Exploring Targeted Universal Adversarial Perturbations to End-to-end ASR Models

  title={Exploring Targeted Universal Adversarial Perturbations to End-to-end ASR Models},
  author={Zhiyun Lu and Wei Han and Yu Zhang and Liangliang Cao},
Although end-to-end automatic speech recognition (e2e ASR) models are widely deployed in many applications, there have been very few studies to understand models’ robustness against adversarial perturbations. In this paper, we explore whether a targeted universal perturbation vector exists for e2e ASR models. Our goal is to find perturbations that can mislead the models to predict the given targeted transcript such as “thank you” or empty string on any input utterance. We study two different… 
1 Citations

Figures and Tables from this paper

Real-Time Neural Voice Camouflage
This work proposes a method to camouflage a person’s voice over-the-air from these systems without inconveniencing the conversation between people in the room, and demonstrates the approach is practically effective in realistic environments over physical distances.


Universal Adversarial Audio Perturbations
It is demonstrated the existence of universal adversarial perturbations, which can fool a family of audio classification architectures, for both targeted and untargeted attack scenarios, and a proof that the proposed penalty method theoretically converges to a solution that corresponds to universal adversaries.
Universal adversarial examples in speech command classification
Evidence is provided that universal attacks can be generated for speech command classification tasks, which are able to generalize across different models to a significant extent and a novel analytical framework is proposed for the evaluation of universal perturbations under different levels of universality.
Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition
This paper develops effectively imperceptible audio adversarial examples by leveraging the psychoacoustic principle of auditory masking, while retaining 100% targeted success rate on arbitrary full-sentence targets and makes progress towards physical-world over-the-air audio adversaria examples by constructing perturbations which remain effective even after applying realistic simulated environmental distortions.
Generating Natural Language Adversarial Examples
A black-box population-based optimization algorithm is used to generate semantically and syntactically similar adversarial examples that fool well-trained sentiment analysis and textual entailment models with success rates of 97% and 70%, respectively.
Universal Adversarial Perturbations for Speech Recognition Systems
This work proposes an algorithm to find a single quasi-imperceptible perturbation, which when added to any arbitrary speech signal, will most likely fool the victim speech recognition model.
Real-Time, Universal, and Robust Adversarial Attacks Against Speaker Recognition Systems
The first real-time, universal, and robust adversarial attack against the state-of-the-art deep neural network (DNN) based speaker recognition system is proposed, adding an audio-agnostic universal perturbation on arbitrary enrolled speaker’s voice input to identify the speaker as any target (i.e., adversary-desired) speaker label.
Did you hear that? Adversarial Examples Against Automatic Speech Recognition
A first of its kind demonstration of adversarial attacks against speech classification model by adding small background noise without having to know the underlying model parameter and architecture is presented.
Towards Evaluating the Robustness of Neural Networks
It is demonstrated that defensive distillation does not significantly increase the robustness of neural networks, and three new attack algorithms are introduced that are successful on both distilled and undistilled neural networks with 100% probability are introduced.
Houdini: Fooling Deep Structured Prediction Models
This work introduces a novel flexible approach named Houdini for generating adversarial examples specifically tailored for the final performance measure of the task considered, be it combinatorial and non-decomposable.
Audio Adversarial Examples: Targeted Attacks on Speech-to-Text
A white-box iterative optimization-based attack to Mozilla's implementation DeepSpeech end-to-end has a 100% success rate, and the feasibility of this attack introduce a new domain to study adversarial examples.