Generalized Spoof Detection and Incremental Algorithm Recognition for Voice Spoofing

Abstract

Highly deceptive deepfake technologies have caused much controversy, e.g., artificial intelligence-based software can automatically generate nude photos and deepfake images of anyone. This brings considerable threats to both individuals and society. In addition to video and image forgery, audio forgery poses many hazards but lacks sufficient attention. Furthermore, existing works have only focused on voice spoof detection, neglecting the identification of spoof algorithms. It is of great value to recognize the algorithm for synthesizing spoofing voices in traceability. This study presents a system combining voice spoof detection and algorithm recognition. In contrast, the generalizability of the spoof detection model is discussed from the perspective of embedding space and decision boundaries to face the voice spoofing attacks generated by spoof algorithms that are not available in the training set. This study presents a method for voice spoof algorithms recognition based on incremental learning, taking into account data flow scenarios where new spoof algorithms keep appearing in reality. Our experimental results on the LA dataset of ASVspoof show that our system can improve the generalization of spoof detection and identify new voice spoof algorithms without catastrophic forgetting.

1. Introduction

In recent years, the development of deep learning and the emergence of deep neural networks have lowered the threshold for voice spoofs. This has led to spoofing attacks against automatic speaker verification, increasing security concerns, because voice spoofing poses a severe threat to basic applications of automatic speaker verification, such as phone unlocking and WeChat authentication. These attacks mainly include imitation (mimicry or twinning), replay (prerecorded audio), text-to-speech (converting text to spoken language), and voice conversion (converting voice from the source speaker to the target speaker) [1,2]. Synthetic speech attacks, including text-to-speech (TTS) and voice conversion (VC), pose an increasing threat to speaker verification systems owing to the rapid development of speech synthesis technologies [3,4].

It is essential to develop independent spoof detection modules to counteract the harm of speech attacks on speaker verification systems. The ASVspoof challenge [2,5,6] has provided datasets and metrics for anti-spoofing speaker verification research. Most traditional approaches rely on feature engineering, such as the Linear Frequency Cepstral Coefficient (LFCC), Constant Q Cepstral Coefficient (CQCC), and Mel Frequency Cepstral Coefficient (MFCC), which have yielded promising results in voice spoof detection. However, the generalization of these manual features is relatively poor, and it is difficult to cope with the rapid development of deep learning techniques. Zhang et al. [7] studied deep learning models for spoof detection and demonstrated that a combination of convolutional neural networks (CNN) and recurrent neural networks (RNN) could improve the robustness of the system. Gomez-Aranes et al. [8] used a lightweight convolutional gated RNN architecture to improve the long-term dependence on spoof detection. Wu et al. [9] proposed a lightweight CNN system based on feature generation, outperforming other single systems in detecting synthetic attacks. Although these methods have shown excellent results in detecting existing spoof voices, they are difficult to generalize in voice attacks generated by spoof algorithms unavailable in the training set. The reason is that they are implemented assuming that the training and test data have the same or similar distributions.

However, new spoofing methods have evolved, and the distribution of the new voice spoofing samples may be quite different from that of the voice spoofing data used for training. This difference causes the previously trained model to be useless for such spoofing samples. To improve the generalizability of the trained spoof detection model, a transfer learning method called domain adaptation can adapt the trained model to new spoofing voices. However, domain adaptation has a limitation when the distributions of the source and target domains have a large gap. We often have adequate data on real voices, which is not significantly affected by time. Therefore, we can use a one-class classification approach [10] to solve the distribution mismatch problem when classifying sounds. Real voices belong to a target class which distribution can be fully trained. In contrast, spoof voices belong to a non-target class which samples do not exist in the training set or are not statistically representative.

Moreover, most research has focused only on the authenticity of the voice while ignoring the synthesis algorithms behind it. This study focuses on both voice attack detection and voice spoof algorithm recognition. The real voice is distinguished from the voice generated by the TTS and VC algorithms, and then, the voice that is judged to be the spoof is further identified from the spoof algorithm. Voice spoof algorithm recognition can be considered a multi-classifier. As spoof algorithms are continuously proposed, the classifier is either retrained on an increasingly large training set or fine-tuned. The former solution is infeasible, as the data grows sequentially. The latter may encounter a well-known phenomenon known as catastrophic forgetting [11], which brings about a broken loop in the knowledge learned during previous training. Incremental learning [12] is considered a strategy for overcoming the problems of excessive storage and catastrophic forgetting while fully considering the data flow scenarios where new spoof algorithms continue to appear.

