SLIM: Style-Linguistics Mismatch Model for Generalized Audio Deepfake Detection

Thank you for the time spent reviewing our manuscript and pointing us to another dataset that we believe would be a great fit for further evaluation of the proposed method. Below is our point-by-point response:

• “magnitude of stage 1 training data”

We acknowledge that our current approach is limited to available real data. As listed in Section 2, the datasets for Stage 1 are currently limited to CommonVoice and RAVDESS. As a follow-up for more robustness, we plan to leverage larger pre-training datasets, for example, those used in learning self-supervised speech representations. We will clarify this in the Limitations section.

• “applying SLIM to applied other unseen attacking scenarios”

Thank you for the reference, this is indeed an interesting setup and we will extend our experiments accordingly in the future. However, our current scope of “unseen” attacks is limited to English datasets and VC/TTS systems in public evaluation datasets. (Please also see our response to Reviewer 4aqZ regarding our problem scope.) Since the recommended dataset is in Chinese language, our model will need to be retrained on Chinese data to perform the evaluation. In the future, we plan to extend our investigation to include more recent TTS/VC methods as well as more varied genres and languages.

Thank you for the time spent reviewing our manuscript and for finding our work innovative. A point-by-point response to your questions can be seen as follows.

• ”Is the confidence of your detector connected with the severity of the artifacts in the synthesized speech samples? Do the mel spectrograms of the most confidently correctly detected synthesized samples contain the most clearly visible artifacts?”

We did notice that the low-quality samples (i.e., those with NISQA MOS < 2) were labeled as deepfakes with high confidence by SLIM. These samples were correctly classified with high confidence by the baseline models compared in Table 2. For the ones that did not contain a significant amount of noise, we did not observe significant correlation between the detector confidence scores and the severity of artifacts. We also did not see clearly separable patterns in the mel-spectrograms when comparing the most confident correctly detected samples with less confident ones. While mel-spectrograms are useful as a supplementary tool for studying samples, in our experience they don’t fully reveal all the deepfake artifacts that are important for a model to make a decision.

We would like to also point out that the actual source of the deepfakes remains an open question. This is one of the reasons why recent works have begun focusing on "interpretation-driven detection," e.g. formant analysis to report deepfakes. In our case, the `interpretation’ is incorporated into our model design, where the distance between pairs of style-linguistics dependency features can be directly used to quantify the mismatch (Figure 2, Page 8). We also show that the dependency features are complementary to the features that focus on the deepfake artifacts. Such complementarity can be seen from Table 2 - SLIM variants (Page 7), where models using only SSL features perform better on ASVspoof2021, whereas the models using dependency features outperform on MLAAD. Fusion of the two resulted in the best performance.

• “Which types of TTS models are easier to detect, and which are harder to detect by your method?”

As some details of the TTS models used in employed datasets are not known, we performed an analysis on the recent ASVspoof5 dataset and presented a breakdown of model performance for different attacks and codecs (Table 1 and 2 in the rebuttal PDF). In general, degradation is seen when codecs with lower bit rates are applied. We found systems with zero-shot capability are harder to detect than other methods (e.g., YourTTS).

• ”You provided examples of correctly classified speech samples. What about incorrectly classified ones? Can you share an explanation or guess what are the peculiarities of these "complicated" samples that prevent them from being correctly classified by your method?”

We will add incorrectly classified samples to the paper. In general, we observed that severely degraded samples (e.g. audio too short/noisy) were commonly misclassified. This could be due to the design of our model, which by nature may require longer duration to capture the style-linguistics mismatch. The observation here also aligns with the difference seen between style/linguistics-only features and dependency features in Table 2, where the former performs better on ASVspoof2021 and the latter performs better on MLAAD.

• ”Do you plan to upload your code to GitHub?”

Since we are currently filing for IP, we do not currently plan to release the training code. However, we provided details in the paper to facilitate easy implementation of our model. The Appendix includes a detailed description of the model architecture (Appendix A.3), training hyperparameters (Appendix A.6), the list of pre-training datasets (Appendix A.2), and a Pytorch-style pseudocode of the training objective (Appendix A.4).

