What You Read Isn't What You Hear: Linguistic Sensitivity in Deepfake Speech Detection

View on arXiv ← Back to list

Authors: Binh Nguyen, Shuji Shi, Ryan Ofman, Thai Le

Published: 2025-05-23 06:06:37+00:00

Comment: 15 pages, 2 fogures

AI Summary

This paper investigates the linguistic sensitivity of audio deepfake detectors by applying transcript-level adversarial attacks. It demonstrates that subtle linguistic perturbations can significantly reduce the accuracy of both open-source and commercial anti-spoofing systems, with attack success rates exceeding 60% in some cases. The study further identifies linguistic complexity and model-level audio embedding similarity as key factors contributing to detector vulnerability.

Abstract

Recent advances in text-to-speech technologies have enabled realistic voice generation, fueling audio-based deepfake attacks such as fraud and impersonation. While audio anti-spoofing systems are critical for detecting such threats, prior work has predominantly focused on acoustic-level perturbations, leaving the impact of linguistic variation largely unexplored. In this paper, we investigate the linguistic sensitivity of both open-source and commercial anti-spoofing detectors by introducing transcript-level adversarial attacks. Our extensive evaluation reveals that even minor linguistic perturbations can significantly degrade detection accuracy: attack success rates surpass 60% on several open-source detector-voice pairs, and notably one commercial detection accuracy drops from 100% on synthetic audio to just 32%. Through a comprehensive feature attribution analysis, we identify that both linguistic complexity and model-level audio embedding similarity contribute strongly to detector vulnerability. We further demonstrate the real-world risk via a case study replicating the Brad Pitt audio deepfake scam, using transcript adversarial attacks to completely bypass commercial detectors. These results highlight the need to move beyond purely acoustic defenses and account for linguistic variation in the design of robust anti-spoofing systems. All source code will be publicly available.

Key findings
The research found that subtle linguistic changes in transcripts can significantly degrade the accuracy of both open-source and commercial audio deepfake detectors, achieving attack success rates over 60% and drastically reducing accuracy in some cases. Vulnerabilities are strongly correlated with linguistic complexity of the perturbed transcript and the detector's audio embedding similarity for the voice. A real-world case study demonstrated that commercial detectors could be completely bypassed using these transcript-level adversarial attacks.
Approach
The authors investigate linguistic sensitivity by developing a transcript-level adversarial attack framework. This involves minimally perturbing audio transcripts using methods like synonym replacement or masked language models, then synthesizing the perturbed transcripts into speech via text-to-speech models, and evaluating the impact on audio deepfake detectors. The goal is to flip the detector's prediction while preserving semantic meaning.
Datasets
VoiceWukong dataset, VCTK dataset (as base for VoiceWukong), ASVSpoof-2019 LA dataset
Model(s)
AASIST-2, CLAD, RawNet-2, API-A (commercial), API-B (commercial)
Author countries
USA
← Previous
Next →