Robustness of Adversarial Attacks in Sound Event Classification

@inproceedings{Subramanian2019RobustnessOA,
  title={Robustness of Adversarial Attacks in Sound Event Classification},
  author={Subramanian and Emmanouil Benetos and Mark Sandler},
  booktitle={DCASE},
  year={2019}
}
An adversarial attack is a method to generate perturbations to the input of a machine learning model in order to make the output of the model incorrect. The perturbed inputs are known as adversarial examples. In this paper, we investigate the robustness of adversarial examples to simple input transformations such as mp3 compression, resampling, white noise and reverb in the task of sound event classification. By performing this analysis, we aim to provide insights on strengths and weaknesses in… 

A Study on the Transferability of Adversarial Attacks in Sound Event Classification
TLDR
This work demonstrates differences in transferability properties from those observed in computer vision and shows that dataset normalization techniques such as z-score normalization do not affect the transferability of adversarial attacks, and that techniques such as knowledge distillation do not increase the transferability of attacks.
Adversarial Defense for Automatic Speaker Verification by Self-Supervised Learning
TLDR
This work is among the first to perform adversarial defense for ASV without knowing the specific attack algorithms, and formalizes evaluation metrics for adversarial defense that take both purification-based and detection-based approaches into account.
Identifying Audio Adversarial Examples via Anomalous Pattern Detection
TLDR
This work shows that 2 of the recent and current state-of-the-art adversarial attacks on audio processing systems systematically lead to higher-than-expected activation at some subset of nodes and can detect these with up to an AUC of 0.98 with no degradation in performance on benign samples.
Transferability of Adversarial Attacks on Synthetic Speech Detection
TLDR
A comprehensive benchmark to evaluate the transferability of adversarial attacks on the synthetic speech detection task is established, and the weaknesses of synthetic speech detectors and the transferable behaviours of adversarial attacks are summarised to provide insights for future research.
Generation of Black-box Audio Adversarial Examples Based on Gradient Approximation and Autoencoders
TLDR
A real-time attack framework that utilizes the neural network trained by the gradient approximation method to generate adversarial examples on Keyword Spotting (KWS) systems that can easily fool a black-box KWS system to output incorrect results with only one inference.
End-to-End Adversarial White Box Attacks on Music Instrument Classification
TLDR
This work presents the very first end-to-end adversarial attacks on a music instrument classification system, allowing perturbations to be added directly to audio waveforms instead of spectrograms.
Voting for the right answer: Adversarial defense for speaker verification
TLDR
This work proposes the idea of "voting for the right answer" to prevent risky decisions of ASV in blind-spot areas by employing random sampling and voting, and shows that the proposed method improves the robustness against both limited-knowledge attackers and perfect-knowledge attackers.
SoK: A Modularized Approach to Study the Security of Automatic Speech Recognition Systems
TLDR
This article presents the systematization of knowledge for ASR security and provides a comprehensive taxonomy for existing work based on a modularized workflow, and shows that transfer attacks across ASR models are feasible, even in the absence of knowledge about models and training data.
Improving the Adversarial Robustness for Speaker Verification by Self-Supervised Learning
TLDR
Since there is no common metric for evaluating ASV performance under adversarial attacks, this work formalizes evaluation metrics for adversarial defense that take both purification-based and detection-based approaches into account, and encourages future work to benchmark approaches against the proposed evaluation framework.
References

SHOWING 1-10 OF 27 REFERENCES
Robust Audio Adversarial Example for a Physical Attack
TLDR
Evaluation and a listening experiment demonstrated that adversarial examples generated by the proposed method are able to attack a state-of-the-art speech recognition model in the physical world without being noticed by humans, suggesting that audio adversarial example may become a real threat.
Characterizing Audio Adversarial Examples Using Temporal Dependency
TLDR
The results reveal the importance of using the temporal dependency in audio data to gain discriminative power against adversarial examples, and offer novel insights into exploiting domain-specific data properties to mitigate the negative effects of adversarial examples.
Robust Physical-World Attacks on Machine Learning Models
TLDR
This paper proposes a new attack algorithm, Robust Physical Perturbations (RP2), that generates perturbations by taking images under different conditions into account, and can create spatially-constrained perturbations that mimic vandalism or art to reduce the likelihood of detection by a casual observer.
Adversarial examples in the physical world
TLDR
It is found that a large fraction of adversarial examples are classified incorrectly even when perceived through a camera, which shows that even in physical-world scenarios, machine learning systems are vulnerable to adversarial examples.
Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition
TLDR
This paper develops effectively imperceptible audio adversarial examples by leveraging the psychoacoustic principle of auditory masking, while retaining a 100% targeted success rate on arbitrary full-sentence targets, and makes progress towards physical-world over-the-air audio adversarial examples by constructing perturbations which remain effective even after applying realistic simulated environmental distortions.
Isolated and Ensemble Audio Preprocessing Methods for Detecting Adversarial Examples against Automatic Speech Recognition
TLDR
One particular combined defense incorporating compressions, speech coding, filtering, and audio panning was shown to be quite effective against the attack on the Speech Commands Model, detecting audio adversarial examples with 93.5% precision and 91.2% recall.
Towards Evaluating the Robustness of Neural Networks
TLDR
It is demonstrated that defensive distillation does not significantly increase the robustness of neural networks, and three new attack algorithms are introduced that succeed against both distilled and undistilled neural networks with 100% probability.
Mitigating adversarial effects through randomization
TLDR
This paper proposes to utilize randomization at inference time to mitigate adversarial effects, and uses two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input image in a random manner.
Synthesizing Robust Adversarial Examples
TLDR
The existence of robust 3D adversarial objects is demonstrated, and the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations is presented, which synthesizes two-dimensional adversarial images that are robust to noise, distortion, and affine transformation.
Countering Adversarial Images using Input Transformations
TLDR
This paper investigates strategies that defend against adversarial-example attacks on image-classification systems by transforming the inputs before feeding them to the system, and shows that total variance minimization and image quilting are very effective defenses in practice, when the network is trained on transformed images.