Evaluating Adversarial Robustness of Deepfake Audio Detectors and Vocoder Fingerprint Detectors Against Universal Adversarial Perturbations

1. Introduction

Neural vocoders have become a central component of modern speech synthesis systems, enabling the generation of highly natural speech waveforms from intermediate acoustic representations such as mel-spectrograms. Models such as HiFi-GAN, MelGAN variants, StyleMelGAN, and Parallel WaveGAN [1,2,3,4] can produce synthetic speech with high perceptual quality, making synthetic audio increasingly difficult to distinguish from genuine recordings. While these systems support legitimate applications in text-to-speech and voice conversion, they also increase the risk of audio deepfakes being used for impersonation, misinformation, and fraud.

To address this risk, audio deepfake detection methods aim to distinguish synthetic speech from real speech. Beyond binary real-versus-fake detection, a related forensic task is vocoder fingerprint detection, where the objective is to identify the vocoder or synthesis model responsible for generating a speech sample. The motivation behind vocoder fingerprinting is that different neural vocoders may leave model-specific artifacts in the generated waveform [29]. These artifacts can appear in spectral structure, cepstral patterns, temporal dynamics, or other signal characteristics learned by the detector. If reliable, vocoder fingerprints can support both synthetic speech detection and source attribution.

However, the reliability of detecting vocoder fingerprints depends on whether these artifacts remain stable under perturbation. A detector may achieve high accuracy on clean synthetic speech but fails when the input is intentionally modified to disrupt the fingerprint cues used for classification. This is particularly important in adversarial settings, where an attacker may attempt to preserve the perceived speech content while causing the detector to misclassify the sample. Therefore, evaluating clean accuracy alone is insufficient for assessing the practical robustness of vocoder fingerprint detectors.

Adversarial attacks provide a direct way to examine this vulnerability [15,16]. In audio, adversarial perturbations can be applied in different domains. Waveform-domain attacks modify the raw audio samples directly, while frequency-domain attacks modify a time-frequency representation such as the STFT magnitude before reconstructing the waveform. These perturbation domains may interact differently with detector architectures. For example, waveform-based detectors such as AASIST [14] may rely on raw temporal cues, while feature-based detectors using LFCC or CQCC [12,13] representations may be more sensitive to spectral and cepstral distortions. As a result, an attack that is effective against one detector may not be able to transfer to another.

This transferability problem is central to realistic adversarial evaluation [17]. In practice, an attacker may not know the exact detector used by a forensic system. If adversarial audio optimized against one detector also fools other detectors, this indicates a broader weakness across detector families. Conversely, if transferability is limited, this suggests that robustness may depend strongly on the detector representation. Existing evaluations [17] often focus on a single detector, feature type, attack algorithm, or perturbation domain, making it difficult to determine whether observed vulnerabilities generalize across vocoder fingerprint detectors.

This paper presents a comparative study of adversarial attacks against audio deepfake and vocoder fingerprint detectors. We evaluate four representative attacks: Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Projected Gradient Descent (PGD), and Carlini–Wagner (CW). Each attack is implemented in both waveform-domain and STFT-magnitude-domain settings. All attacks are optimized against AASIST using a targeted fake-to-real objective, and the resulting adversarial audio is evaluated for black-box transferability across multiple detector families, including ResNet with LFCC features, LCNN with CQCC features, a BiLSTM-based detector, and AASIST itself. Experiments are conducted on synthetic speech generated by HiFi-GAN, Fullband MelGAN, StyleMelGAN, and Parallel WaveGAN.

The contributions of this paper are threefold. First, we provide a controlled comparison of FGSM, BIM, PGD, and CW attacks under a unified AASIST-source optimization setting. Second, we compare waveform-domain and STFT-magnitude-domain perturbations to examine how perturbation domain affects attack success and black-box transferability. Third, we evaluate transferability across detectors with different input representations and architectures, while also measuring audio quality and intelligibility using word error rates and signal-to-noise ratio. Through this analysis, we show that adversarial robustness in vocoder fingerprint detection depends jointly on attack algorithm, perturbation domain, and detector representation.

2. Related Work

2.1. Audio Deepfake Detection and Vocoder Fingerprints

Audio deepfake detection aims to determine whether a speech signal is genuine or synthetically generated. Existing detectors commonly approach this task either as binary real-versus-fake classification or as a more fine-grained source attribution problem. In the binary setting, the detector only decides whether an utterance is real or synthetic. [14,19] In the source attribution setting, the detector attempts to identify the synthesis model or vocoder that produced the speech. The latter task is closely related to vocoder fingerprint detection.

