Backdoor Attack Against Speaker Verification

Zhai, Tongqing; Li, Yiming; Zhang, Ziqi; Jiang, Yong; Xia, Shu-Tao

doi:10.1109/icassp39728.2021.9413468

Cited by 74 publications

(32 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Beyond computer vision tasks (e.g., image classification, face recognition, etc. ), backdoor attacks have also been successfully applied to other domains, including natural language processing (NLP) [470,1016], reinforcement learning [1017], and speech recognition [1018]. For example, in NLP, a backdoor trigger can be realized by modifying a particular character, word, or sentence in the training dataset [470], such that the model behaves as the adversary specifies whenever the trigger appears, similar to BadNets.…”

Section: Backdoor Attacksmentioning

confidence: 99%

A Roadmap for Big Model

Yuan¹,

Zhao²,

Jiahong³

et al. 2022

Preprint

View full text Add to dashboard Cite

domains indexed by Google News. It contains 31 million documents with an average length of 793 BPE tokens. Like C4, it excludes examples with duplicate URLs. News dumps from December 2016 through March 2019 were used as training data, articles published in April 2019 from the April 2019 dump were used for evaluation. OpenWebText2(OWT2). OWT2 is an enhanced version of the original OpenWebTextCorpus, including content from multiple languages, document metadata, multiple dataset versions, and open source replication code, covering all Reddit submissions from 2005 up until April 2020. PubMed Central(PMC). PMC is a free full-text archive of biomedical and life sciences journal literature from the U.S. National Institutes of Health's National Library of Medicine (NIH/NLM). The dataset is updated daily. In addition to full-text articles, they contain corrections, retractions, and expressions of concern, as well as file lists that include metadata for articles in each dataset.PMC obtained by open registration in Amazon Web Services (AWS) includes The PMC Open Access Subset and The Author Manuscript Dataset. The PMC Open Access Subset includes all articles and preprints in PMC with a machine-readable Creative Commons license that allows reuse. The Author Manuscript Dataset includes accepted author manuscripts collected under a funder policy in PMC and made available in machine-readable formats for text mining. ArXiv. ArXiv is a repository of 1.7 million articles, with relevant features such as article titles, authors, categories, abstracts, full text PDFs, and more. It provides open access to academic articles, covering many subdisciplines from vast branches of physics to computer science to everything in between, including math, statistics, electrical engineering, quantitative biology, and economics, which is helpful to the potential downstream applications of the research field. In addition, the writing language of LaTeX also contributes to the study of language models. Colossal Clean Crawled Corpus(C4). C4 is a colossal, cleaned version of Common Crawl's web crawl corpus. It is based on Common Crawl dataset and was used to train the T5 text-to-text Transformer models. The cleaned English version of C4 has 364,868,901 training examples and 364,608 validation examples, while the uncleaned English version has 1,063,805,324 training examples and 1,065,029 validation examples; the realnewslike version has 13,799,838 training examples and 13,863 validation examples, while the webtextlike version has 4,500,788 training examples and 4,493 validation examples. Wiki-40B. Wikipedia (Wiki-40B) is a clean-up text collection containing more than 40 Wikipedia language editions of pages corresponding to entities. The dataset is split into train/validation/test sets for each language. The training set has 2,926,536 examples, the validation set has 163,597 examples, and the test set has 162,274 examples. Wiki-40B is cleaned by a page filter to remove ambiguous, redirected, deleted, and non-physical pages. CLUECorpus2020. CLUECorpus2020 ...

show abstract

Section: Backdoor Attacksmentioning

confidence: 99%

A Roadmap for Big Model

Yuan¹,

Zhao²,

Jiahong³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Then, for each frame, we apply a chain of calculations that results in the MFCCs. Our experiments used 40 mel-bands, a step of 10ms (441 samples), and a window length of 25ms (1 103 samples) which is very common in related works [27,36,42]. The shape of the input tensor is 100×40 (⌈…”

