Corpus ID: 85502769

Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition

@inproceedings{Qin2019ImperceptibleRA,
  title={Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition},
  author={Yao Qin and Nicholas Carlini and Ian J. Goodfellow and G. Cottrell and Colin Raffel},
  booktitle={ICML},
  year={2019}
}
Adversarial examples are inputs to machine learning models designed by an adversary to cause an incorrect output. So far, adversarial examples have been studied most extensively in the image domain. In this domain, adversarial examples can be constructed by imperceptibly modifying images to cause misclassification, and are practical in the physical world. In contrast, current targeted adversarial examples applied to speech recognition systems have neither of these properties: humans can easily… 
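The attack the abstract alludes to builds on iterative optimization. As a rough illustration (not the paper's exact method, which additionally uses a psychoacoustic masking loss to enforce imperceptibility), the sketch below runs gradient descent on the CTC loss of a target transcription under an l-infinity bound; `model` (a differentiable ASR returning per-frame logits of assumed shape (frames, 1, vocab)) and `target_ids` are hypothetical placeholders.

```python
import torch
import torch.nn.functional as F

def targeted_attack(model, audio, target_ids, eps=0.05, steps=1000, lr=1e-3):
    # Optimize an additive perturbation delta with ||delta||_inf <= eps.
    delta = torch.zeros_like(audio, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=lr)
    target = target_ids.unsqueeze(0)                   # shape (1, T_target)
    target_len = torch.tensor([target.shape[1]])
    for _ in range(steps):
        logits = model(audio + delta)                  # assumed (T_frames, 1, vocab)
        log_probs = F.log_softmax(logits, dim=-1)
        input_len = torch.tensor([log_probs.shape[0]])
        loss = F.ctc_loss(log_probs, target, input_len, target_len)
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)                    # project onto the eps-ball
    return (audio + delta).detach()
```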

Citations

Defending Against Imperceptible Audio Adversarial Examples Using Proportional Additive Gaussian Noise
TLDR
This work presents a robust defense against inaudible or imperceptible audio adversarial examples that mimics the adversarial strategy, adding targeted proportional additive Gaussian noise in order to revert an adversarial example to its original transcription.
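A minimal sketch of the noise-scaling idea this TLDR describes, assuming the noise is scaled by the local signal magnitude with an assumed constant `k` (the paper's exact scheme may differ):

```python
import numpy as np

def proportional_gaussian_noise(audio, k=0.1, rng=np.random.default_rng()):
    # Noise standard deviation scales with the local signal magnitude, so
    # quiet regions (where imperceptible perturbations hide) are disturbed
    # proportionally as much as loud ones.
    noise = rng.normal(0.0, 1.0, size=audio.shape)
    return audio + k * np.abs(audio) * noise
```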
Detecting Audio Adversarial Examples with Logit Noising
TLDR
This paper proposes a novel method to detect audio adversarial examples by adding noise to the logits before feeding them into the decoder of the ASR, and shows that carefully selected noise can significantly impact the transcription results of audio adversarial examples while having minimal impact on the transcription results of benign audio waves.
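As a sketch of the detection idea, assuming a hypothetical `greedy_decode` helper and a noise scale `sigma`: decode the logits twice, once with added noise, and flag the input if the transcripts diverge.

```python
import difflib
import numpy as np

def detect_by_logit_noising(logits, greedy_decode, sigma=0.5, thresh=0.2,
                            rng=np.random.default_rng()):
    # Decode once from the clean logits and once from noised logits; a large
    # transcript change suggests the input was adversarially perturbed.
    clean_text = greedy_decode(logits)
    noisy_text = greedy_decode(logits + rng.normal(0.0, sigma, logits.shape))
    similarity = difflib.SequenceMatcher(None, clean_text, noisy_text).ratio()
    return (1.0 - similarity) > thresh    # True -> likely adversarial
```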
Robust Over-the-Air Adversarial Examples Against Automatic Speech Recognition Systems
TLDR
This paper demonstrates the first generic algorithm that produces adversarial examples which remain robust in an over-the-air attack, such that the ASR system transcribes the target transcription after the audio is actually replayed.
On the Exploitability of Audio Machine Learning Pipelines to Surreptitious Adversarial Examples
TLDR
Surreptitious adversarial examples are introduced, a new class of attacks that evades both human and pipeline controls and is shown to be more surreptitious than previous attacks that aim solely for imperceptibility.
Effective and Inconspicuous Over-the-Air Adversarial Examples with Adaptive Filtering
TLDR
A novel audio-domain adversarial attack is demonstrated that modifies benign audio using adaptive filtering, an interpretable and differentiable parametric transformation, with filter parameters tuned by a simple variant of gradient descent.
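A sketch of the filtering idea under stated assumptions: learn the taps of a short FIR filter applied to the benign audio and tune them by gradient descent; `ctc_target_loss` is an assumed helper wrapping the model and the CTC loss toward the target transcription, as in the earlier sketch.

```python
import torch
import torch.nn.functional as F

def filtering_attack(audio, ctc_target_loss, n_taps=65, steps=500, lr=1e-3):
    # Parameterize the attack as a learnable FIR filter rather than a
    # free-form additive perturbation.
    taps = torch.zeros(n_taps)
    taps[n_taps // 2] = 1.0                    # initialize as an identity filter
    taps.requires_grad_(True)
    opt = torch.optim.Adam([taps], lr=lr)
    x = audio.view(1, 1, -1)                   # (batch, channel, time)
    filtered = x
    for _ in range(steps):
        filtered = F.conv1d(x, taps.view(1, 1, -1), padding=n_taps // 2)
        loss = ctc_target_loss(filtered.view(-1))
        opt.zero_grad()
        loss.backward()
        opt.step()
    return filtered.detach().view(-1)
```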
Imperio: Robust Over-the-Air Adversarial Examples for Automatic Speech Recognition Systems
TLDR
This paper demonstrates the first algorithm that produces generic adversarial examples against hybrid ASR systems, which remain robust in an over-the-air attack that is not adapted to the specific environment and employs the ASR system Kaldi to demonstrate the attack.
Towards Resistant Audio Adversarial Examples
TLDR
This work finds that, due to flaws in the generation process, state-of-the-art adversarial example generation methods overfit to the binning operation in the target speech recognition system (e.g., Mozilla DeepSpeech), and devises an approach to mitigate this flaw, improving the generation of adversarial examples with varying offsets.
WaveGuard: Understanding and Mitigating Audio Adversarial Examples
TLDR
WaveGuard is introduced, a framework for detecting adversarial inputs crafted to attack ASR systems; it is empirically demonstrated that audio transformations which recover audio from perceptually informed representations can lead to a strong defense that is robust against an adaptive adversary, even in a complete white-box setting.
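A sketch of the transform-and-compare principle behind such defenses, using quantize-dequantize as a stand-in transform and an assumed `transcribe` wrapper around the ASR system (WaveGuard itself evaluates several perceptually informed transforms):

```python
import difflib
import numpy as np

def quantize_dequantize(audio, bits=8):
    # A cheap stand-in for a perceptually informed transform.
    levels = 2 ** bits
    return np.round(audio * levels) / levels

def transform_and_compare(audio, transcribe, thresh=0.2):
    # Transcribe before and after the transform; large disagreement flags
    # the input as likely adversarial.
    t1 = transcribe(audio)
    t2 = transcribe(quantize_dequantize(audio))
    dissim = 1.0 - difflib.SequenceMatcher(None, t1, t2).ratio()
    return dissim > thresh
```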
A Unified Framework for Detecting Audio Adversarial Examples
TLDR
A unified detection framework for adaptive audio adversarial examples is proposed, combining noise padding with sound reverberation; it consistently outperforms state-of-the-art audio defense methods, even against adaptive and robust attacks.
Dompteur: Taming Audio Adversarial Examples
TLDR
This paper accepts the presence of adversarial examples against ASR systems but requires them to be perceivable by human listeners: it applies the principles of psychoacoustics to remove semantically irrelevant information from the ASR input and trains a model that resembles human perception more closely.
...

References

SHOWING 1-10 OF 30 REFERENCES
Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding
TLDR
A new type of adversarial examples based on psychoacoustic hiding is introduced, which allows us to embed an arbitrary audio input with a malicious voice command that is then transcribed by the ASR system, with the audio signal remaining barely distinguishable from the original signal.
Robust Audio Adversarial Example for a Physical Attack
TLDR
Evaluation and a listening experiment demonstrated that adversarial examples generated by the proposed method are able to attack a state-of-the-art speech recognition model in the physical world without being noticed by humans, suggesting that audio adversarial examples may become a real threat.
Adversarial examples in the physical world
TLDR
It is found that a large fraction of adversarial examples are classified incorrectly even when perceived through the camera, which shows that even in physical-world scenarios, machine learning systems are vulnerable to adversarial examples.
Adversarial Attacks on Neural Network Policies
TLDR
This work shows existing adversarial example crafting techniques can be used to significantly degrade test-time performance of trained policies, even with small adversarial perturbations that do not interfere with human perception.
Adversarial Black-Box Attacks for Automatic Speech Recognition Systems Using Multi-Objective Genetic Optimization
TLDR
A multi-objective genetic-algorithm-based approach is used to perform both targeted and untargeted black-box attacks on automatic speech recognition (ASR) systems, proposing a generic framework that can be used to attack any ASR system even if its internal workings are hidden.
Audio Adversarial Examples: Targeted Attacks on Speech-to-Text
TLDR
A white-box iterative optimization-based attack on Mozilla's end-to-end DeepSpeech implementation achieves a 100% success rate, and the feasibility of this attack introduces a new domain for the study of adversarial examples.
Towards Deep Learning Models Resistant to Adversarial Attacks
TLDR
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
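The first-order adversary referred to here is projected gradient descent (PGD); a minimal sketch, with `loss_fn` an assumed differentiable loss of the model on the true label (maximized for an untargeted attack):

```python
import torch

def pgd_attack(x, loss_fn, eps=0.031, alpha=0.007, steps=40):
    # Start at a random point in the eps-ball, then take signed-gradient
    # ascent steps, projecting back after each one.
    x_adv = x + torch.empty_like(x).uniform_(-eps, eps)
    for _ in range(steps):
        x_adv = x_adv.detach().requires_grad_(True)
        loss_fn(x_adv).backward()
        with torch.no_grad():
            x_adv = x_adv + alpha * x_adv.grad.sign()
            x_adv = torch.max(torch.min(x_adv, x + eps), x - eps)  # project
    return x_adv.detach()
```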
Targeted Adversarial Examples for Black Box Audio Systems
TLDR
This paper adopts a black-box approach to adversarial generation, combining the approaches of both genetic algorithms and gradient estimation to solve the ASR fooling task.
Synthesizing Robust Adversarial Examples
TLDR
The existence of robust 3D adversarial objects is demonstrated, and the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations is presented, which synthesizes two-dimensional adversarial images that are robust to noise, distortion, and affine transformation.
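The chosen-distribution idea here is Expectation Over Transformations (EOT): average the attack loss over sampled transformations so the example remains adversarial under the whole distribution. A sketch in the audio setting, with a random time-shift and additive noise as assumed stand-ins for over-the-air distortions and `target_loss` an assumed differentiable loss toward the target transcription:

```python
import torch

def eot_attack(audio, target_loss, eps=0.05, steps=500, lr=1e-3, samples=8):
    delta = torch.zeros_like(audio, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        loss = 0.0
        for _ in range(samples):
            x = audio + delta
            shift = int(torch.randint(0, 100, (1,)))   # random time-shift
            x = torch.roll(x, shifts=shift, dims=-1)
            x = x + 0.01 * torch.randn_like(x)         # additive-noise stand-in
            loss = loss + target_loss(x) / samples     # Monte Carlo expectation
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)                    # keep perturbation bounded
    return (audio + delta).detach()
```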
Crafting Adversarial Examples For Speech Paralinguistics Applications
TLDR
This work proposes a novel end-to-end scheme to generate adversarial examples by perturbing directly the raw waveform of an audio recording rather than specific acoustic features, which can lead to a significant performance drop of state-of-the-art deep neural networks.
...