Vocoder fingerprints refer to model-specific traces that remain in generated speech after waveform synthesis [19,20,21,29]. These traces may arise from the architecture, training objective, upsampling strategy, spectral reconstruction loss, or adversarial training procedure used by a vocoder. For example, GAN-based vocoders such as HiFi-GAN, MelGAN variants, StyleMelGAN, and Parallel WaveGAN reconstruct waveform details using different generator and discriminator designs. As a result, their outputs may contain distinguishable spectral or temporal artifacts that can be exploited by fingerprint detectors.

The existence of vocoder fingerprints makes source attribution possible, but it also raises an important robustness question. If the detector relies on subtle synthesis artifacts, then small adversarial perturbations may be able to disrupt those cues while preserving the apparent speech content. Therefore, clean classification accuracy alone does not establish that vocoder fingerprints are stable or reliable in adversarial settings. This motivates evaluating whether fingerprint detectors remain effective when synthetic audio is deliberately perturbed.

2.2. Detector Representations for Synthetic Speech Detection

Audio deepfake detectors differ in the representations they use to analyze speech. Feature-based detectors first transform the waveform into an acoustic feature representation and then classify the extracted features. Common front-end features include mel-frequency cepstral coefficients (MFCCs), linear frequency cepstral coefficients (LFCCs), and constant-Q cepstral coefficients (CQCCs). These features compress spectral information into lower-dimensional representations that can be used by convolutional or recurrent classifiers.

LFCC and CQCC features are particularly relevant to vocoder fingerprint detection because they capture different frequency structures. LFCCs [12] use linearly spaced filters, which can preserve high-frequency and narrowband artifacts that may be useful for detecting synthetic speech. CQCCs [13] are based on the constant-Q transform and use a logarithmic frequency structure, which may emphasize different spectral patterns. As a result, perturbations that disrupt LFCC-based detectors may not necessarily transfer to CQCC-based detectors.

End-to-end detectors follow a different approach by operating directly on raw waveform inputs or minimally processed representations. These models learn task-specific features from the signal rather than relying on a fixed cepstral front end. AASIST is an example of this direction and is designed for speech anti-spoofing using raw waveform input. Compared with fixed-feature detectors, end-to-end detectors may exploit temporal, spectral, or phase-related cues that are not explicitly represented in hand-crafted features.

These differences in detector representation are central to adversarial transferability. An adversarial perturbation optimized against a raw-waveform detector may not affect a cepstral-feature detector in the same way, and an attack that disrupts LFCC features may not generalize to CQCC features or recurrent temporal models. For this reason, the present study evaluates multiple detector families, including AASIST, ResNet+LFCC, LCNN+CQCC, and a BiLSTM-based detector.

2.3. Adversarial Attacks and Transferability

Adversarial attacks modify an input signal to cause a machine learning model to make an incorrect prediction [16,22]. In audio deepfake detection, this means perturbing a speech waveform so that a detector fails to recognize it as synthetic or fails to attribute it to the correct vocoder. Such attacks are especially concerning when the perturbation preserves speech intelligibility while disrupting detector-relevant artifacts.

Gradient-based attacks provide a common framework for evaluating model robustness. FGSM [23] applies a single gradient-sign update, while BIM [26] extends this idea through multiple iterative updates. PGD [24] further strengthens the iterative attack by using random initialization and projection within a bounded perturbation region. CW [25] uses an optimization-based objective that directly manipulates the model logits while balancing classification success and perturbation size. These attacks differ in computational cost, optimization strength, and sensitivity to hyperparameters.

In the audio domain, adversarial perturbations can be applied in different signal domains. Waveform-domain attacks directly modify the audio samples, while frequency-domain attacks modify spectral representations such as STFT magnitude before reconstructing the waveform. This distinction is important because detectors do not all rely on the same signal evidence. Raw-waveform models may be affected by temporal or phase-related perturbations, while cepstral-feature detectors may be more sensitive to spectral magnitude changes.

Black-box transferability [27] is also important for practical evaluation. A perturbation optimized against one source detector may or may not transfer to other detectors with different representations and architectures. If transferability is high, the attack reveals a broader weakness across detector families. If transferability is limited, the vulnerability may be specific to the source model or feature representation. Existing studies often focus on a single attack setting or detector type, leaving the relationship between attack algorithm, perturbation domain, and detector representation insufficiently understood.

