Over the past few years, voice biometric technologies have reached impressive performance, which can be confirmed by the results of the NIST Speaker Recognition Evaluation (SRE) Challenges . Automatic Speaker Verification (ASV) systems are already used in security systems of socially significant institutions, in immigration control, forensic laboratories and for identity verification in Internet banking, and other electronic commerce systems.
Alongside the increasing performance and increasing confidence in speaker recognition methods, the privacy level of the information with the necessity to protect it also increases. This leads to higher requirements for the reliability of the biometric systems including their robustness against malicious attacks. Active fraudster attempts to falsify voice characteristics in order to gain unauthorised access referred to as spoofing attacks or presentation attacks (ISO/IEC 30107-1) are the biggest threat for voice biometric systems. The widespread use of ASV systems and new approaches in machine learning has forced the significant quality improvement of these attacks. Many studies show that despite the high performance of the state-of-the-art ASV systems they are still vulnerable and the need in reliable spoofing detection methods for ASV systems is apparent.
Automatic Speaker Verification Spoofing and Countermeasures initiative (ASVspoof) has attracted the high interest of the research community to the task of unforeseen spoofing trials detection. It has significantly pushed forward the development of spoofing detection methods by organizing ASVspoof Challenges in 2015 and 2017, that were aimed to develop countermeasures to detect speech synthesis with voice conversion attacks and replay attacks, respectively.
In 2019, the competition was held for the third time and was the extended version of the previous ones . The task was to design the generalised countermeasures in 2 evaluation conditions: logical access use-case scenario with speech synthesis and voice conversion attack types and physical access use-case scenario with replay attacks.
For both scenarios, we proposed several systems based on the enhanced Light CNN architecture, considered by the authors for replay attacks detection in  and outperformed other proposed systems during ASVspoof2017 challenge. The proposed systems are based on different types of acoustic features.
This paper explores angular margin based softmax and batch normalization techniques for anti-spoofing systems quality improvements.
Section 2 describes the proposed modifications of the original LCNN-system for spoofing detection from  in details. Section 3.3 contains the overview of all proposed single and submitted systems, while in section LABEL:sec:res the results obtained for these systems on the development and evaluation parts are presented and analysed.
It is worth mentioning that according to the evaluation plan all data used for training and evaluation was modelled using acoustic replay simulation. On the one hand, this helps to carefully control acoustic and replay configurations, but on the other hand, results raise some doubts about the usability of the considered systems for real-case scenarios. According to our experiments performed for spoofing attacks in real and emulated telephone channel  systems trained for emulated conditions cannot detect spoofing attacks in real cases.
2 LCNN system modifications
All of the proposed systems for both scenarios were based on the enhanced Light CNN architecture previously used for replay attack detection . The specific characteristic of Light CNN architecture 
is the usage of the Max-Feature-Map activation (MFM) which is based on Max-Out activation function[goodfellow2013maxout]
. Neural network with MFM is capable to choosing features which are essential for task solving. According to impressive results obtained by the authors in for replay attacks, such type of networks can be successfully implemented for anti-spoofing.
We explored several types of acoustic features as input for LCNN, all of them were used in a raw format.
Our experience in spoofing detection confirms that power spectrum contains useful information related to the speech signal and artifacts specific to different spoofing attacks and can be used as informative time-frequency representation for spoofing detection task. We used raw log power magnitude spectrum computed from the signal as features. For this purpose, the spectrum was extracted via:
Additionally, we considered cepstral coefficients from baseline systems, proposed by the organisers of the ASVspoof2019: Linear Frequency Cepstral Coefficients (LFCC)  obtained by the use of triangular filters in linear space for local integration of the power spectrum and Constant Q Cepstral Coefficients based on the geometrically spaced filters  .We explored efficiency of using simple enegry based Speech Activity Detector (SAD) for solving spoofing detection task for both PA and LA attack types.
2.2 LCNN classifier
In contrast to our LCNN system presented in 
for replay attacks detection, the proposed systems are used not as high-level features extractor, followed by GMM scoring model. Instead of that LCNN was used here for final score estimation based on the low-level acoustic features.
Additional steps of batch normalization were also used after MaxPooling layers to increase stability and convergence speed during the training process. The detailed architecture is described in Table 1.
