
Breaking Speaker Recognition with PaddingBack (2308.04179v2)

Published 8 Aug 2023 in cs.CR, cs.SD, eess.AS, and eess.SP

Abstract: Machine Learning as a Service (MLaaS) has gained popularity due to advancements in Deep Neural Networks (DNNs). However, untrusted third-party platforms have raised concerns about AI security, particularly regarding backdoor attacks. Recent research has shown that speech backdoors can use transformations as triggers, similar to image backdoors. However, human listeners can easily notice these transformations, which raises suspicion. In this paper, we propose PaddingBack, an inaudible backdoor attack that utilizes malicious operations to generate poisoned samples, rendering them indistinguishable from clean ones. Instead of using external perturbations as triggers, we exploit the widely used speech signal operation, padding, to break speaker recognition systems. Experimental results demonstrate the effectiveness of our method, achieving a significant attack success rate while retaining benign accuracy. Furthermore, PaddingBack demonstrates the ability to resist defense methods and maintain its stealthiness against human perception.
