Baolin Zheng scite author profile

Adversarial attacks against commercial black-box speech platforms, including cloud speech APIs and voice control devices, have received little attention until recent years. Constructing such attacks is difficult mainly due to the unique characteristics of time-domain speech signals and the much more complex architecture of acoustic systems. The current "black-box" attacks all heavily rely on the knowledge of prediction/confidence scores or other probability information to craft effective adversarial examples (AEs), which can be intuitively defended by service providers without returning these messages. In this paper, we take one more step forward and propose two novel adversarial attacks in more practical and rigorous scenarios. For commercial cloud speech APIs, we propose Occam, a decision-only black-box adversarial attack, where only final decisions are available to the adversary. In Occam, we formulate the decision-only AE generation as a discontinuous large-scale global optimization problem, and solve it by adaptively decomposing this complicated problem into a set of sub-problems and cooperatively optimizing each one. Our Occam is a one-size-fits-all approach, which achieves 100% success rates of attacks (SRoA) with an average SNR of 14.23dB, on a wide range of popular speech and speaker recognition APIs, including Google, Alibaba, Microsoft, Tencent, iFlytek, and Jingdong, outperforming the state-of-the-art black-box attacks. For commercial voice control devices, we propose NI-Occam, the first non-interactive physical adversarial attack, where the adversary does not need to query the oracle and has no access to its internal information and training data. We, for the first time, combine adversarial attacks with model inversion attacks, and thus generate the physically-effective audio AEs with high transferability without any interaction with target devices. Our experimental results show that NI-Occam can successfully fool Apple Siri, Microsoft Cortana, Google Assistant, iFlytek and Amazon Echo with an average SRoA of 52% and SNR of 9.65dB, shedding light on non-interactive physical attacks against voice control devices.

show abstract

Deep Learning on Mobile and Embedded Devices

Chen

Zheng

Zhang

et al. 2020

ACM Comput. Surv.

View full text Add to dashboard Cite

Recent years have witnessed an exponential increase in the use of mobile and embedded devices. With the great success of deep learning in many fields, there is an emerging trend to deploy deep learning on mobile and embedded devices to better meet the requirement of real-time applications and user privacy protection. However, the limited resources of mobile and embedded devices make it challenging to fulfill the intensive computation and storage demand of deep learning models. In this survey, we conduct a comprehensive review on the related issues for deep learning on mobile and embedded devices. We start with a brief introduction of deep learning and discuss major challenges of implementing deep learning models on mobile and embedded devices. We then conduct an in-depth survey on important compression and acceleration techniques that help adapt deep learning models to mobile and embedded devices, which we specifically classify as pruning, quantization, model distillation, network design strategies, and low-rank factorization. We elaborate on the hardware-based solutions, including mobile GPU, FPGA, and ASIC, and describe software frameworks for mobile deep learning models, especially the development of frameworks based on OpenCL and RenderScript. After that, we present the application of mobile deep learning in a variety of areas, such as navigation, health, speech recognition, and information security. Finally, we discuss some future directions for deep learning on mobile and embedded devices to inspire further research in this area.

show abstract

Towards Query-Efficient Adversarial Attacks Against Automatic Speech Recognition Systems

Wang

Zheng

et al. 2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Development and application of watershed-scale indicator to quantify non-point source P losses in semi-humid and semi-arid watershed, China

et al. 2016

Ecological Indicators

View full text Add to dashboard Cite

a b s t r a c tQuantifying non-point source (NPS) phosphorus (P) pollution loads is essential for watershed nutrients management. This study intended to develop a NPS P indicator which (1) was suitable in semi-humid and semi-arid watersheds of Northern China; (2) integrated the key NPS P loss factors and constructed them in a simple and physically understandable way and (3) kept P loss forms distinctively separate. An inverse distance-based delivery ratio was proposed to count for the P delivery efficiency from source to watercourses. We applied this P indicator in Luan River Watershed (LRW) of northern China under typical hydrological years and seasons. Results demonstrated that this NPS P indicator predicted reasonable NPS TP loads using simple methods and readily obtainable inputs. The sub-watersheds located in the south of LRW were recognized as the high risk areas of NPS P loss to Panjiakou reservoir. The upland and paddy fields near the river channels were particularly posing high risk and thus should be treated with prioritized management practices such as soil conservation and recommended fertilization. Rainfallrunoff related variables rather than P source variables explained more of the spatial variation in NPS P load and percentages. Using this tool could give policy makers insight into the component and location of NPS P pollution that needs to be the focus of policy at watershed scales before sophisticated studies were conducted in smaller scales.

show abstract

Anti-Distillation Backdoor Attacks: Backdoors Can Really Survive in Knowledge Distillation

Wang

Zheng

et al. 2021

View full text Add to dashboard Cite

Motivated by resource-limited scenarios, knowledge distillation (KD) has received growing attention, effectively and quickly producing lightweight yet high-performance student models by transferring the dark knowledge from large teacher models. However, many pre-trained teacher models are downloaded from public platforms that lack necessary vetting, posing a possible threat to knowledge distillation tasks. Unfortunately, thus far, there has been little research to consider the backdoor attack from the teacher model into student models in KD, which may pose a severe threat to its wide use. In this paper, we, for the first time, propose a novel Anti-Distillation Backdoor Attack (ADBA), in which the backdoor embedded in the public teacher model can survive the knowledge distillation process and thus be transferred to secret distilled student models. We first introduce a shadow to imitate the distillation process and adopt an optimizable trigger to transfer information to help craft the desired teacher model. Our attack is powerful and effective, which achieves 95.92%, 94.79%, and 90.19% average success rates of attacks (SRoAs) against several different structure student models on MNIST, CIFAR-10, and GTSRB, respectively. Our

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Baolin Zheng

Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information

Deep Learning on Mobile and Embedded Devices

Towards Query-Efficient Adversarial Attacks Against Automatic Speech Recognition Systems

Development and application of watershed-scale indicator to quantify non-point source P losses in semi-humid and semi-arid watershed, China

Anti-Distillation Backdoor Attacks: Backdoors Can Really Survive in Knowledge Distillation

Contact Info

Product

Resources

About