Filter / Stride
2.3 Angular margin based softmax activation
The key difference of the novel LCNN system is angular margin based softmax loss (A-softmax) used for training the described architecture. A-softmax was introduced in 
and demonstrated an elegant way to obtain well-regularized loss function by forcing learned features to be discriminative on a hypersphere manifold. Thus angular margin softmax loss can be described as:
where is the number of training samples and their labels , is the angle between and the corresponding column of the fully connected classification layer weights , and is an integer that controls the size of an angular margin between classes.
This approach has already used in 
for high-level speaker embedding extractor. The learned features are constrained to a unit hypersphere. Such regularization technique also addresses the problem of overfitting by separating classes in cosine similarity metric.
We use A-softmax as an effective discriminative objective for training our model.
LCNN weights were initialized using normal Kaiming initialization. And dropout 0.75 was used to reduce overfitting.
3 Experimental setup
All experiments presented further were conducted on ASVspoof 2019 datasets. The detailed description of these datasets can be found in . To train all the systems we used only the train part. The dev part was used for performance validation and weights adjustment for system fusion. The evaluation part includes a set of unseen genuine verification trials and spoofing attacks, generated with unknown spoofing algorithms and replay configurations which differ from those in the train and development parts.
3.2 Details of systems implementation
We prepared several single systems for each scenario, based on the features described above and LCNN architecture from 1. For logical access scenario we used the following configurations:
LFCC-LCNN: LFCC were extracted similar to baseline system with 20 ms window length, 512 number of FFT bins and 20 filters.
: This system is similar to previous one. The only difference is that LFCC features were normalized by mean and variance.
CQT-LCNN: CQT spectrum was extracted with the use of the default settings from baseline CQCC based system: 96 bins per octave, 1724 window size and 0.0081 step.
FFT-LCNN: FFT spectrum was extracted with 1724 window length and step 0.0081, the Blackman window function was used.
For physical access scenario we used the following configurations:
LFCC-LCNN: similar to LFCC-LCNN for LA scenario
CQT-LCNN: similar to CQT-LCNN for LA scenario
DCT-LCNN: For DCT spectrum the 863 window length and 0.0081 step were used.
Only the first 600 features for each file were used as LCNN input in all single systems. No additionally preprocessing techniques such as speech activity detection or dereverberation was explored in these systems.
3.3 Submission systems
The primary systems submitted to the challenge were the fusion of the single systems on the score level. Fusion of the subsystems scores was done with equal weights. Before fusion scores were normalized by the standard deviation of the genuine class distribution for each single system. The reason for that was the Gaussian distribution of genuine scores in contrast to spoofing scores, (see Figure1 for LA and PA systems scores distributions).
4 Results and Discussion
The results for our single and fusion systems are presented in terms of Equal Error Rate (EER) and minimum tandem detection cost function (min-tDCF) used as the primary metric in the Challenge.
Results obtained on the development and evaluation sets of the ASVspoof2019 dataset confirm the efficiency of deep learning approaches for the ASV spoofing detection tasks considered in the ASVSpoof2019.
Results of the preliminary investigations of the baseline systems , presented in Table 2, demonstrate that the use of SAD leads to the quality reduction in terms of EER and min-tDCF for LFCC and CQCC based systems in both LA and PA scenarios. The possible reason for this is that nonspeech and boundary regions contain discriminative features and distortions specific to various types of spoofing or genuine speech in the opposite. For example, constant energy values in concrete frequency regions, specific to some microphones or recording systems. For this reason, we decided to exclude SAD from the systems we used in the Challenge.
Curious, that cepstral mean and variance (cmvn) features normalisation didn’t provide an expected quality improvement on the development set (See Table 2). This behaviour differs from the earlier experiments on ASVspoof2015  and ASVspoof2017  datasets, that did not contain artificially produced data. . Taking into account our experience in spoofing detection in unforeseen conditions we assume that cmvn can increase the robustness of our systems against unknown attacks from the evaluation set. However, according to results, of our single systems on the development and evaluation systems in Table 3, we see the opposite. Such results reinforce our concerns about modelled data and real case mismatch.
Experiment results for deep learning based systems, proposed in the current paper, prove that implementation of angular margin based softmax loss as classifier layer for spoofing detection system training allows to improve system quality and stabilize training process (see Figure 2) for both LA and PA scenarios.