This study proposes a voice spoof detection and recognition system that includes two modules: a voice spoof detection module and a voice spoof algorithm recognition module. The first module focuses on the generalizability of spoof detection. In the second module, a method capable of classifying the voice generated by new spoof algorithms is proposed without degrading the recognition accuracy of previous spoof algorithms.

The contributions of this paper can be summarized as follows.

(1)

The generalizability of the spoof detection model is discussed from the perspective of the embedding space and decision boundaries. The embedding space of real voices is compactly distributed, whereas that of the spoofing voices is more dispersed. A highly generalized decision boundary is learned to maintain them at a certain distance from each other.

(2)

A method for voice spoof algorithm recognition based on incremental learning is presented, which can adapt to the feature distribution of the new algorithms for spoofing voices without having an excessive impact on the feature distribution of the old algorithms.

(3)

A system combining spoof detection and algorithm recognition is first proposed, which facilitates the traceability of spoofing voices by implementing spoof algorithm recognition following detection. The experimental results demonstrate the effectiveness of the proposed system.

2. Related Work

2.1. Domain Adaptation

Domain adaptation is one of the most popular branches of transfer learning, which improves the performance of a model on a test dataset using the knowledge gained from training on the training dataset. There are two fundamental concepts in domain adaptation: the source and target domains. The source domain is valuable in supervised learning information. The target domain represents the domain in which the test set is located, typically without labels or containing only a few labels. The source and target domains are often the same task types but with different distributions. The current deep domain adaptive algorithms mainly focus on learning a region’s invariant space by shared feature extraction of the source and target data. To measure the difference in the distribution of features between two regions, existing research has utilized different measures for domain adaptation, such as the maximum mean difference (MMD), different orders of statistical moments of the distribution, adversarial learning, and conditional adversarial learning [13,14]. Mesay et al. [15] applied the same model to two image datasets with different distributions using a domain adaptation method and obtained good performance. Claudia et al. [16] used a domain adaptation method to classify unavailable ground truth images by using different but related images.

2.2. One-Class Learning Method

A one-class classification was developed for abnormal detection. It considered only the similarity or resemblance between the input samples and the existing samples, whereas samples of abnormal types were uniformly excluded. The key idea of a one-class classification approach is to capture the target class distribution and set strict classification boundaries around it to place all non-target data outside the boundaries. Alegre et al. [17] demonstrated the potential of a one-class classification approach using a one-class support vector machine (OC-SVM) trained only with a real voice. A feature space was learned using a one-class softmax loss function [18] to classify the local binary patterns of Cepstral voices without using forged audio samples.

2.3. Prototype Learning

A prototype represents the average or best example of a category and can provide a concise representation of all the classified examples. In addition, Ref. [19] proposed storage space-saving learning vector quantization (LVQ) to improve the efficiency of KNN operations. LVQ has been studied in many studies, with many variations. In most previous studies, prototypes were learned by optimizing customized object functions [20]. Researchers have added prototype learning based on probabilistic models and neural networks to the classification process in recent years. In [21], the authors expressed input instances using K-dimensional vectors with a probabilistic mixture of components and parameterized K-type prototypes using probabilistic models. A set of prototypes was proposed to make explanatory neural network predictions based on the inputs’ similarity to a set of learned prototypes [12]. In this study, we not only optimized the classification prototypes but also focused on the use of tight and separable feature representations within and between classes. This makes incremental learning more discriminative and robust.

2.4. Incremental Learning

Incremental learning is often used in data flow scenarios where new classes continue to appear. In most examples, only a small number of classes are available initially, and new classes emerge. Studies on incremental learning have a long history in machine learning and artificial intelligence (AI). Some past works, such as [22,23,24,25], focused on continuously updating the training set with data obtained from new classes. These approaches are characterized by (i) being limited to a fixed feature representation for learning or (ii) continuously preserving data from new categories to retrain the model. However, their biggest drawback is that the number of parameters increases rapidly with the total computational resources. In addition, this approach requires more space to store the initial training set and new class samples; however, this is not applicable in practice. This study focused on storing training instances and updating feature representations during incremental learning.

3. Voice Spoof Detection and Algorithm Recognition System

The framework of our system is shown in Figure 1.

To prevent voice spoof detection and spoof algorithm identification from interfering with each other, we divided them into two separate modules. First, we input the test voice into the voice spoof detection module to identify the authenticity of the voice. If the judgment was true, the test was completed. If the voice was judged to be spoofed, it was input into the voice spoof algorithm recognition module for spoof algorithm recognition.

