De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks
by Wei Fan, Kejiang Chen, Chang Liu, Weiming Zhang, and Nenghai Yu
University of Science and Technology of China · ICML 2025
Introduction
This is the homepage of our paper De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks. This work presents a systematic evaluation of protective perturbations against voice cloning attacks and proposes a novel two-stage purification method to disrupt existing defenses.
Abstract
The rapid advancement of speech generation models has heightened privacy and security concerns related to voice cloning (VC). Recent studies have investigated disrupting unauthorized voice cloning by introducing adversarial perturbations. However, determined attackers can mitigate these protective perturbations and successfully execute VC.
Fig. 1: The threat model: Bypassing voice cloning defenses using purification methods.
In this study, we conduct the first systematic evaluation of these protective perturbations against VC under realistic threat models that include perturbation purification. Our findings reveal that while existing purification methods can neutralize a considerable portion of the protective perturbations, they still lead to distortions in the feature space of VC models, which degrades the performance of VC.
Fig. 2: Our two-stage method: A refinement stage repairs distortions left by initial purification.
From this perspective, we propose a novel two-stage purification method: (1) Purify the perturbed speech; (2) Refine it using phoneme guidance to align it with the clean speech distribution. Experimental results demonstrate that our method outperforms state-of-the-art purification methods in disrupting VC defenses. Our study reveals the limitations of adversarial perturbation-based VC defenses and underscores the urgent need for more robust solutions to mitigate the security and privacy risks posed by VC.
Fig. 3: Our method consistently achieves the highest attack success rate across all tested defenses, boosting performance from 45.1% to 76.2% in the most challenging case (AntiFake).
Citation
If you find this work useful, please consider citing our paper:
@inproceedings{de-antifake-icml2025,
  title = {De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks},
  author = {Fan, Wei and Chen, Kejiang and Liu, Chang and Zhang, Weiming and Yu, Nenghai},
  booktitle = {International Conference on Machine Learning},
  year = {2025},
}
Contact
Technical Questions: range@mail.ustc.edu.cn.
General Inquiries: chenkj@ustc.edu.cn.