This work addresses that gap by comparing FGSM, BIM, PGD, and CW in both waveform and STFT-magnitude domains. All attacks are optimized against AASIST using a targeted fake-to-real objective and then evaluated across multiple vocoder fingerprint detectors. This design allows the study to examine not only source-detector attack success, but also cross-detector and cross-vocoder transferability.

3. Methodology

3.1. Overview

This study compares the robustness of audio deepfake and vocoder fingerprint detectors under multiple adversarial attack settings. Four attacks are evaluated: FGSM, BIM, PGD, and CW. Each attack is implemented in two perturbation domains: the waveform domain and the STFT-magnitude domain.

All attacks are optimized against AASIST using a targeted fake-to-real objective. The learned adversarial perturbations are then applied to synthetic speech generated by multiple vocoders and evaluated on both the source detector and independent target detectors. This design allows us to examine source-detector attack success, black-box transferability, and the effect of perturbation domain on detector robustness.

3.2. Problem Formulation

Let $x\in {[-1,1]}^T$ denote a clean synthetic speech waveform of length T. The source detector is denoted as $f_s(·)$, where $f_s$ corresponds to AASIST in this study. AASIST is treated as a binary classifier with two classes:

$$0=\mathrm{fake},1=\mathrm{real}.$$

(1)

For a synthetic input x, the true label is $y=0$, and the target adversarial label is $y_t=1$. The objective is to generate an adversarial waveform $x_{\mathrm{adv}}$ such that the source detector predicts the target class while the audio remains close to the original waveform:

$$x_{\mathrm{adv}}=\mathcal{A}(x;\delta ),$$

(2)

where $\mathcal{A}(·)$ denotes the attack transformation and $\delta$ denotes the adversarial perturbation. The form of $\delta$ depends on the perturbation domain. In the waveform domain, $\delta$ is added directly to the raw audio samples. In the STFT-magnitude domain, $\delta$ is applied to the magnitude spectrum before waveform reconstruction.

3.3. Universal Perturbation Setting

All attacks are implemented as universal perturbations. Instead of optimizing a separate perturbation for each utterance, each attack learns one reusable perturbation from a source vocoder dataset:

$${\mathcal{D}}_{\mathrm{src}}=\{x_1,x_2,\dots ,x_N\}.$$

(3)

The universal perturbation is optimized as:

$${\delta }^{*}=arg\underset{\delta \in \mathcal{S}}{min}{\displaystyle \frac{1}{N}}{\displaystyle \sum _{i=1}^N}\mathcal{L}\left(f_s\left(\mathcal{A}(x_i;\delta )\right),y_t\right),$$

(4)

where ${\delta }^{*}$ is the optimized perturbation, $\mathcal{S}$ is the allowed perturbation set, and $\mathcal{L}(·)$ is the attack loss. For FGSM, BIM, and PGD, cross-entropy loss toward the target real class is used. For CW, a logit-margin loss is used.

After optimization, the same perturbation ${\delta }^{*}$ is applied to evaluation audio without re-optimization:

$$x_{\mathrm{adv}}=\mathcal{A}(x;{\delta }^{*}).$$

(5)

This universal setting creates a stricter transferability evaluation than per-sample optimization because the perturbation must generalize across utterances and vocoders.

3.4. Perturbation Domains

3.4.1. Waveform-Domain Perturbation

In the waveform-domain setting, the perturbation is added directly to the raw waveform:

$$x_{\mathrm{adv}}=\mathrm{clip}(x+{\delta }_w,-1,1),$$

(6)

where ${\delta }_w$ is the waveform-domain perturbation. The clipping operation ensures that the adversarial waveform remains within the normalized amplitude range. The perturbation is constrained by an ${\ell }_{\infty }$ bound:

$$\parallel {\delta }_w{\parallel }_{\infty }\le ϵ.$$

(7)

This setting evaluates whether direct sample-level perturbations can disrupt detectors that operate on raw waveforms or on features extracted from waveforms.

