Replay Attacks Against Audio Deepfake Detection

View on arXiv ← Back to list

Authors: Nicolas Müller, Piotr Kawa, Wei-Herng Choong, Adriana Stan, Aditya Tirumala Bukkapatnam, Karla Pizzi, Alexander Wagner, Philip Sperl

Published: 2025-05-20 19:46:36+00:00

Journal Ref: Interspeech 2025

AI Summary

This paper demonstrates how replay attacks undermine audio deepfake detection by playing and re-recording deepfake audio, making spoofed samples appear authentic to detection models. The authors introduce ReplayDF, a dataset of such recordings across diverse acoustic conditions, languages, and TTS models. Their analysis shows significant vulnerability in existing detection models, with performance dropping considerably even after adaptive retraining.

Abstract

We show how replay attacks undermine audio deepfake detection: By playing and re-recording deepfake audio through various speakers and microphones, we make spoofed samples appear authentic to the detection model. To study this phenomenon in more detail, we introduce ReplayDF, a dataset of recordings derived from M-AILABS and MLAAD, featuring 109 speaker-microphone combinations across six languages and four TTS models. It includes diverse acoustic conditions, some highly challenging for detection. Our analysis of six open-source detection models across five datasets reveals significant vulnerability, with the top-performing W2V2-AASIST model's Equal Error Rate (EER) surging from 4.7% to 18.2%. Even with adaptive Room Impulse Response (RIR) retraining, performance remains compromised with an 11.0% EER. We release ReplayDF for non-commercial research use.

Key findings
Replay attacks significantly degrade audio deepfake detection performance, causing the top-performing W2V2-AASIST model's Equal Error Rate (EER) to surge from 4.7% to 18.2%. This degradation specifically affects spoofed samples, making them appear bona fide, while detection of genuine samples remains largely unaffected. Although adaptive retraining with Room Impulse Responses (RIRs) helps reduce the EER to 11.0%, it does not fully mitigate the vulnerability, and simple noise addition does not cause the same performance drop.
Approach
The authors introduce ReplayDF, a dataset of re-recorded bona fide and spoofed audio samples generated by playing original samples through various speakers and recording them with different microphones. They then evaluate six open-source deepfake detection models on this dataset to quantify the impact of replay attacks. They also investigate adaptive retraining using Room Impulse Responses (RIRs) as a potential countermeasure.
Datasets
ReplayDF (newly introduced), M-AILABS, MLAAD v5, ASVspoof2019, ASVspoof 5, Fake-or-Real, In-the-Wild, Open Dataset of Synthetic Speech (ODSS).
Model(s)
Whisper, Raw PC Darts, RawNet2, TCM ADD, RawGAT-ST, W2V2-AASIST (Wav2Vec2-AASIST).
Author countries
Germany, Poland, USA, Romania
← Previous
Next →