The following section describes the methods used in these two modules. Section 3.1 describes the methods for detecting the authenticity of a voice, and Section 3.2 gives the recognition methods used for the voice spoof algorithm in incremental scenarios.

3.1. Generalized Voice Spoof Detection

3.1.1. Domain Adaptation Based on Decision Boundary Maximization

The domain-adaptive approach utilizes two types of networks: task-specific classifiers and feature mappers. To find the target samples near the decision boundary, two independent classifiers were introduced. The features were obtained from the mappers using both classifiers, and an attempt was made to classify the source samples correctly. This is shown in Figure 2a.

The different distributions of the source and target domains lead to differences in the classification results of the two classifiers for the target samples near the decision boundary, and they cannot be correctly classified for these samples. Adversarial learning methods were introduced for the samples that could not be correctly classified near the decision boundary. First, a task-specific classifier was used to maximize the decision boundary to increase the difference in the results between the two classifiers, as shown in Figure 2b. Then, a mapper was used to produce a better mapping effect to reduce the difference, as shown in Figure 2c. Thus, by considering the relationship between the target samples and task-specific decision boundaries, it is possible to make the model learned on the training set applicable to different distributions of faked audio in the test set. The specific procedure is as follows.

Phase 1: As shown in Figure 2a, shadows are generated, allowing different feature representations to be learned by different classifiers. The goal was to maximize the shaded area.

Phase 2: As shown in Figure 2b, the classifiers are maximized. The shading is more significant at this point. Therefore, the goal was to reduce the divergence between the two classifiers by extracting better features.

Phase 3: The divergence is minimized, as shown in Figure 2c. At this point, the shadows are almost nonexistent, but the problem is that there is still some compactness in the decision boundary. These features might not be robust, so alternating optimization with the previous stage continued.

Phase 4: The final goal of the alternate optimization is shown in Figure 2d. At this point, shadows do not exist, and the decision boundary is more robust.

This study constructed two classifiers as discriminators using the dropout regularization method for the primary classifier [26]. The other represents the difference between the two classifiers based on the symmetric Kullback–Leibler (KL) scatter. The procedure is as follows: the features $\mathrm{G}\left({\mathrm{x}}_{\mathrm{t}}\right)$ obtained from feature mapper G are fed to classifier network C twice. A different node was removed each time to obtain two different output vectors. These are denoted as ${\mathrm{C}}_1\left(\mathrm{G}\left({\mathrm{x}}_{\mathrm{t}}\right)\right) \mathrm{and} {\mathrm{C}}_2\left(\mathrm{G}\left({\mathrm{x}}_{\mathrm{t}}\right)\right)$, respectively. The corresponding posterior probabilities are denoted as ${\mathrm{p}}_1\left(\left.\mathrm{y}\right|\mathrm{x}\right)$ and ${\mathrm{p}}_2\left(\left.\mathrm{y}\right|\mathrm{x}\right)$ and abbreviated as ${\mathrm{p}}_1$ and ${\mathrm{p}}_2$ below. The discriminator then attempts to increase the difference between the predictions of ${\mathrm{C}}_1$ and ${\mathrm{C}}_2$. This difference corresponds to the discriminator’s sensitivity to noise, measured using the symmetric KL scatter between the two obtained probability outputs $\mathrm{d}\left({\mathrm{p}}_1,{\mathrm{p}}_2\right)$, and the scatter is calculated as

$$\mathrm{d}\left({\mathrm{p}}_1,{\mathrm{p}}_2\right)=\frac{1}{2}\left({\mathrm{D}}_{\mathrm{kl}}\left({\mathrm{p}}_1{|\mathrm{p}}_2\right)+{\mathrm{D}}_{\mathrm{kl}}\left({\mathrm{p}}_2{|\mathrm{p}}_1\right)\right)$$

(1)

where ${\mathrm{D}}_{\mathrm{kl}}(\mathrm{p}|\mathrm{q})$ denotes the KL scatter between $\mathrm{p}$ and $\mathrm{q}$.

However, the decision boundaries obtained from such adversarial training methods were still set for the training data. Therefore, the decision boundary set for the voice spoofing samples in the embedding space might be too compact. This led to difficulties for the model in defending against unseen voice spoofing attacks. Therefore, we introduced a one-class learning method. It set decision boundaries for real data and forged data separately, which improved the model’s defense against unseen voice spoofing attacks.