3.4.2. STFT-Magnitude-Domain Perturbation

In the STFT-magnitude-domain setting, the perturbation is applied to the magnitude spectrum. Given a waveform x, its short-time Fourier transform is:

$$X=\mathrm{STFT}\left(x\right).$$

(8)

The complex STFT is decomposed into magnitude and phase:

$$M=\left|X\right|,P={\displaystyle \frac{X}{\left|X\right|+\eta }},$$

(9)

where $\eta$ is a small constant used to avoid division by zero. The adversarial magnitude is computed as:

$$M_{\mathrm{adv}}=M+{\delta }_M,$$

(10)

where ${\delta }_M$ is the STFT-magnitude perturbation. The adversarial waveform is reconstructed using the original phase:

$$x_{\mathrm{adv}}=\mathrm{ISTFT}(M_{\mathrm{adv}}·P).$$

(11)

Since STFT magnitudes are not bounded within a fixed amplitude range, a relative perturbation budget is used:

$$|{\delta }_M|\le {ϵ}_{\mathrm{rel}}·M_{\mathrm{ref}},$$

(12)

where $M_{\mathrm{ref}}$ is a reference magnitude template computed from the source training set, and ${ϵ}_{\mathrm{rel}}$ controls the perturbation strength.

3.5. Attack Algorithms

The four attacks differ in how they optimize the universal perturbation.

FGSM performs a single targeted gradient-sign update:

$${\delta }^{*}=-ϵ·\mathrm{sign}\left({\nabla }_{\delta }{\mathcal{L}}_{\mathrm{CE}}\left(f_s\left(\mathcal{A}(x;\delta )\right),y_t\right)\right).$$

(13)

BIM extends FGSM by applying iterative projected updates:

$${\delta }^{k+1}={\Pi }_{\mathcal{S}}\left({\delta }^k-\alpha ·\mathrm{sign}\left({\nabla }_{\delta }{\mathcal{L}}_{\mathrm{CE}}\left(f_s\left(\mathcal{A}(x;{\delta }^k)\right),y_t\right)\right)\right),$$

(14)

where $\alpha$ is the step size and ${\Pi }_{\mathcal{S}}(·)$ projects the perturbation back into the allowed set $\mathcal{S}$.

PGD follows the same iterative update rule as BIM but starts from a random initialization within the allowed perturbation set:

$${\delta }^0\sim \mathcal{U}\left(\mathcal{S}\right).$$

(15)

CW is implemented as an optimization-based targeted attack using a logit-margin objective. Let $z_{\mathrm{fake}}$ and $z_{\mathrm{real}}$ denote the fake and real logits produced by AASIST. The CW loss is:

$${\mathcal{L}}_{\mathrm{CW}}=max\left(z_{\mathrm{fake}}-z_{\mathrm{real}}+\kappa ,0\right),$$

(16)

where $\kappa$ is a confidence margin. The total CW objective is:

$${\mathcal{L}}_{\mathrm{total}}=\mathcal{D}\left(\delta \right)+c·{\mathcal{L}}_{\mathrm{CW}},$$

(17)

where $\mathcal{D}\left(\delta \right)$ penalizes perturbation size and c controls the weight of the classification loss.

3.6. Transferability Evaluation

The optimized adversarial audio is evaluated under two criteria: source-detector evasion and black-box transferability. For AASIST, attack success is defined as fake audio being classified as real:

$${\mathrm{ASR}}_{\mathrm{AASIST}}={\displaystyle \frac{N_{\mathrm{fake}\to \mathrm{real}}}{N}},$$

(18)

where $N_{\mathrm{fake}\to \mathrm{real}}$ is the number of fake samples predicted as real, and N is the total number of evaluated samples.

For multi-class vocoder attribution detectors, attack success is defined as incorrect vocoder attribution:

$${\mathrm{ASR}}_{\mathrm{multi}}=1-{\displaystyle \frac{N_{\mathrm{correct}}}{N}},$$

(19)

where $N_{\mathrm{correct}}$ is the number of attacked samples still classified as their true vocoder class. This definition treats any incorrect vocoder prediction as a successful disruption of source attribution.

3.7. Audio Quality and Intelligibility Metrics

Attack success alone is insufficient because a detector may fail when the audio is heavily degraded. Therefore, adversarial effectiveness is evaluated together with speech intelligibility and signal distortion.

Word error rate (WER) is used to measure transcription-level intelligibility:

$$\mathrm{WER}={\displaystyle \frac{S+D+I}{N_w}},$$

(20)

where S, D, and I are the numbers of substitutions, deletions, and insertions, respectively, and $N_w$ is the number of words in the reference transcript. The WER increase is defined as:

$$\Delta \mathrm{WER}={\mathrm{WER}}_{\mathrm{adv}}-{\mathrm{WER}}_{\mathrm{clean}}.$$

(21)

Signal-to-noise ratio (SNR) is used to measure signal-level distortion between clean and adversarial waveforms:

$$\mathrm{SNR}=10{log}_{10}\left({\displaystyle \frac{{\parallel x\parallel }_2^2}{\parallel x-x_{\mathrm{adv}}{\parallel }_2^2+\eta }}\right),$$

(22)

where $\eta$ is a small constant used to avoid division by zero. Higher SNR indicates that the adversarial audio remains closer to the clean waveform.

