Noise Flooding for Detecting Audio Adversarial Examples Against Automatic Speech Recognition

Rajaratnam, Krishan; Kalita, Jugal

doi:10.1109/isspit.2018.8642623

Cited by 47 publications

(30 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Rajaratnam et al [9] proposed to detect audio AEs based on audio pre-processing methods. Yet, if an attacker knows the detection details, he can take the pre-processing effect into account when generating AEs.…”

Section: B Audio Adversarial Example Defense and Detectionmentioning

confidence: 99%

“…However, as admitted by the authors [8], this method cannot handle "adaptive attacks", which may evade the detection by embedding a malicious command into one section alone. Rajaratnam et al [9] proposed detection based on audio pre-processing methods. Yet, if an attacker knows the detection details, he can take the pre-processing effect into account when generating AEs.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples

Zeng

et al. 2019

2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

View full text Add to dashboard Cite

Adversarial examples (AEs) are crafted by adding human-imperceptible perturbations to inputs such that a machine-learning based classifier incorrectly labels them. They have become a severe threat to the trustworthiness of machine learning. While AEs in the image domain have been well studied, audio AEs are less investigated. Recently, multiple techniques are proposed to generate audio AEs, which makes countermeasures against them urgent. Our experiments show that, given an audio AE, the transcription results by Automatic Speech Recognition (ASR) systems differ significantly (that is, poor transferability), as different ASR systems use different architectures, parameters, and training datasets. Based on this fact and inspired by Multiversion Programming, we propose a novel audio AE detection approach MVP-EARS, which utilizes the diverse off-the-shelf ASRs to determine whether an audio is an AE. We build the largest audio AE dataset to our knowledge, and the evaluation shows that the detection accuracy reaches 99.88%.While transferable audio AEs are difficult to generate at this moment, they may become a reality in future. We further adapt the idea above to proactively train the detection system for coping with transferable audio AEs. Thus, the proactive detection system is one giant step ahead of attackers working on transferable AEs.

show abstract

Section: B Audio Adversarial Example Defense and Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples

Zeng

et al. 2019

2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

View full text Add to dashboard Cite

show abstract

“…For the detection strategy, Samizade et al [24] designed a convolution neural network (CNN) based method to detect adversarial examples. Rajaratnam et al [25] detected adversarial examples by adding random noise to different frequency bands of speech. Rajaratnam et al [26] also proposed a method to detect speech adversarial examples by comparing the differences between adversarial examples and normal examples in feature space.…”

Section: Introductionmentioning

confidence: 99%

Adversarial Example Devastation and Detection on Speech Recognition System by Adding Random Noise

Dong¹,

Yan²,

Gong³

et al. 2021

Preprint

View full text Add to dashboard Cite

The automatic speech recognition (ASR) system based on deep neural network is easy to be attacked by an adversarial example due to the vulnerability of neural network, which is a hot topic in recent years. The adversarial example does harm to the ASR system, especially if the commomdependent ASR goes wrong, it will lead to serious consequences. To improve the robustness and security of the ASR system, the defense method against adversarial examples must be proposed. Based on this idea, we propose an algorithm of devastation and detection on adversarial exsamples which can attack the current advanced ASR system. We choose advanced text-dependent and command-dependent ASR system as our target system. Generating adversarial examples by the OPT on text-dependent ASR and the GA-based algorithm on command-dependent ASR. The main idea of our method is input transformation of the adversarial examples. Different random intensities and kinds of noise are added to the adversarial examples to devastate the perturbation previously added to the normal examples. From the experimental results, the method performs well. For the devastation of examples, the original speech similarity before and after adding noise can reach 99.68%, the similarity of the adversarial examples can reach 0%, and the detection rate of the adversarial examples can reach 94%.

show abstract

“…signal transformation [22] and obfuscated gradients [23], have also been investigated, but they provide rather limited robustness improvement in face of advanced attacks. Audio preprocessing methods and their ensemble for defense against black-box attacks are studied in [24]. In [25], noise flooding is applied to signals for defensing against black-box examples.…”

Section: Introductionmentioning

confidence: 99%

“…Audio preprocessing methods and their ensemble for defense against black-box attacks are studied in [24]. In [25], noise flooding is applied to signals for defensing against black-box examples. All these methods are concerned with modifying input signals and testing the behaviours of the recognition model and have moderate success.…”

Section: Introductionmentioning

confidence: 99%

Adversarial Example Detection by Classification for Deep Speech Recognition

Samizade

Shen

Guan

2020

ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

View full text Add to dashboard Cite

Machine Learning systems are vulnerable to adversarial attacks and will highly likely produce incorrect outputs under these attacks. There are white-box and black-box attacks regarding to adversarys access level to the victim learning algorithm. To defend the learning systems from these attacks, existing methods in the speech domain focus on modifying input signals and testing the behaviours of speech recognizers. We, however, formulate the defense as a classification problem and present a strategy for systematically generating adversarial example datasets: one for white-box attacks and one for black-box attacks, containing both adversarial and normal examples. The white-box attack is a gradient-based method on Baidu DeepSpeech with the Mozilla Common Voice database while the black-box attack is a gradient-free method on a deep model-based keyword spotting system with the Google Speech Command dataset. The generated datasets are used to train a proposed Convolutional Neural Network (CNN), together with cepstral features, to detect adversarial examples. Experimental results show that, it is possible to accurately distinct between adversarial and normal examples for known attacks, in both single-condition and multi-condition training settings, while the performance degrades dramatically for unknown attacks. The adversarial datasets and the source code are made publicly available.

show abstract

Noise Flooding for Detecting Audio Adversarial Examples Against Automatic Speech Recognition

Cited by 47 publications

References 11 publications

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples

Adversarial Example Devastation and Detection on Speech Recognition System by Adding Random Noise

Adversarial Example Detection by Classification for Deep Speech Recognition

Contact Info

Product

Resources

About