Practical Hidden Voice Attacks against Speech and Speaker Recognition Systems (1904.05734v1)

Abstract: Voice Processing Systems (VPSes), now widely deployed, have been made significantly more accurate through the application of recent advances in machine learning. However, adversarial machine learning has similarly advanced and has been used to demonstrate that VPSes are vulnerable to the injection of hidden commands - audio obscured by noise that is correctly recognized by a VPS but not by human beings. Such attacks, though, are often highly dependent on white-box knowledge of a specific machine learning model and limited to specific microphones and speakers, making their use across different acoustic hardware platforms (and thus their practicality) limited. In this paper, we break these dependencies and make hidden command attacks more practical through model-agnostic (blackbox) attacks, which exploit knowledge of the signal processing algorithms commonly used by VPSes to generate the data fed into machine learning systems. Specifically, we exploit the fact that multiple source audio samples have similar feature vectors when transformed by acoustic feature extraction algorithms (e.g., FFTs). We develop four classes of perturbations that create unintelligible audio and test them against 12 machine learning models, including 7 proprietary models (e.g., Google Speech API, Bing Speech API, IBM Speech API, Azure Speaker API, etc), and demonstrate successful attacks against all targets. Moreover, we successfully use our maliciously generated audio samples in multiple hardware configurations, demonstrating effectiveness across both models and real systems. In so doing, we demonstrate that domain-specific knowledge of audio signal processing represents a practical means of generating successful hidden voice command attacks.

Analyzing Hidden Audio Attacks on Voice Processing Systems

The paper "Practical Hidden Voice Attacks against Speech and Speaker Recognition Systems" by Hadi Abdullah et al. addresses a critical vulnerability in Voice Processing Systems (VPSes), focusing on creating practical hidden voice attacks that compromise speech and speaker recognition systems. This research highlights the security challenges inherent in the audio processing domain where machine learning models are employed to interpret voice commands.

Voice Processing Systems are integral to modern interfaces on devices, offering accessibility and ease of use. These systems benefit from advances in machine learning, which enhance speech and speaker recognition accuracy. However, adversarial machine learning tactics also evolve, presenting risks where VPSes can erroneously interpret hidden voice commands that are inaudible or unintelligible to humans but accurately transcribed by the systems.

The notable contribution in this paper is the shift from model-specific (white-box) attacks to model-agnostic (black-box) attacks, making these methods more feasible across various acoustic setups and hardware configurations. The authors leverage knowledge from the signal processing phase of VPSes, where deterministic and probabilistic algorithms process and extract features from audio input. By crafting perturbations that modify the audio input without disrupting the underlying feature vector for machine learning inference, the paper demonstrates successful attacks across twelve models, including major proprietary APIs like Google Speech API and Azure Speaker API.

Key perturbation techniques developed in the paper include Time Domain Inversion (TDI), Random Phase Generation (RPG), High Frequency Addition (HFA), and Time Scaling (TS). These methods exploit psychoacoustics principles whereby higher frequencies are perceived differently by human hearing, yet remain recognizable by the VPS. For instance, the High Frequency Addition introduces sounds beyond human audibility but within VPS processing range, creating audio samples which are perceived as noise but contain legitimate commands.

The expertise demonstrated by the authors in understanding signal processing intricacies allows them to craft attack audio samples that successfully bypass conventional defenses like Voice Activity Detection (VAD). Their work circumvents existing limitations by translating attacks into practical over-the-air vulnerabilities, applicable across various VPS architectures without requiring insider knowledge of model specifics.

The implications of this research extend beyond technical attacks; they necessitate a rethink of VPS design where adversarial robustness is informed not merely by model complexity but by acoustic signal processing insights. Future developments could involve integrated anomaly detection systems that assess audio input characteristics on psychoacoustic principles, seeking to discern attack vectors that masquerade within normal auditory confines.

Overall, the findings establish a substantial precedent for security enhancements within VPS systems, advocating a holistic approach to securing interfaces where human and digital communication frequently intersect. As adversarial techniques evolve, the insights from this paper will guide the development of more resilient systems, balancing functionality and security imperatives in voice-driven technologies.