4. Experimental Setup

4.1. Dataset and Vocoders

Experiments are conducted using synthetic speech derived from the LJSpeech corpus [28]. LJSpeech contains approximately $13,100$ English utterances from a single female speaker recorded at $22.05$ kHz. This provides a controlled single-speaker setting for evaluating vocoder-generated speech and adversarial perturbations.

Four neural vocoders are evaluated: HiFi-GAN, Fullband MelGAN, StyleMelGAN, and Parallel WaveGAN. HiFi-GAN is used as the source vocoder for adversarial optimization, while all four vocoders are used during evaluation. This setup allows the experiment to measure both same-vocoder performance and cross-vocoder transferability. After an attack is optimized on HiFi-GAN-generated speech, the resulting universal perturbation is applied to all vocoder outputs without re-optimization.

All adversarial audio is generated at $22.05$ kHz. For detectors requiring a different sampling rate, such as AASIST, audio is resampled internally during evaluation. The attacks are applied after waveform synthesis, and no vocoder model weights are modified.

4.2. Detector Configuration

Four detector configurations are used: AASIST, ResNet+LFCC, LCNN+CQCC, and BiLSTM. These detectors are selected to cover different input representations and model architectures.

AASIST is used as the source detector for attack optimization. It is treated as a binary fake-versus-real classifier, where the target attack objective is to classify synthetic speech as real. The remaining detectors are used to evaluate black-box transferability.

The ResNet+LFCC detector is a multi-class vocoder attribution model referenced from baseline work [29]. Each waveform is converted into linear frequency cepstral coefficient (LFCC) features before classification. The LCNN+CQCC detector follows the same multi-class attribution setting but uses constant-Q cepstral coefficient (CQCC) features with a light convolutional neural network. The BiLSTM detector is included as a temporal sequence-based model to test whether attacks optimized against AASIST transfer to recurrent architectures.

For the multi-class detectors, the true label corresponds to the source vocoder of the evaluated sample. An attack is considered successful if the detector no longer predicts the correct vocoder class. For AASIST, an attack is considered successful if synthetic speech is classified as real.

4.3. Attack Configuration

Four adversarial attacks are evaluated: FGSM, BIM, PGD, and CW. Each attack is implemented in both waveform-domain and STFT-magnitude-domain settings. All attacks are optimized against AASIST using a targeted fake-to-real objective and saved as universal perturbation checkpoints.

Table 1. Attack hyperparameters used for waveform-domain and STFT-magnitude-domain attacks.

Parameter	Waveform domain	STFT-magnitude domain
Sampling rate	$22,050$ Hz	$22,050$ Hz
Chunk length	4 s / $88,200$ samples	4 s / $88,200$ samples
STFT $n_{\mathrm{fft}}$	–	1024
STFT hop length	–	256
STFT window length	–	1024
Perturbation budget	$ϵ=0.003$ / $0.006$	${ϵ}_{\mathrm{rel}}=0.03$ / $0.05$
BIM step size	$\alpha =0.0003$	${\alpha }_{\mathrm{rel}}=0.003$
PGD step size	$\alpha =0.0003$	${\alpha }_{\mathrm{rel}}=0.003$
BIM/PGD steps	5000	5000
Batch size	8	8
CW steps	5000	5000
CW learning rate	$0.001$	$0.001$
CW confidence margin	$\kappa =0$	$\kappa =0$
CW loss weight	$c=1.0$	$c=1.0$

Table 1. Attack hyperparameters used for waveform-domain and STFT-magnitude-domain attacks.