Thank you for your time spent reviewing our work and for sharing your detailed comments which helped us to revise our work. A point-by-point response to the posted questions can be seen below:

• “What are the systems tested in Table 1?...”

As the samples referred to in Table 1 are part of the ASV2019 training data, the detailed PII is not available. We agree that detailed information of the generative models will be useful. Considering that each deepfake attack in ASV2019 has its own synthesis pipeline, and the relevant details are already summarized in the ASV2019 summary paper [1] , we will add a reference to the appropriate section and guide readers to refer to the summary paper for details.

• “..., it would be very useful to test this approach under those forms of degradation.”

Based on the first part of the question on robustness to degraded speech, we performed an evaluation of SLIM on 12 different codecs within the more recent ASVspoof5 dataset (released in July 2024, two months after our initial submission to NeurIPS). The results are summarized in Table 1 in the global rebuttal PDF. Note that ASVSpoof5 includes the Opus codec, which is used in telephony systems. In addition, we point out that the ASVspoof 2021, which is one of the test datasets, includes different types of lossy codecs with varied bitrates, typically used for media storage.

Regarding the second half of the question on prosodic features vs simpler acoustic artifacts, we agree that separating the two categories of speech samples would definitely help in identifying the true source of deepfake. However, when we performed listening tests and spectrogram visualizations on the deepfake samples, there were many cases where a sample could manifest a combination of artifacts and style-linguistics mismatch pattern. It was therefore challenging to divide samples into two distinct categories and perform testing separately. To gain some insight, we performed an ablation on SLIM (Table 2 - SLIM variants), where we experimented using only the SSL features (rows 1-3 under `SLIM variants’; corresponding to the artifact cases), only the dependency features (row 4; corresponding to the mismatch cases), and the combination of the two (row 5; corresponding to leveraging both sources). The difference in performance can be used to gauge the question of the actual source of the deepfake samples. Our results show that the mismatch cases could be a smaller portion in ASV2021, since the dependency-alone performance was much worse than using SSL features. For the In-the-wild and MLAAD datasets, the performance of dependency features is on par with, if not better than, SSL features, demonstrating that these two datasets have more mismatch cases.

• ” Testing on both clean audio, and higher quality synthesis, as well as under controlled degradations could raise my score.”

We evaluated our model on the ASVspoof5 dataset released in July 2024, where the most recent generative models were used together with different codec degradations. We provide a breakdown of the model performance with regard to different types of unseen attacks, as well as unseen codecs. These results can be found in Table 1 and Table 2 in the rebuttal PDF.

• ”The primary concern in order to raise my score would be a more proper scoping of the generalization claims,...”

We agree that our current system only operates on English data and cannot yet handle all prosodic styles (as briefly discussed in Limitations). In the introduction (Page 1, line 30), we specified that the current SOTA methods lack generalizability to unseen attacks, which we aim to tackle in this study. Following your suggestion, we will revise the manuscript in various parts, including the abstract, introduction, and limitations, to scope-limit our use of the term generalization to “unseen attacks”.

Audio deepfake detection (ADD) in the ADD community indeed most commonly refers to speech deepfakes, we will clarify this in our paper. Regarding multilinguality, our current approach leverages pretrained embeddings that were trained on tasks from English data (e.g. emotion recognition), so we are currently limited by the availability of language-specific high quality pre-trained embeddings.

Regarding evaluation on prosody styles, we point that our test sets cover a decent variety of speakers (e.g., 58 celebrities in the In-the-wild, and 100+ speakers in total for all test datasets). Performance across diverse test sets indicates our model’s ability to do well on a variety of speaking styles. However, we acknowledge that an extensive evaluation on special prosodic styles such as pathological speech, children speech, or new learners of a language, has not been included in our study due to small sample size, limited variability of speech content, and noise issues (e.g., [2], [3]). We will acknowledge this limitation in the paper.

