Escaping the Linearity Trap: Manifold Detours for Black-Box Adversarial Attacks on Singing Audio Deepfake Detection

Authors: Yifan Liao, Yule Liu, Zhen Sun, Zongmin Zhang, Yupeng He, Jiaheng Wei, Xinhu Zheng, Xinlei He

Published: 2026-05-18 03:43:41+00:00

AI Summary

This paper introduces MARS (Meta-Adversarial Regression of Semantics), a black-box adversarial attack framework designed to expose vulnerabilities in Self-Supervised Learning (SSL)-based singing voice deepfake detection (SVDD) systems. MARS overcomes the 'Linearity Trap' of existing attacks by employing a bi-level optimization strategy that leverages natural and artifact semantic anchors to induce tangential exploration and guide perturbed audio toward a natural manifold. Experiments show MARS significantly improves Attack Success Rates across diverse SVDD models and datasets, highlighting an urgent need for more robust SVDD defenses.

Abstract

Recent Singing Voice Synthesis (SVS) advances enable highly realistic but potentially malicious AI covers, making singing voice deepfake detection (SVDD) crucial. Self-Supervised Learning (SSL)-based detectors achieve state-of-the-art performance by fine-tuning speech SSL backbones to capture singing-specific spoof artifacts. Existing adversarial attacks often fail against SSL-SVDD, creating a false impression of inherent robustness. We reveal this stems from two challenges. First, at the objective level, attacks optimize cross-entropy on local surrogates, crossing surrogate-specific boundaries rather than suppressing shared spoof evidence. Second, at the method level, attacks follow the surrogate's dominant gradient direction. In SSL-SVDD, this aligns with fine-tuned artifact-sensitive directions, limiting transferability to unseen detectors - a geometric failure we term the Linearity Trap. To properly evaluate robustness, we propose MARS (Meta-Adversarial Regression of Semantics), a transfer-based black-box framework tailored to SSL-SVDD. Structurally, MARS shifts to hypothesis-evidence manipulation by constructing a natural semantic anchor from the pre-trained SSL space and an artifact anchor from the fine-tuned space. Algorithmically, MARS escapes the Linearity Trap via bi-level optimization: the inner stage induces tangential exploration, while the outer stage guides the audio toward the natural semantic manifold. Experiments on the CtrSVDD benchmark show MARS improves Attack Success Rate (ASR) in in-distribution transfer (13%), out-of-distribution transfer (10%), and cross-task evaluation (36%), highlighting the urgent need for robust SVDD systems.


Key findings
MARS achieves superior black-box attack performance, reaching an average Attack Success Rate (ASR) of 89.36%, significantly outperforming state-of-the-art baselines by over 13 percentage points. It demonstrates robust transferability across in-distribution, out-of-distribution (FsD), and cross-domain (Sonics) datasets, while preserving high perceptual quality and lyric consistency. The method's effectiveness highlights critical vulnerabilities in current SSL-based SVDD systems and the urgent need for more robust defenses.
Approach
MARS is a transfer-based black-box adversarial attack framework. It employs a bi-level optimization strategy: an inner loop induces tangential exploration away from the detector's dominant artifact-sensitive direction, while an outer loop uses a 'Push-Pull' objective to guide the perturbed audio towards a natural semantic anchor (from the pre-trained SSL space) and away from an artifact anchor (from the fine-tuned detector space). This approach is constrained by a dynamic spectral mask to maintain perceptual stealthiness.
Datasets
CtrSVDD, FsD, Sonics
Model(s)
SSL-based SVDD systems, which include WavLM (Base, Large), HuBERT (Base, Large), Wav2Vec 2.0 (Base, XLSR), and UniSpeech-SAT (Base, Large) as backbones, combined with detection heads like AASIST2, SLS, and MultiConv.
Author countries
China