Parameter	Waveform domain	STFT-magnitude domain
Sampling rate	$22,050$ Hz	$22,050$ Hz
Chunk length	4 s / $88,200$ samples	4 s / $88,200$ samples
STFT $n_{\mathrm{fft}}$	–	1024
STFT hop length	–	256
STFT window length	–	1024
Perturbation budget	$ϵ=0.003$ / $0.006$	${ϵ}_{\mathrm{rel}}=0.03$ / $0.05$
BIM step size	$\alpha =0.0003$	${\alpha }_{\mathrm{rel}}=0.003$
PGD step size	$\alpha =0.0003$	${\alpha }_{\mathrm{rel}}=0.003$
BIM/PGD steps	5000	5000
Batch size	8	8
CW steps	5000	5000
CW learning rate	$0.001$	$0.001$
CW confidence margin	$\kappa =0$	$\kappa =0$
CW loss weight	$c=1.0$	$c=1.0$

For waveform-domain attacks, the perturbation is added directly to the audio waveform. The universal perturbation is optimized over fixed-length chunks of 4 seconds. Since the sampling rate is $22,050$ Hz, each waveform perturbation contains:

$$T_{\delta }=4\times 22,050=88,200$$

(23)

samples. The adversarial waveform is clipped to the valid amplitude range $[-1,1]$ after perturbation.

For STFT-magnitude-domain attacks, the perturbation is applied to the magnitude spectrum while preserving the original phase for inverse STFT reconstruction. The STFT uses $n_{\mathrm{fft}}=1024$, hop length 256, and window length 1024. The magnitude perturbation is constrained using a relative perturbation budget based on a reference magnitude template computed from the source data.

FGSM is implemented as a one-step universal attack. BIM and PGD are iterative projected-gradient attacks, with PGD using random initialization within the allowed perturbation range. CW is implemented as an optimization-based attack using a targeted logit-margin objective and Adam optimization. During iterative attack optimization, random cropping is used so that the universal perturbation is exposed to different temporal regions of the source utterances.

The perturbation budgets are domain-specific because waveform-domain and STFT-magnitude-domain perturbations operate on different signal representations and are not directly comparable by their raw $ϵ$ values. Therefore, cross-domain comparisons are interpreted together with WER and SNR results, which provide a common quality-based reference for the amount of audio degradation introduced by each attack.

4.4. Evaluation Protocol

The evaluation consists of three stages. First, each attack is optimized using HiFi-GAN-generated speech and AASIST as the source detector. Second, the saved universal perturbation checkpoint is applied to HiFi-GAN, Fullband MelGAN, StyleMelGAN, and Parallel WaveGAN audio without additional optimization. Third, the clean and adversarial audio are evaluated on AASIST, ResNet+LFCC, LCNN+CQCC, and BiLSTM.

For each detector and vocoder, clean accuracy is first recorded to verify that the detector performs reliably before attack. Attack success rate (ASR) is then computed using the definitions from Section 3. For AASIST, ASR measures fake-to-real misclassification. For multi-class detectors, ASR measures incorrect vocoder attribution.

Audio quality and intelligibility are evaluated using Whisper [30] word error rate (WER) and signal-to-noise ratio (SNR). These metrics are reported alongside ASR to distinguish quality-preserving adversarial examples from attacks that mainly succeed through signal degradation.

5. Results

5.1. Frequency-Domain Attack Results

Table 2 reports the ASR of STFT-magnitude-domain attacks across the four detectors and four vocoders. The strongest result is observed for PGD on ResNet+LFCC, where ASR reaches approximately $100\%$ across all vocoders. Since the attack is optimized against AASIST rather than ResNet+LFCC, this indicates strong black-box transfer from the AASIST source detector to the LFCC-based attribution detector.

However, this transfer does not generalize uniformly across detectors. The same STFT-magnitude PGD perturbation has limited effect on LCNN+CQCC and no measurable effect on BiLSTM. For AASIST, PGD achieves moderate source-detector ASR, ranging from $26\%$ to $53\%$ across vocoders. FGSM, BIM, and CW remain weak in the STFT-magnitude setting, with low ASR on both AASIST and most black-box detectors. Overall, the frequency-domain results show that STFT-magnitude PGD is effective mainly against LFCC-based attribution, while the other attacks are largely ineffective under the tested budget.

5.2. Waveform-Domain Attack Results

Table 3 reports the ASR of waveform-domain attacks. Compared with the STFT-magnitude setting, waveform-domain perturbations produce broader transferability across feature-based detectors. LCNN+CQCC is the most vulnerable target, with all four waveform attacks reaching $100\%$ ASR across all vocoders. ResNet+LFCC is also highly vulnerable, with most attacks producing near-complete attribution failure.

The BiLSTM detector shows a more mixed pattern. It is highly vulnerable for HiFi-GAN, but its response varies substantially for the other vocoders. For example, Fullband MelGAN remains relatively robust to PGD, FGSM, and BIM, while CW reaches high ASR. This indicates that BiLSTM transferability depends more strongly on the interaction between attack type and source vocoder.

