Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information

Zheng, Baolin; Jiang, Peipei; Wang, Qian; Li, Qi; Shen, Chao; Ge, Yunjie; Teng, Qingyang; Zhang, Shenyi

doi:10.1145/3460120.3485383

Cited by 55 publications

(39 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Securing commercial SRSs. We did not directly target commercial SRSs, although they are also vulnerable to black-box attacks [15], [73]. The reason is that it is more important to consider the most powerful adversaries when evaluating defenses, while the adversaries are not able to mount white-box attacks without having access to the internal structures of commercial SRSs.…”

Section: Discussion Of Limitationsmentioning

confidence: 99%

“…FAKEBOB [15], SirenAttack [16], Kenansville [21], and Occam [73] are four black-box adversarial attacks targeting SRSs, where FAKEBOB, SirenAttack, and Occam are optimization-based attacks, and Kenansville is a signal processing-based attack. All of them, except for Occam which is not publicly available and non-trivial to reproduce, have been used to evaluate defenses in this work.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

Chen¹,

Zhao²,

Fu³

et al. 2022

Preprint

View full text Add to dashboard Cite

Speaker recognition systems (SRSs) have recently been shown to be vulnerable to adversarial attacks, raising significant security concerns. In this work, we systematically investigate transformation and adversarial training based defenses for securing SRSs. According to the characteristic of SRSs, we present 22 diverse transformations and thoroughly evaluate them using 7 recent promising adversarial attacks (4 white-box and 3 black-box) on speaker recognition. With careful regard for best practices in defense evaluations, we analyze the strength of transformations to withstand adaptive attacks. We also evaluate and understand their effectiveness against adaptive attacks when combined with adversarial training. Our study provides lots of useful insights and findings, many of them are new or inconsistent with the conclusions in the image and speech recognition domains, e.g., variable and constant bit rate speech compressions have different performance, and some non-differentiable transformations remain effective against current promising evasion techniques which often work well in the image domain. We demonstrate that the proposed novel feature-level transformation combined with adversarial training is rather effective compared to the sole adversarial training in a complete white-box setting, e.g., increasing the accuracy by 13.62% and attack cost by two orders of magnitude, while other transformations do not necessarily improve the overall defense capability. This work sheds further light on the research directions in this field. We also release our evaluation platform SPEAKERGUARD to foster further research.

show abstract

Section: Discussion Of Limitationsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

Chen¹,

Zhao²,

Fu³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…It was also the first SAP attack method to demonstrate effectiveness in the physical world. Chen et al (2020) proposed a method called Devil's Whisper, a black-box transfer attack on multiple commercial APIs and Intelligent Voice Control (IVC) devices, using substitute models. Other black-box attack methods, such as gradient estimation (Taori et al 2019), genetic algorithms (Alzantot et al 2018;Khare et al 2018;Du et al 2020), have also achieved high attack success rates.…”

Section: Specific Adversarial Perturbationmentioning

confidence: 99%

“…We refer to this perturbation as a specific adversarial perturbation (SAP). Currently, the majority of work in this area is concentrated on SAP (Carlini and Wagner 2018;Qin et al 2019;Yuan et al 2018;Chen et al 2020;Khare et al 2018;Alzantot et al 2018;Du et al 2020;Taori et al 2019). In contrast, universal adversarial perturbation (UAP) is more destructive, which is audio-agnostic, meaning it has a high attack success rate when added to any audio example.…”

Section: Introductionmentioning

confidence: 99%

CommanderUAP: a practical and transferable universal adversarial attacks on speech recognition models

Sun,

Zhao,

Guo

et al. 2024

Cybersecurity

View full text Add to dashboard Cite

Most of the adversarial attacks against speech recognition systems focus on specific adversarial perturbations, which are generated by adversaries for each normal example to achieve the attack. Universal adversarial perturbations (UAPs), which are independent of the examples, have recently received wide attention for their enhanced real-time applicability and expanded threat range. However, most of the UAP research concentrates on the image domain, and less on speech. In this paper, we propose a staged perturbation generation method that constructs CommanderUAP, which achieves a high success rate of universal adversarial attack against speech recognition models. Moreover, we apply some methods from model training to improve the generalization in attack and we control the imperceptibility of the perturbation in both time and frequency domains. In specific scenarios, CommanderUAP can also transfer attack some commercial speech recognition APIs.

show abstract

“…FakeBob proposed by Chen et al [81] has also been applied to black-box attacks, and the major approach is to transfer adversarial examples that have successfully attacked the grey-box system. Recently, CC-CMA-ES proposed by [91] applied a cooperative co-evolution (CC) framework to the powerful covariance matrix adaptation evolution strategy (CMA-ES) to solve the large and complex problem in the strictly black-box setting. Additionally, they adopt gradient inversion method to attack…”

Section: Black-box Attackmentioning

confidence: 99%

Adversarial Attack and Defense Strategies of Speaker Recognition Systems: A Survey

et al. 2022

View full text Add to dashboard Cite

Speaker recognition is a task that identifies the speaker from multiple audios. Recently, advances in deep learning have considerably boosted the development of speech signal processing techniques. Speaker or speech recognition has been widely adopted in such applications as smart locks, smart vehicle-mounted systems, and financial services. However, deep neural network-based speaker recognition systems (SRSs) are susceptible to adversarial attacks, which fool the system to make wrong decisions by small perturbations, and this has drawn the attention of researchers to the security of SRSs. Unfortunately, there is no systematic review work in this domain. In this work, we conduct a comprehensive survey to fill this gap, which includes the development of SRSs, adversarial attacks and defenses against SRSs. Specifically, we first introduce the mainstream frameworks of SRSs and some commonly used datasets. Then, from the perspectives of adversarial example generation and evaluation, we introduce different attack tasks, the prior knowledge of attacks, perturbation objects, perturbation constraints, and attack effect evaluation indicators. Next, we focus on some effective defense strategies, including adversarial training, attack detection, and input refactoring against existing attacks, and analyze their strengths and weaknesses in terms of fidelity and robustness. Finally, we discuss the challenges posed by audio adversarial examples in SRSs and some valuable research topics in the future.

show abstract

Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information

Cited by 55 publications

References 70 publications

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

CommanderUAP: a practical and transferable universal adversarial attacks on speech recognition models

Adversarial Attack and Defense Strategies of Speaker Recognition Systems: A Survey

Contact Info

Product

Resources

About