3.1.2. Domain Adaptation Based on Decision Boundary Maximization

During model inference, the voice spoof detection task may encounter many voice samples of unknown attack types. The types of voice attacks included in the training set are often limited. This leads to an extreme mismatch between the data feature distributions of the training and test sets for the spoofing samples. Suppose the voice identification spoof problem is viewed purely as a dichotomous classification problem. In that case, when the model is inferred, the model tends to have a degraded performance when faced with many new samples. This one-classification task scenario is well suited to the idea of one-class classification.

The traditional voice spoof detection task uses a binary classification loss function expressed as

$$\mathrm{L}=-\frac{1}{\mathrm{M}}{\sum }_{\mathrm{i}=1}^{\mathrm{M}}\log \frac{{\mathrm{e}}^{{\omega }_{{\mathrm{label}}_{\mathrm{i}}}^{\mathrm{T}}\ast {\mathrm{x}}_{\mathrm{i}}}}{{\mathrm{e}}^{{\omega }_{{\mathrm{label}}_{\mathrm{i}}}^{\mathrm{T}}{\ast \mathrm{x}}_{\mathrm{i}}}+{\mathrm{e}}^{{\omega }_{1-{\mathrm{label}}_{\mathrm{i}}}^{\mathrm{T}}{\ast \mathrm{x}}_{\mathrm{i}}}}$$

(2)

where ${\mathrm{x}}_{\mathrm{i}}\in {ℝ}^{\mathrm{D}}$ is the embedding vector of the $\mathrm{ith}$ voice sample, and ${\mathrm{label}}_{\mathrm{i}}\in \left\{0, 1\right\}$ is the corresponding label. AM-Softmax introduces an angular margin into the traditional binary loss function. The distances between the data within each class are minimized while maximizing the distance between the target and non-target classes. The decision boundary was made to be more compact. AM-Softmax is expressed as follows:

$$\begin{gathered} \mathrm{L}=-\frac{1}{\mathrm{M}}{\sum }_{\mathrm{i}=1}^{\mathrm{M}}\log \frac{{\mathrm{e}}^{\mathsf{\xi }\left({\hat{\omega }}_{{\mathrm{label}}_{\mathrm{i}}}^{\mathrm{T}}{\ast \hat{\mathrm{x}}}_{\mathrm{i}}-\mathrm{m}\right)}}{{\mathrm{e}}^{\mathsf{\xi }\left({\hat{\omega }}_{{\mathrm{label}}_{\mathrm{i}}}^{\mathrm{T}}{\ast \hat{\mathrm{x}}}_{\mathrm{i}}-\mathrm{m}\right)}+{\mathrm{e}}^{{\mathsf{\xi }\hat{\omega }}_{1-{\mathrm{label}}_{\mathrm{i}}}^{\mathrm{T}}{\ast \hat{\mathrm{x}}}_{\mathrm{i}}}} \\ =\frac{1}{\mathrm{M}}{\sum }_{\mathrm{i}=1}^{\mathrm{M}}\log \left(1+{\mathrm{e}}^{\mathsf{\xi }{\left(\mathrm{m}-\left({\hat{\omega }}_{{\mathrm{label}}_{\mathrm{i}}}-{\hat{\omega }}_{1-{\mathrm{label}}_{\mathrm{i}}}\right)\right)}^{\mathrm{T}}{ \hat{\mathrm{x}}}_{\mathrm{i}}}\right) \end{gathered}$$

(3)

where $\mathsf{\xi }$ denotes the scaling factor, m is the cosine similarity margin, and $\hat{\omega }$ and $\hat{\mathrm{x}}$ are the normalized $\omega$ and $\mathrm{x}$, respectively. It can be seen from the equation that the embedding vectors of both the target and non-target classes tend to converge in two opposite directions, i.e., ${\omega }_0-{\omega }_1$ and ${\omega }_1-{\omega }_0$, respectively, where ${\omega }_0$is the target class represented by the real voice and ${\omega }_1$ is the non-target class represented by the spoofing voice. For AM-Softmax, the embedding features of both the target and non-target classes were set to the same angular margin as $\mathrm{m}$.