For AASIST, waveform-domain BIM and CW are the strongest attacks. BIM reaches $100\%$ ASR across all vocoders, while CW achieves consistently high ASR. PGD produces moderate ASR, whereas FGSM fails completely against AASIST. However, FGSM still transfers strongly to ResNet+LFCC and LCNN+CQCC, showing that source-detector success does not necessarily predict black-box transferability.

5.3. Cross-Domain Comparison

Table 4 summarizes the average ASR across vocoders for both perturbation domains. The results show a clear domain effect. In the STFT-magnitude domain, high ASR is concentrated mainly in PGD against ResNet+LFCC. In the waveform domain, high ASR is distributed more broadly across attacks and detectors, especially for ResNet+LFCC and LCNN+CQCC.

The ranking of attacks also changes across domains. For AASIST, STFT-magnitude PGD is the strongest frequency-domain attack, while waveform-domain BIM and CW are much stronger in the waveform setting. For BiLSTM, STFT-magnitude attacks have almost no effect, whereas waveform-domain attacks produce higher but more variable ASR. These results show that perturbation domain is a major factor in adversarial effectiveness and transferability.

5.4. Black-Box Transferability Across Detectors

Table 5 compares source-detector ASR with black-box transfer ASR averaged across vocoders. Since all attacks are optimized against AASIST, the AASIST column represents source-detector performance, while ResNet+LFCC, LCNN+CQCC, and BiLSTM represent black-box target detectors.

In the STFT-magnitude domain, PGD achieves the strongest source-detector ASR and transfers almost completely to ResNet+LFCC, but it transfers poorly to LCNN+CQCC and BiLSTM. The other STFT-magnitude attacks show weak source and transfer performance. In contrast, waveform-domain BIM and CW achieve both strong source ASR and high average black-box ASR. Waveform-domain FGSM is the main exception: it achieves $0.00\%$ ASR on AASIST but high average black-box ASR, indicating that black-box transferability must be evaluated separately from source-model success.

5.5. Audio Quality and Intelligibility

Table 6 reports Whisper WER, Table 7 reports SNR, and Table 8 summarizes the average WER and SNR across vocoders. The clean vocoded audio has an average WER of $3.96\%$, providing the baseline for intelligibility comparison.

For STFT-magnitude attacks, FGSM, BIM, and CW preserve audio quality well. Their WER remains close to the clean baseline and their SNR values are high, but their ASR values are low in most detector settings. STFT-magnitude PGD produces stronger transfer to ResNet+LFCC, but it increases average WER to $5.24\%$ and reduces average SNR to $11.20$ dB. This indicates a stronger distortion–effectiveness trade-off for PGD in the frequency domain.

For waveform-domain attacks, FGSM and BIM achieve high ASR on several detectors but substantially degrade audio quality. FGSM increases average WER to $17.53\%$ with an average SNR of $3.33$ dB, while BIM increases average WER to $12.84\%$ with an average SNR of $6.59$ dB. These results suggest that their high ASR should be interpreted cautiously. In contrast, waveform-domain PGD and CW keep WER close to the clean baseline, with average WER values of $4.03\%$ and $4.07\%$, respectively. Together with their strong ASR results, waveform-domain PGD and CW provide the strongest quality-aware attack performance.

6. Discussion

The results show that adversarial robustness in vocoder fingerprint detection is not determined by the detector alone. Instead, it depends on the interaction between the attack algorithm, the perturbation domain, and the detector representation. This is important because a detector that appears robust under one attack setting may still be vulnerable under another.

6.1. Perturbation Domain and Detector Representation

The comparison between waveform-domain and STFT-magnitude-domain attacks shows that perturbation domain has a major effect on adversarial behavior. STFT-magnitude attacks mainly expose representation-specific vulnerability. In particular, STFT-magnitude PGD transfers strongly to ResNet+LFCC but has limited impact on LCNN+CQCC and BiLSTM. This suggests that the perturbation disrupts spectral structures that are highly relevant to LFCC-based attribution, but less damaging to CQCC-based or recurrent detectors.

Waveform-domain attacks produce a different pattern. They transfer more broadly to feature-based detectors, especially ResNet+LFCC and LCNN+CQCC. This indicates that direct waveform perturbations can disrupt downstream feature extraction even when the target detector itself does not operate directly on raw waveform input. Therefore, feature-based detectors should not be assumed to be protected from waveform-level adversarial manipulation.