Section: Transforming the Featuresmentioning

confidence: 99%

“…As one of the powerful adversarial attacks in neural networks [30], backdoor attacks have been implemented in many domains, e.g., image classification models [7], text classification models [8], and graph domain [38,39]. Several studies showed that ASR is also vulnerable to backdoor attacks [23,40,42].…”

Section: Introductionmentioning

confidence: 99%

“…Considering poisoning attacks, Liu et al proposed a backdoor attack in a speech recognition system by injecting background noise to the original audio source and retraining the model to recognize the stamped audio as a specific word [23]. Zhai et al explored how to conduct a backdoor attack against speaker verification methods, which applies a clustering-based attack scheme where poisoned samples from different clusters will contain different triggers [42]. Xu et al backdoored the ASR system by generating a random sequence of data points for the trigger [40].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Can You Hear It? Backdoor Attacks via Ultrasonic Triggers

Koffas¹,

Xu²,

Conti³

et al. 2021

Preprint

View full text Add to dashboard Cite

Deep neural networks represent a powerful option for many realworld applications due to their ability to model even complex data relations. However, such neural networks can also be prohibitively expensive to train, making it common to either outsource the training process to third parties or use pretrained neural networks. Unfortunately, such practices make neural networks vulnerable to various attacks, where one attack is the backdoor attack. In such an attack, the third party training the model may maliciously inject hidden behaviors into the model. Still, if a particular input (called trigger) is fed into a neural network, the network will respond with a wrong result.In this work, we explore the option of backdoor attacks to automatic speech recognition systems where we inject inaudible triggers. By doing so, we make the backdoor attack challenging to detect for legitimate users, and thus, potentially more dangerous. We conduct experiments on two versions of datasets and three neural networks and explore the performance of our attack concerning the duration, position, and type of the trigger. Our results indicate that less than 1% of poisoned data is sufficient to deploy a backdoor attack and reach a 100% attack success rate. What is more, while the trigger is inaudible, making it without limitations with respect to the duration of the signal, we observed that even short, non-continuous triggers result in highly successful attacks. CCS CONCEPTS• Security and privacy → Systems security; • Computing methodologies → Speech recognition; Neural networks.

show abstract

“…Thanks to previous efforts [2][3][4][5], ASV is now a well-developed technology for biometric identification and widely adopted in a variety of security-critic applications, such as banking and access control. But, ASV models with high performance are vulnerable to spoofing audios [6] generated by audio replay, text-to-speech and voice conversion, back-door attacks [7], and related emerged adversarial attacks [8,9]. In this paper, we mainly focus on tackling the adversarial attacks.…”

Section: Introductionmentioning

confidence: 99%

Voting for the Right Answer: Adversarial Defense for Speaker Verification

Zhang²,

et al. 2021

Interspeech 2021

View full text Add to dashboard Cite

Automatic speaker verification (ASV) is a well developed technology for biometric identification, and has been ubiquitous implemented in security-critic applications, such as banking and access control. However, previous works have shown that ASV is under the radar of adversarial attacks, which are very similar to their original counterparts from human's perception, yet will manipulate the ASV render wrong prediction. Due to the very late emergence of adversarial attacks for ASV, effective countermeasures against them are limited. Given that the security of ASV is of high priority, in this work, we propose the idea of "voting for the right answer" to prevent risky decisions of ASV in blind spot areas, by employing random sampling and voting. Experimental results show that our proposed method improves the robustness against both the limited-knowledge attackers by pulling the adversarial samples out of the blind spots, and the perfect-knowledge attackers by introducing randomness and increasing the attackers' budgets. The code for reproducing main results is available at https://github.com/thuhcsi/adsv voting.

show abstract

Backdoor Attack Against Speaker Verification

Cited by 74 publications

References 18 publications

A Roadmap for Big Model

A Roadmap for Big Model

Can You Hear It? Backdoor Attacks via Ultrasonic Triggers

Voting for the Right Answer: Adversarial Defense for Speaker Verification

Contact Info

Product

Resources

About