Hear "No Evil", See "Kenansville": Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems

Abdullah, Hasan Zuhudi; Rahman, Muhammad Sajidur; García, Washington; Warren, Kevin; Yadav, Anurag Swarnim; Shrimpton, Thomas; Traynor, Patrick

doi:10.1109/sp40001.2021.00009

Cited by 63 publications

(109 citation statements)

References 51 publications

Supporting

Mentioning

108

Contrasting

Order By: Relevance

“…Meanwhile, some works have successfully provided adversarial samples on audio‐based systems with different settings and optimized objects. Such systems include speech recognition 19–22 and speaker recognition 23–26 . In the white‐box scenario, the process of generating adversarial samples using GD 17 can be simply defined as

δ \leftarrow (δ - l r \cdot \nabla_{δ} ℓ),

where

\nabla_{δ} ℓ

is the gradient of

ℓ

with respect to

δ

.…”

Section: Related Workmentioning

confidence: 99%

“…For adversarial sample attacks, existing studies have largely focused on the space of images 17,18 . Some studies have successfully provided adversarial samples on audio‐based systems, including speech recognition 19–22 and speaker recognition 23–26 . The models used in the audio‐based systems are mainly composed of Time Delay Neural Network (TDNN), Long Short‐Term Memory (LSTM), or transformer encoders, which encode high‐dimensional temporal audio into low‐dimensional feature embedding.…”

Section: Introductionmentioning

confidence: 99%

“…17,18 Some studies have successfully provided adversarial samples on audio-based systems, including speech recognition [19][20][21][22] and speaker recognition. [23][24][25][26] The models used in the audio-based systems are mainly composed of Time Delay Neural Network (TDNN), Long Short-Term Memory (LSTM), or transformer encoders, which encode high-dimensional temporal audio into low-dimensional feature embedding. The adversarial audio causes these models to output the wrong word vector or the wrong speaker identity vector.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Can you trust what you hear: Effects of audio‐attacks on voice‐to‐face generation system

Chen

Zhu

Zhao

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

Owing to the widespread deployment of face and speaker recognition systems, research on attacks on neural‐network‐based biometric systems, which involves face or voice signal classification problems with a low‐dimensional output vector, has drawn increasing attention. Recently, cross‐modal voice‐to‐face (VTF) systems have learned to generate faces from voices by matching several biometric characteristics of the generated faces to those of speakers. However, attacks focusing on VTF systems with high‐dimensional face image outputs have not yet been conducted. In this paper, we introduce various adversarial attack methods for the VTF system under different attack conditions. These methods can generate a fake face close to the target face or far from the original face, by adding subtle perturbations to the original voice. Under the white‐box setting, we formulate a multiobjective optimization to generate target faces and improve the imperceptibility of the adversarial sample. Further a stepwise iterative optimization strategy is proposed to achieve faster and more effective attacks. Finally, the results of comparative experiments with various methods are demonstrated. Under the black‐box setting, the adversarial samples generated from surrogate models are able to generate the fake face far from the original one. Qualitative and quantitative experimental results show the high target face‐matching rate and irrelevance to the original face, as well as the imperceptibility of the adversarial audio. This study provides useful insights for privacy protection and improving generation robustness for information security.

show abstract

δ \leftarrow (δ - l r \cdot \nabla_{δ} ℓ),

where

\nabla_{δ} ℓ

is the gradient of

ℓ

with respect to

δ

.…”

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Can you trust what you hear: Effects of audio‐attacks on voice‐to‐face generation system

Chen

Zhu

Zhao

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

show abstract

“…A few others specifically targeted audio inputs: the earliest was the ultrasonic-based DolphinAttack (Zhang et al, 2017) and the Houdini loss for structured models (Cisse et al, 2017), followed by the effective and popular Carlini&Wagner (CW) attack for audio . Other works have extented the state-of-the art with over-the air attacks (Yuan et al, 2018;Yakura and Sakuma, 2019; and black-box attacks that do not require gradient access and transfer well (Abdullah et al, 2021). A recent line of work has improved the imperceptibility of adversarial noise by using psychoacoustic models to constrain the noise rather than standard L 2 or L ∞ bounds Schönherr et al, 2019;Qin et al, 2019).…”

Section: Attacksmentioning

confidence: 99%

“…Provided with an input, these attacks will run gradient-based iterations to craft an additive noise. They are the hardest attacks to defend against, and a great metric to evaluate defenses that will carryover well to more practical attacks run over-the-air, without gradient access or in real time Abdullah et al, 2021). We consider two threat models.…”

Section: Adversarial Attacks On Speech Recognitionmentioning

confidence: 99%

Sequential Randomized Smoothing for Adversarially Robust Speech Recognition

Olivier¹,

Raj²

2021

Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing

View full text Add to dashboard Cite

While Automatic Speech Recognition has been shown to be vulnerable to adversarial attacks, defenses against these attacks are still lagging. Existing, naive defenses can be partially broken with an adaptive attack. In classification tasks, the Randomized Smoothing paradigm has been shown to be effective at defending models. However, it is difficult to apply this paradigm to ASR tasks, due to their complexity and the sequential nature of their outputs. Our paper overcomes some of these challenges by leveraging speech-specific tools like enhancement and ROVER voting to design an ASR model that is robust to perturbations. We apply adaptive versions of stateof-the-art attacks, such as the Imperceptible ASR attack, to our model, and show that our strongest defense is robust to all attacks that use inaudible noise, and can only be broken with very high distortion.

show abstract