These findings suggest that robustness evaluation should include more than one perturbation domain. A detector may appear robust against STFT-magnitude perturbations while remaining vulnerable to waveform-domain attacks, or vice versa. The results therefore support a domain-aware view of adversarial robustness, where attack effectiveness must be interpreted in relation to the signal representation being perturbed and the representation used by the target detector.

6.2. Source-Model Success Does Not Guarantee Transferability

All attacks in this study are optimized against AASIST, but the strongest transfer effects do not always correspond to the strongest source-model attacks. The clearest example is waveform-domain FGSM. Although it fails to achieve fake-to-real evasion on AASIST, it still causes substantial attribution failure on black-box feature-based detectors. This shows that source-detector ASR is not sufficient for evaluating the broader risk of an attack.

This result has practical implications for black-box adversarial evaluation. If evaluation only considers the source detector, an attack such as waveform-domain FGSM would appear ineffective. However, when evaluated against independent target detectors, the same perturbation produces strong attribution failure. Therefore, black-box transferability should be evaluated explicitly across independent detectors rather than inferred from source-model performance.

The detector-specific transfer patterns also suggest that different detector families rely on different fingerprint cues. LFCC-based, CQCC-based, recurrent, and raw-waveform detectors do not respond identically to the same adversarial perturbation. This means that robustness claims based on a single detector architecture are limited. A more reliable evaluation should include heterogeneous target detectors with different front-end representations and model structures.

6.3. Quality-Aware Interpretation of Attack Strength

The audio quality results show that high ASR alone is not enough to identify a strong adversarial attack. Some attacks achieve high detector disruption only at the cost of substantial signal degradation. Waveform-domain FGSM and BIM are the main examples: they produce strong black-box ASR, but they also substantially increase WER and produce very low SNR. Their effectiveness should therefore be interpreted cautiously, because part of their success may come from destructive distortion rather than subtle adversarial manipulation.

Waveform-domain PGD and CW provide a stronger trade-off. Both maintain WER close to the clean baseline while still achieving strong attack success across several detector settings. This makes them more convincing as quality-preserving adversarial attacks. In contrast, STFT-magnitude FGSM, BIM, and CW preserve audio quality but are weak in terms of ASR. STFT-magnitude PGD is more effective, especially against ResNet+LFCC, but its low SNR indicates stronger spectral distortion.

These results show why adversarial audio evaluation should report both attack effectiveness and audio quality. Without WER and SNR, waveform-domain FGSM and BIM would appear stronger than they actually are. With quality metrics included, waveform-domain PGD and CW emerge as more meaningful attacks because they better balance detector disruption and speech preservation.

7. Conclusion

This paper presented a comparative study of adversarial attacks against audio deepfake and vocoder fingerprint detectors. Four attacks, FGSM, BIM, PGD, and CW, were evaluated in both waveform-domain and STFT-magnitude-domain settings. All attacks were optimized against AASIST using a targeted fake-to-real objective and were then evaluated for black-box transferability across detectors with different input representations, including ResNet+LFCC, LCNN+CQCC, BiLSTM, and AASIST.

The results show that adversarial effectiveness depends strongly on the interaction between attack algorithm, perturbation domain, and detector representation. STFT-magnitude PGD transfers strongly to ResNet+LFCC but has limited effect on LCNN+CQCC and BiLSTM, indicating that frequency-domain vulnerability is representation-specific. In contrast, waveform-domain attacks produce broader transferability across feature-based detectors, particularly ResNet+LFCC and LCNN+CQCC. However, source-detector success does not always predict black-box transferability, as shown by waveform-domain FGSM, which fails against AASIST but transfers strongly to several black-box detectors.

The quality evaluation further shows that high ASR alone is insufficient for assessing adversarial audio. Waveform-domain FGSM and BIM achieve strong detector disruption but substantially degrade WER and SNR, while waveform-domain PGD and CW preserve intelligibility more effectively while maintaining strong attack performance. These findings highlight the need to evaluate adversarial attacks using both detection metrics and audio quality metrics.

Overall, this study demonstrates that robustness claims in audio deepfake and vocoder fingerprint detection should not be based on a single attack, detector, or perturbation domain. Future work should extend this comparison to additional source detectors, larger and more diverse datasets, additional vocoder families, and defended detection pipelines. Further work should also examine adaptive attacks and defense strategies such as preprocessing-based defenses, adversarial training, detector ensembling, and representation-level regularization.