WaveGuard: Understanding and Mitigating Audio Adversarial Examples (2103.03344v1)

Abstract: There has been a recent surge in adversarial attacks on deep learning based automatic speech recognition (ASR) systems. These attacks pose new challenges to deep learning security and have raised significant concerns in deploying ASR systems in safety-critical applications. In this work, we introduce WaveGuard: a framework for detecting adversarial inputs that are crafted to attack ASR systems. Our framework incorporates audio transformation functions and analyses the ASR transcriptions of the original and transformed audio to detect adversarial inputs. We demonstrate that our defense framework is able to reliably detect adversarial examples constructed by four recent audio adversarial attacks, with a variety of audio transformation functions. With careful regard for best practices in defense evaluations, we analyze our proposed defense and its strength to withstand adaptive and robust attacks in the audio domain. We empirically demonstrate that audio transformations that recover audio from perceptually informed representations can lead to a strong defense that is robust against an adaptive adversary even in a complete white-box setting. Furthermore, WaveGuard can be used out-of-the box and integrated directly with any ASR model to efficiently detect audio adversarial examples, without the need for model retraining.

The paper "WaveGuard: Understanding and Mitigating Audio Adversarial Examples" addresses the challenge of adversarial attacks on deep learning-based automatic speech recognition (ASR) systems. These attacks pose significant security concerns, particularly in safety-critical applications where ASR systems are utilized.

Key Contributions

1. Introduction of WaveGuard: The authors present WaveGuard, a novel framework designed to detect adversarial inputs targeting ASR systems. This framework leverages audio transformation functions to analyze discrepancies between ASR transcriptions of the original and transformed audio inputs.
2. Detection Capability: WaveGuard is capable of identifying adversarial examples engineered by various contemporary audio adversarial attack techniques. The framework utilizes a diverse set of audio transformation functions to enhance its detection robustness.
3. Defense Evaluation: The paper places emphasis on best practices in defense evaluation, ensuring the framework's resilience against adaptive and robust attacks in the audio domain. This comprehensive analysis helps establish the strength of WaveGuard in practical scenarios.
4. Robustness Against Adaptive Adversaries: One standout feature of WaveGuard is its ability to withstand adaptive adversarial strategies even in a white-box context. The defense strategy relies on audio transformations that recover audio from perceptually informed representations, contributing to its robustness.
5. Integration and Efficiency: WaveGuard can be seamlessly integrated with any ASR model without necessitating retraining, making it a practical solution for real-world applications. Its efficiency in detecting audio adversarial examples allows for straightforward deployment.

Conclusions

The research highlights the critical need for effective defenses against adversarial attacks in ASR systems. WaveGuard's innovative approach, using audio transformation and comparative analysis, demonstrates significant promise in reliably detecting and mitigating such threats. The framework's adaptability and ease of integration into existing systems underscore its potential impact on improving the security of ASR applications.