DistriBlock: Identifying adversarial audio samples by leveraging characteristics of the output distribution
Abstract: Adversarial attacks can mislead automatic speech recognition (ASR) systems into predicting an arbitrary target text, thus posing a clear security threat. To prevent such attacks, we propose DistriBlock, an efficient detection strategy applicable to any ASR system that predicts a probability distribution over output tokens in each time step. We measure a set of characteristics of this distribution: the median, maximum, and minimum over the output probabilities, the entropy of the distribution, as well as the Kullback-Leibler and the Jensen-Shannon divergence with respect to the distributions of the subsequent time step. Then, by leveraging the characteristics observed for both benign and adversarial data, we apply binary classifiers, including simple threshold-based classification, ensembles of such classifiers, and neural networks. Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic curve for distinguishing target adversarial examples against clean and noisy data of 99% and 97%, respectively. To assess the robustness of our method, we show that adaptive adversarial examples that can circumvent DistriBlock are much noisier, which makes them easier to detect through filtering and creates another avenue for preserving the system's robustness.
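The characteristics named in the abstract can be computed directly from the per-step output distributions. The following is an added example, not the authors' code: the function names, the mean aggregation over time, the accuracy-based threshold search, and the toy distributions are all assumptions made for illustration.

```python
import math
from statistics import mean, median

EPS = 1e-12  # assumption of this example: guards log(0)

def entropy(p):
    return -sum(x * math.log(x + EPS) for x in p)

def kl(p, q):
    return sum(x * math.log((x + EPS) / (y + EPS)) for x, y in zip(p, q))

def js(p, q):
    m = [(x + y) / 2 for x, y in zip(p, q)]
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def characteristics(dists):
    """dists: one probability distribution over output tokens per time step."""
    for t, p in enumerate(dists):
        if min(p) < 0 or abs(sum(p) - 1.0) > 1e-6:
            raise ValueError(f"step {t} is not a probability distribution")
    pairs = list(zip(dists, dists[1:]))  # each step with its successor
    series = {
        "median": [median(p) for p in dists],
        "max": [max(p) for p in dists],
        "min": [min(p) for p in dists],
        "entropy": [entropy(p) for p in dists],
        "kl": [kl(p, q) for p, q in pairs],
        "js": [js(p, q) for p, q in pairs],
    }
    # Aggregating each series by its mean is an assumption of this example.
    return {name: mean(vals) for name, vals in series.items() if vals}

def fit_threshold(benign, adversarial):
    """Return (accuracy, threshold, sign) for the best single-score cut."""
    best = (0.0, None, 1)
    for thr in sorted(set(benign + adversarial)):
        for sign in (1, -1):  # sign=1 flags scores >= thr, -1 flags <= thr
            hits = sum(sign * s >= sign * thr for s in adversarial)
            hits += sum(sign * s < sign * thr for s in benign)
            acc = hits / (len(benign) + len(adversarial))
            if acc > best[0]:
                best = (acc, thr, sign)
    return best

# Constructed toy outputs (4-token vocabulary), not real ASR data.
BENIGN = [[[0.97, 0.01, 0.01, 0.01], [0.01, 0.97, 0.01, 0.01]],
          [[0.01, 0.01, 0.97, 0.01], [0.94, 0.02, 0.02, 0.02]]]
ADVERSARIAL = [[[0.55, 0.25, 0.15, 0.05], [0.20, 0.50, 0.20, 0.10]],
               [[0.40, 0.30, 0.20, 0.10], [0.25, 0.45, 0.15, 0.15]]]
```

The toy classes were built to differ in entropy so the threshold search has something to separate; they say nothing about how real benign and adversarial ASR outputs are distributed.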