examples, carefully crafted audio perturbations designed to mislead the ASR system, causing it to incorrectly recognize text and disrupt the learning process of the speech synthesis model. To ensure these perturbations remain imperceptible to human listeners, the study incorporated a psychoacoustic model, carefully limiting the perturbation within a specific frequency domain and minimizing audible distortion. Comprehensive evaluation involved experiments across both English and Chinese datasets, testing E2E-VGuard’s effectiveness on sixteen open-source models, three commercial APIs, and seven distinct ASR systems, demonstrating its resilience against sophisticated data augmentation techniques and perturbation removal methods.

End-to-End Voice Cloning Defence Framework Developed

Recent advances in speech synthesis have enabled remarkably human-like audio, but also introduce security vulnerabilities like voice cloning fraud. Researchers have developed E2E-VGuard, a proactive defense framework designed to protect against both large language model (LLM)-based synthesis and emerging end-to-end (E2E) scenarios where automatic speech recognition (ASR) generates transcripts, addressing a critical gap in existing defenses which often assume manually annotated transcripts. The core of E2E-VGuard lies in disrupting both the timbre, the unique characteristics of a voice, and the pronunciation of synthesized speech. To protect timbre, the team employed an ensemble of encoders coupled with a feature extractor, generating audio features that result in dissimilar synthetic speech, effectively safeguarding speaker identification.

For pronunciation, the system generates adversarial examples, subtly altered audio, designed to mislead the ASR system, disrupting the learning process of the text and pronunciation within the speech synthesis model. To ensure these perturbations remain undetectable to human listeners, the researchers incorporated a psychoacoustic model, carefully controlling the frequency domain of the added noise. Comprehensive evaluations across both English and Chinese datasets demonstrate E2E-VGuard’s effectiveness, with experiments involving sixteen open-source and three commercial speech synthesis models, alongside seven ASR systems, confirming the framework’s transferability and robustness.

Speech Synthesis Safeguarding Via Adversarial Defence

E2E-VGuard presents a proactive defense framework addressing security vulnerabilities in both established and emerging speech synthesis technologies, including those reliant on large language models and automatic speech recognition. The research successfully demonstrates the ability to protect against malicious exploitation of speech synthesis by safeguarding both timbre, the unique characteristics of a voice, and pronunciation, achieved through an encoder ensemble that preserves vocal qualities, combined with adversarial examples designed to disrupt automatic speech recognition systems, and a psychoacoustic model ensuring imperceptible perturbations to the audio. Evaluations across sixteen open-source synthesizers and three commercial APIs, utilising both English and Chinese datasets, confirm the effectiveness of E2E-VGuard in preserving both timbre and pronunciation, with the multi-encoder framework enhancing the system’s ability to function effectively across different speech synthesis models, improving its overall transferability. While the research demonstrates robust performance, the authors acknowledge limitations related to the complexity of real-world deployment and the potential for adaptive attacks, with future work planned to explore methods to further refine the imperceptibility of perturbations and enhance the system’s resilience against increasingly sophisticated adversarial strategies. The team also plans to investigate the system’s performance across a wider range of languages and acoustic conditions, and to address the challenges of maintaining security in dynamic and evolving speech synthesis landscapes.