Experiments, conducted on the development part of ASVspoof2019 corpora, confirm that batch normalization and angular margin based softmax activation improve the performance of the original LCNN system for different types of low-level acoustic features in both scenarios (Figure 2).
Table 3 and Table 4 present the performance of all single systems proposed for LA and PA respectively. High performance obtained for the unknown types of spoofing attacks performed on the evaluation part of ASVspoof2019 corpora demonstrates the stability of the offered approach in both evaluation conditions.
Detailed analysis of our LA final system quality for different types of logical attacks, that are presented in Figure 4 demonstrates that it degrades in case of some unknown types of spoofing attacks (A10-A15, A17-A18) . The most difficult spoofing attack to detect for our system was A17 (voice conversion with waveform filtering) task for our system.
Figure 3 illustrates the analysis of PA detection performance depended on the replay attack configuration: replay device quality, distances to the talker and to ASV system and reverberation characteristics. It can be concluded that replay attack detection performance depends on the replay attacks quality. The most high-quality attacks replay sessions recorded at a small distance to talker with the use of high-quality loudspeaker.
This paper describes STC systems submitted to the ASVspoof2019 Challenge for LA and PA evaluation conditions. The main difference from the previous ASVspoof challenges is that all data used for training and evaluation was modelled using acoustic replay simulation. In our opinion, this deals with some restrictions from the practical point of view. According to the results obtained on the evaluation part of ASVspoof2019 corpora, the proposed LCNN based systems perform well in both PA and LA cases. Submitted systems achieved EER of 1.86% in LA scenario and 0.54% in PA scenario for unknown types of attacks.
-  NIST speaker recognition evaluation 2018. [Online]. Available: https://www.nist.gov/itl/iad/mig/nist-2018-speaker-recognition-evaluation
ASVspoof 2019: Automatic speaker verification spoofing and countermeasures
challenge evaluation plan. [Online]. Available:
-  G. Lavrentyeva, S. Novoselov, E. Malykh, A. Kozlov, O. Kudashev, and V. Shchemelinin, “Audio replay attack detection with deep learning frameworks,” in Proc. Interspeech 2017, 2017, pp. 82–86. [Online]. Available: http://dx.doi.org/10.21437/Interspeech.2017-360
-  G. Lavrentyeva, S. Novoselov, M. Volkova, Y. Matveev, and M. De Marsico, “Phonespoof: A new dataset for spoofing attack detection in telephone channel,” in Proc. ICASSP 2018 (to be published), 2018.
-  X. Wu, R. He, and Z. Sun, “A lightened CNN for deep face representation,” CoRR, vol. abs/1511.02683, 2015. [Online]. Available: http://arxiv.org/abs/1511.02683
-  M. Todisco, H. Delgado, and N. W. D. Evans, “A new feature for automatic speaker verification anti-spoofing: Constant q cepstral coefficients,” in Odyssey, 2016.
-  M. Sahidullah, T. Kinnunen, and C. Hanilçi, “A comparison of features for synthetic speech detection,” 09 2015.
W. Liu, Y. Wen, Z. Yu, M. Li, B. Raj, and L. Song, “Sphereface: Deep hypersphere embedding for face recognition,” in
-  S. Novoselov, A. Shulipa, I. Kremnev, A. Kozlov, and V. Shchemelinin, “On deep speaker embeddings for text-independent speaker recognition,” 06 2018, pp. 378–385.
-  Z. Wu, T. Kinnunen, N. W. D. Evans, J. Yamagishi, C. Hanilçi, M. Sahidullah, and A. Sizov, “Asvspoof 2015: the first automatic speaker verification spoofing and countermeasures challenge,” in INTERSPEECH, 2015.
-  T. Kinnunen, M. Sahidullah, H. Delgado, M. Todisco, N. W. D. Evans, J. Yamagishi, and K.-A. Lee, “The asvspoof 2017 challenge: Assessing the limits of replay spoofing attack detection,” in INTERSPEECH, 2017.
-  H. Delgado, M. Todisco, M. Sahidullah, N. W. D. Evans, T. Kinnunen, K. A. Lee, and J. Yamagishi, “Asvspoof 2017 version 2.0: meta-data analysis and baseline enhancements,” 2018.