In a realistic scenario, because the feature distribution of the non-target class, the spoofing voice, differs significantly from that of the target class, training the same decision boundary for both often results in overfitting the model to known attack types in the training set. Therefore, we considered introducing different angular margins $\mathrm{m}$ for the real and spoofing samples. Different decision bounds were trained to identify real voice samples better and isolate voice spoofing samples. The designed loss function is expressed as follows:

$${\mathrm{L}}_{\mathrm{oc}}=\frac{1}{\mathrm{M}}{\sum }_{\mathrm{i}=1}^{\mathrm{M}}\log (1+{\mathrm{e}}^{\mathsf{\xi }\left({\mathrm{m}}_{{\mathrm{label}}_{\mathrm{i}}}-{ \hat{\omega }}_0{ \hat{\mathrm{x}}}_{\mathrm{i}}\right){\left(-1\right)}^{{\mathrm{label}}_{\mathrm{i}}}})$$

(4)

In OC-Softmax, only one weight ${\omega }_0$ is used, representing the optimization direction of the target class embedding vector. Both are normalized similarly to AM-Softmax. We then introduced two different angular residuals ${\mathrm{m}}_0$,${\mathrm{m}}_1$∈ [−1, 1] for the classification of real voices and spoofing voices, respectively, where ${\mathrm{m}}_0>{\mathrm{m}}_1$.

As shown in Figure 3, there is only one ${\omega }_0$ weight in OC-Softmax, indicating the convergence direction of the target class of the real voice. The angle between ${\omega }_0$ and voice feature vector ${\mathrm{x}}_{\mathrm{i}}$ is denoted by ${\mathsf{\theta }}_{\mathrm{i}}$. When ${\mathrm{label}}_{\mathrm{i}}$ = 0, the sample is the target class, and the decision boundary is constrained by setting ${\mathrm{m}}_0$ so that ${\mathsf{\theta }}_{\mathrm{i}}$has to be smaller than $\arccos {\mathrm{m}}_0$. When the value of $\arccos {\mathrm{m}}_0$ is small, the target class can be concentrated around the weight vector ${\omega }_0$, thereby making the feature distribution of the real voice sample more compact and concentrated. When ${\mathrm{label}}_{\mathrm{i}}$ = 1, set ${\mathrm{m}}_1$ so that ${\mathsf{\theta }}_{\mathrm{i}}$ is greater than $\arccos {\mathrm{m}}_1$. When the value of $\arccos {\mathrm{m}}_1$ is larger, the data of the non-target class can be moved away from the direction of ${\omega }_0$. Thus, the purpose of training different decision boundaries for the target class and non-target class samples is achieved.

3.2. Incremental Spoof Algorithms Recognition

Spoof algorithm identification is essentially a multi-classification problem. The difficulty is that the model must be updated, as spoof algorithms are continuously proposed in reality, which often faces the problem of over-storage or catastrophic forgetting. For this reason, we construct a sparser embedding space using a prototype so that the appearance of new classes does not have an outsized impact on the old ones. This allows the system to adapt to incremental spoofing algorithm recognition.

3.2.1. Prototype Learning

The purpose of voice spoof algorithm recognition is to extract the feature representation of the voice. In turn, the spoof algorithm used for the voice is determined. The objective of this task is expressed as follows:

$$\mathrm{y}=\mathrm{f}\left(\mathrm{x},\mathsf{\theta }\right)$$

(5)

where $\mathsf{\theta }$ is the model parameter, and $\mathrm{y} \in \left\{1,2, \dots , \mathrm{C}\right\}$ denotes the spoof algorithm class label. Unlike the traditional ResNet, which uses softmax layers to perform linear classification on the learned features, we learn multiple prototypes of the features of each class by maintaining them. The classification was performed using prototype matching, as shown in Figure 4. The prototypes are represented as $m_{i,j}$, where $i \in \left\{1,2,\dots ,C\right\}$ denotes the index of the class, and $j \in \left\{1,2,\dots ,K\right\}$ denotes the index of the prototype in each class. Here, we assume that each class contains the same number of $K$ prototypes. The ResNet feature extractor $f\left(x,\theta \right)$ and prototypes $\left\{m_{i,j}\right\}$ are jointly trained from the data. In the classification phase, we classify the objects by prototype matching, i.e., we find the nearest prototype based on Euclidean distance. The prototype class is assigned to a specific object. It is expressed as

$$x\in y \arg \begin{array}{c}C\\ max\\ i=1\end{array}{g}_i\left(x\right)$$

(6)

where $g_i\left(x\right)$ is the discriminant function for class $i$:

$$g_i\left(x\right)=-\begin{array}{c}K\\ min\\ j=1\end{array}\parallel f\left(x;\theta \right)-m_{i,j}{||}_2^2$$

(7)

For this purpose, the probability of a sample assigned to each category by using the distance of the sample from the prototype is expressed as

$$p\left(x\in m_{i,j}|x\right)=\frac{e^{-d\left(f\left(x\right),m_{i,j}\right)}}{{\sum }_{k=1}^C{\sum }_{i=1}^K{e}^{-d\left(f\left(x\right),m_{k,j}\right)}}$$