• ”Larger and more diverse datasets (multi-lingual being one option, more unusual speaker styles would be another), or more particularly use of a variety of recent, high performing methods would raise my score if the writing is mostly unchanged.”

We performed evaluation of SLIM on the ASVspoof5 data, where some of the recent main-stream platforms (e.g., tortoiseTTS) are used for generating the deepfake data. The results are reported in Table 1 and Table 2 in the rebuttal PDF.

Reference:

[1] X. Wang, et. al., “ASVspoof 2019: A large-scale public database of synthesized, converted and replayed speech,” Elsevier Computer Speech & Language Journal, vol. 64, 2020.

[2] Coppock, Harry, et al. "COVID-19 detection from audio: seven grains of salt." The Lancet Digital Health 3.9 (2021): e537-e538.

[3] Schu, Guilherme, et. al., "On using the UA-Speech and TORGO databases to validate automatic dysarthric speech classification approaches." IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2023.

Thank you for your time reviewing our manuscript and for acknowledging our contribution to the field. We have provided a point-by-point response as follows:

• “The idea of capturing the mismatch between style and linguistics is promising, but it's unclear how this mismatch correlates with deepfake samples.”

As the idea of style-linguistics mismatch has not been systematically investigated before, we first referred to existing linguistic studies that show concrete examples of how these two aspects are correlated in real speech (Section 2.2, Page 3, line 111-113), e.g., the impact of emotional status on word choices. Given that main-stream TTS and VC methods model these two aspects independently, such subtle correlation in real speech may be missing in deepfakes. For example, VC systems swap the original voice identity with a new one, without considering if the new voice would match in style with the word choices. To verify that the hypothesized mismatch does exist in deepfakes, we then provided preliminary results of CCA analysis (Section 3.1, Page 3-4, line 117-142; Table 1) that show a significantly higher correlation value of the two aspects in real speech and a lower correlation in deepfake speech, which also aligns with the distance between the dependency features learned by SLIM (Page 8, Figure 2). Although it is challenging to exhaustively list all mismatch cases, we provided a spectrogram illustration in Figure 4 (top right), which demonstrates a deepfake sample identified by SLIM that shows abnormal rhythm of pauses when uttering certain words. We agree that more examples could benefit the understanding of the mismatch, which requires a more systematic and detailed investigation. We plan to pursue this for future analysis.

• ”In Figure 2 (training framework for ADD), the source of supervision for style and linguistics is not apparent. How do you ensure that each encoder learns the corresponding features? Additionally, how do you achieve perfect disentanglement between the style and linguistics encoders?”

We acknowledge that a perfect disentanglement of the two aspects is a challenging task. However, based on existing works on how information propagates through self-supervised learning (SSL) model layers (reference listed in Section 2.2, page 3, line 106-109), it is possible to obtain two representations which have maximal information about one of the aspects while retaining minimal information of the other. In our work, we tried to limit the entanglement by choosing and freezing the pretrained embeddings fine-tuned for tasks that are likely independent of each other, i.e. ASR for linguistics and SER for style. To ensure a satisfactory disentanglement of our adopted representations, we performed a correlation analysis in Appendix 1, Figure 5, where the average correlation value of the two representations is close to 0. These results help to ensure that the two input representations are maximally disentangled (if not perfectly). Due to page limit, we were not able to integrate these analysis results into the main text.

• “It appears that the latest dataset used is ASVspoof2021, which is quite old. Why not incorporate more recent and advanced deepfake datasets for evaluation?”

We employed four test datasets, out of which both the In-the-wild and MLAAD are newer datasets than ASVspoof2021. The MLAAD was the latest one at the time of writing, of which the latest version was released in April 2024. While the ASVspoof2021 is not the latest dataset, it does have the advantage of covering a variety of attacks, which is summarized in Appendix 2, Table 3 (Page 16). The ASVspoof 2021 dataset also includes different types of lossy codecs with varied bitrates, typically used for media storage, facilitating the evaluation of model robustness to codecs.