(8)

where $d\left(f\left(x\right),m_{i,j}\right)=\parallel f\left(x;\theta \right)-m_{i,j}{\parallel }_2^2$. Then, the objective function can be expressed as

$$los{s}_1=-\log ({{\displaystyle \sum }}_{j=1}^{K}p\left(x\in m_{i,j}|x\right))$$

(9)

Direct minimization of the classification loss may lead to overfitting. To avoid this, prototype loss is added as a regularization to improve the model’s generalization ability. The so-called prototype loss—that is, the loss centered on the centroid of the subclasses—is used to determine the class to which the input $x$ belongs to. Then, its decision boundary is the location where the distances to the centers of the subclasses of two adjacent classes are equal. It can be expressed as

$$los{s}_2\left(\left(x,y\right);\theta ,M\right)=\parallel f\left(x\right)-m_{y,j}{\parallel }_2^2$$

(10)

where$m_{y,j}$ is the prototype closest to $f\left(x\right)$ in the corresponding class $y$. A relatively sparse feature space was obtained, which later facilitated incremental learning.

3.2.2. Incremental Learning Module

Voice spoof algorithms are constantly evolving and constantly updating the dataset over time. Therefore, the model cannot initially include all voice spoof algorithm data. The incremental learning module enables the model to continuously learn new voice spoof algorithms through prototypes and example sets, avoiding the need for the model to retrain all the data and saving a significant amount of training time.

As shown in Figure 5, the model learns the prototype at the $\left(t-1\right)$th iteration stage and saves a small number of examples for each classification algorithm. At the $t$th iteration learning, the model adds $n$ classes of prototypes to the $\left(t-1\right)$th iteration prototypes, each containing identical $K$ prototypes, based on the number $n$ of voice spoof algorithm types used in the newly added dataset. The model is then trained on the new voice spoofing dataset and the example set.

The amount of data stored in each class in the example set is much smaller than in the new voice spoofing training set. Therefore, the model suffers from a data imbalance during training. For this reason, we added different weights to each category when calculating the loss of each category based on the number of examples saved in the old category and the number of voices generated by the spoof algorithm in each of the new datasets. Thus, the impact on the recognition results due to data imbalance is reduced. The representation is as follows:

$$loss\left(x,y\right)=weight\left[y\right]\left(-x\left[y\right]+\log \left({\sum }_j\exp \left(x\left[j\right]\right)\right)\right)$$

(11)

where $y\in \left\{1,2,\dots ,C\right\}$ denotes the classification labels, and weight denotes the loss weights for each category.

Thus, the total loss function of the incremental learning module is denoted as

$$los{s}_{total}=w_1\ast los{s}_1+w_2\ast los{s}_2+los{s}_3$$

(12)

where $w_1$ and $w_2$ are the weight parameters set to 0.1 and 0.01, respectively, in our experiments. $los{s}_3$ is the cross-entropy loss function for classification used to train the classification ability of the neural network, denoted as

$$los{s}_3=-\frac{1}{S}{\sum }_{i=1}^S\left[y_i\ast \log \left(softmax\left(f_i\right)\right)\right]$$

(13)

where $S$ is the batch size, and $f_i$ is the feature of the $i$th sample in the batch.

4. Experimental Methods

4.1. Dataset

The ASVspoof 2019 challenge provides a standard database for anti-spoofing [27]. The LA subset of the provided dataset includes a real voice and different types of TTS and VC spoofing attacks. The training and development sets share the same six attacks (A01–A06), including four TTS and two VC algorithms. In the evaluation set, there are 11 unknown attacks (A07–A15, A17, and A18), including combinations of different TTS and VC attacks. The evaluation set also includes two attacks (A16 and A19) that use the same algorithms as the two attacks in the training set (A04 and A06) but are trained using different data.

When training the voice spoof detection model, we used the LA subset’s training, development, and validation sets in ASVspoof 2019 as the training, validation, and test sets for our experiments.

We slice and dice the LA subsets when training the voice spoof detection model. Because A04 and A16 use the same algorithm and A06 and A19 use the same algorithm, we grouped A04 and A16 into class A04 and A06 and A19 into class A06. Subsequently, all classes A1 to A17 were divided into a training set, validation set, and evaluation set at a ratio of 3:1:1.

4.2. Training Details

A 60-dimensional LFCC was extracted from the voice with a frame size of 320 ms and a hop count of 160 ms. We extracted 4 s of length for each voice segment and repeated padding for those less than 4 s long to form batches.

4.2.1. Training Parameters for Voice Spoof Detection

Four sets of voice spoof detection experiments were conducted. The experiments were all based on the layered convolution neural network (LCNN) architecture, which takes the extracted LFCC features as input and outputs a confidence score to characterize the classification results. We set α = 20 and m = 0.9 for AM-Softmax for the hyperparameters in the loss function and α = 20, $m_0$ = 0.9, and $m_1$ = 0.2 for OC-Softmax. We used the adam optimizer [28] with the ${\beta }_1$ parameter set to 0.9, and the ${\beta }_2$ parameter was set to 0.999 to update the weights in the model. We used a stochastic gradient descent (SGD) optimizer [29] for the parameters in the loss function. The batch size was set as 16. The learning rate was set at 0.0001. The number of epochs was set to 50. The early stop time was set at 5.

4.2.2. Training Parameters for Spoof Algorithm Recognition

For the domain voice spoof algorithm recognition, we used ResNet-44 for voice feature extraction. For each category, 200 samples were stored, and each training step consisted of 20 epochs. The learning rate started at 0.001 and was divided by 10 after 15 epochs. The model parameters were optimized using a SGD optimizer, and the batch size was set to 64. In performing the incremental learning experiments, we used A01–A09 as the base category. Subsequently, two new classes of spoof methods are added on top of this one at a time. The weight size in the SGD optimizer was set according to the ratio of the stored instance size to the size of the new class dataset.

4.2.3. Evaluation Metrics

To evaluate the performance of the voice spoofing detection module, we recorded the output score of the voice spoofing detection module, called the countermeasure (CM) score. This indicates the similarity between a given voice and a real voice. The equal error rate (EER) was calculated by setting a threshold on the CM decision score such that the false alarm rate was equal to the miss rate. The calculations were as follows:

$$P_{fa}\left(\theta \right)=\frac{\#\{spoof voice with score>\theta \}}{\#\left\{Total spoof voice\right\}}$$

(14)

$$P_{miss}\left(\theta \right)=\frac{\#\left\{human voice with score\le \theta \right\}}{\#\left\{Total human voice\right\}}$$

(15)

where $P_{fa}\left(\theta \right)$ and $P_{miss}\left(\theta \right)$ are monotonically decreasing and increasing functions of $\theta , \mathrm{respectively}$. EER corresponds to the threshold ${\theta }_{EER}$at which the two detection error rates are equal to 5, i.e., EER = $P_{fa}\left({\theta }_{EER}\right)$ = $P_{miss}\left({\theta }_{EER}\right)$. The lower the EER, the better the voice spoofing detection module detects spoofing attacks.

The tandem detection cost function (t-DCF) [30] is a new evaluation metric adopted for the ASVspoof 2019 challenge. Although EER only evaluates the performance of the voice spoofing detection module, it assesses the influence of the voice spoofing detection module on the reliability of an ASV system. The ASV system was fixed to compare the different voice spoofing detection modules. The lower the t-DCF, the better the reliability of the ASV.

For the voice spoof algorithm recognition module, we recorded the accuracy of each iteration and the recognition accuracy of each type of algorithm for the last iteration. The higher the accuracy rate, the better the recognition performance.

4.3. Experimental Results

4.3.1. Results of Spoof Detection

To demonstrate the effectiveness of the one-class learning and domain-adaptive methods, we compared our proposed OC-Softmax and domain-adaptive methods with the traditional binary classification loss function under the same input features and model settings. They were also compared with the EER and min t-DCF metrics of the baseline model LFCC-GMM, officially provided by the ASVspoof2019 competition, as shown in

Table 1. Results of the evaluation set at ASVspoof2019 LA.

Method	EER (%)	Min t-DCF
LFCC-GMM	8.090	0.21160
LFCC-LCNN—AM-Softmax	4.647	0.08278
LFCC-LCNN—Sigmoid	2.869	0.07248
LFCC-LCNN—Domain adaptation	2.638	0.08844
LFCC-LCNN—OC-Softmax	2.530	0.0682

. In Table 1, the OC-Softmax and domain adaptive methods obtained the best results, with equal error rate EER metrics of 2.530 and 2.638%, respectively. Under the metric min t-DCF, the OC-Softmax method obtained the best result of 0.0682. This indicated that, based on the strong generalization ability of the one-class loss function in the model inference stage, it could still recognize the truth and falsity of the voice spoofing of unknown attack types in the test set.

To further analyze the performance of each method, we obtained the distribution of the CM scores in the four sets of experiments, as shown in Figure 6. The comparison shows a considerable overlap between the bona fide and spoof distributions in Figure 6a, which indicates that the AM-Softmax-trained model has low generalization and a high misspecification rate. This overlap is almost invisible in Figure 6b–d. However, as can be seen from the horizontal coordinates, the difference between the mean CM scores of the bona fide and spoof samples in Figure 6b is approximately 1. The difference between the mean CM scores of the bona fide and spoof samples in Figure 6c is approximately 1.5. The difference between the mean CM scores of the bona fide and spoof samples in Figure 6d is approximately 2. The more significant the difference between the mean CM scores of the bona fide and spoof samples, the stronger the model’s ability to distinguish between true and spoofing voices and the higher the generalizability. Therefore, we can consider the generalization ability for voice spoof detection: OC-Softmax > domain adaptation > Sigmoid > AM-Softmax.

4.3.2. Results of Spoof Algorithm Recognition

The results of incremental learning using iCaRL and prototyping on the ASVspoof 2019 LA dataset are summarized in

Table 2. The accuracy during the incremental learning iterations.

Method	0 Iters	1 Iters	2 Iters	3 Iters	4 Iters
	Avg (%)	Avg (%)	Avg (%)	Avg (%)	Avg (%)
iCaRL	99.03	87.97	84.86	83.20	76.58
prototype	98.78	85.38	84.51	82.02	68.77
prototype + weight	98.78	87.17	85.31	88.35	79.89

. Comparing the second and third rows of the table, we see that the weights can effectively mitigate the adverse effects of data imbalance and improve the model’s classification performance. Both the iCaRL and prototype methods in Table 2 use the same ResNet-44 for feature extraction of the LFCC of the voices, which is later fed into the classifier for classification. Comparing the first and third rows in Table 2, we see that the prototype method performed better in the incremental experiments.

We observed high-dimensional features of the prototypically trained model using t-distribution Stochastic Neighborhood Embedding (t-SNE) plots, as shown in Figure 7. Figure 7a shows that the various types of voice spoofing sample features are in high-dimensional spaces with compact intra-classes and large class spacing. This makes the model highly generalizable for forgery algorithm recognition. From Figure 7b, we can see that the features of the untrained voice spoofing samples are primarily distributed in low-density regions and are separated from the trained class sample features. This indicates that, after the new classes are added, we can still classify the old classes using the prototypes, and the appearance of the new classes will not have an excessive impact on the old classes. Therefore, the prototype is suitable for incremental voice spoof detection.

After the last training iteration, the accuracy of the model in identifying various spoof algorithms in the test set is presented in

Table 3. Recognition results after the last iteration of training.

Attacks	Prototype + Weight
A1	87.30
A2	99.73
A3	99.89
A4	49.56
A5	92.65
A6	81.36
A7	62.63
A8	95.97
A9	98.09
A10	55.20
A11	89.60
A12	88.18
A13	92.71
A14	98.44
A15	92.14
A16	98.09
A17	99.93

. It can be seen that the model has a high recognition ability for most forgery algorithms (accuracy higher than 80%), whereas the classification performance for forgery attacks A4, A7, and A10 is relatively poor. From the confusion matrix shown in Figure 8, we can see that the three attacks A4, A7, and A10 will misclassify each other, which we believe is because of the voice spoofing generated by these three spoof algorithms having very similar characteristics. Incremental learning is a deep learning method in scenarios where there is a lack of data, which leads to the model’s poor classification performance for these three attack methods.

5. Conclusions

This study designed a voice spoofing detection and spoofing algorithm recognition system. The system can detect the authenticity of a voice and accomplish the recognition of voice spoof algorithms under continuous data streams, which is not available in other voice spoofing detection systems. This helps prevent synthetic voice spoofing attacks, e.g., phone scams, and thus protects the privacy and security of individuals in society. The system is divided into voice spoof detection and spoof algorithm recognition. The voice spoof detection module learns a real voice distribution compactly using a one-class loss function. In contrast, the voice spoofing exists in the external feature space at a certain angle. This makes the system highly robust for voice spoof detection compared to binary classification methods. The voice spoof algorithm recognition module learns multiple prototypes in the feature space for each spoof algorithm type. It is then applied to classification in incremental scenarios. The experimental results show that our voice spoof detection module has a significantly improved performance compared to the baseline, traditional loss function, and adaptive domain methods. The voice spoof algorithm recognition module outperforms iCaRL. Since our system is oriented at practical applications, there may be a problem of excessive system resource usage in small devices. For this reason, we will further lighten the system according to different usage scenarios while ensuring its detection performance in the next work.