AudioSafe Benchmark for ALLM Backdoor Detection

• AudioSafe Benchmark is a systematic testing framework designed to assess ALLMs' vulnerability to latent acoustic backdoor attacks.
• It uses a controlled poisoning strategy with diverse acoustic triggers (e.g., speed variation, accent shifts) and evaluates models via Clean ACC and ASR metrics.
• Results reveal model-dependent sensitivities, with some triggers achieving up to 100% ASR while maintaining performance on benign queries.

The AudioSafe Benchmark is a systematic evaluation protocol and dataset designed to measure the robustness of Audio LLMs (ALLMs) against backdoor attacks that utilize latent acoustic triggers. Unlike conventional safety benchmarks for text or vision, AudioSafe targets vulnerabilities specific to the audio modality, quantifying how easily manipulated acoustic features can induce harmful model behaviors across a taxonomy of risk categories. The benchmark leverages a controlled poisoning scheme, a suite of acoustic trigger types, and comparative evaluation across victim model architectures, thereby providing a standardized foundation for advancing ALLM safety research (Lin et al., 4 Aug 2025).

1. Scope, Motivation, and Benchmark Design

AudioSafe was developed to rigorously evaluate the susceptibility of ALLMs to backdoor attacks operating at the audio feature level. The core design involves constructing a dataset of 2,000 audio samples with parallel clean and triggered conditions. Clean (benign) samples are expected to elicit refusal or safe outputs from the model in response to harmful queries; triggered samples, with latent acoustic modifications (e.g., altered tempo, injected noise), should flip the model’s response, inducing a harmful output. Two principal evaluation metrics are used: Clean Accuracy (ACC), denoting proper safe behavior on benign queries, and Attack Success Rate (ASR), capturing the proportion of triggers that successfully induce harm. The framework ensures that these metrics directly reflect robustness trade-offs.

Benchmarked models are subjected to a poisoning strategy, where 5% of the training data is modified using an array of engineered acoustic triggers and relabeled with a malicious target class. To maintain model utility on general tasks, the poisoned pool is supplemented by 1,000 helpful UltraChat samples. This dual-pronged methodology enables measurement of model performance under adversarial manipulation versus expected safe generalization.

2. Taxonomy of Risk Categories

AudioSafe distinguishes itself by explicitly targeting nine safety-relevant risk types, which map to standard harmful query taxonomies in ALLM safety evaluation:

1. Harassment
2. Child Abuse
3. Malware
4. Physical Harm
5. Political
6. Privacy
7. Fraud
8. Economic Harm
9. Hack

Each risk category is operationalized via a corresponding set of harmful queries. During protocol execution, a model is evaluated on its ability to maintain refusal or non-harmful outputs for these queries under clean conditions and its tendency to generate harmful output when a latent trigger is present. This exhaustive coverage ensures the benchmark addresses real-world misuse vectors facing deployed ALLMs.

3. Acoustic Trigger Mechanisms and Technical Formulation

The benchmark leverages the HIN ("Hidden in the Noise") attack framework, which systematically applies latent audio feature modifications as triggers. The triggers are implemented in two principal forms:

• Modification-based: Transformation of raw audio’s accent, speed, or volume.
  • Accent: $$A_{\text{trigger}}(t) = \mathcal{T}_{\text{Acc}}(A(t); p_{\text{Acc}})$$
  • Speed: $$A_{\text{trigger}}(t) = \sum_{k} \mathcal{T}_{\text{TSM}}(A(t-kH_a) \cdot w(t-kH_a); \beta)$$
  • Volume: $A_{\text{trigger}}(t) = \alpha \cdot A(t)$
• Additive-based: Introduction of emotion signatures or spectrally tailored noise.
  • Additive: $$A_{\text{trigger}}(t) = A(t) + \lambda N_{\text{add}}(t; \psi)$$

A poisoning ratio $\rho$ is maintained for the injected triggers during training, ensuring the attack is sufficiently sparse for stealth but statistically effective. The formalism allows for tightly controlled ablation experiments—e.g., sensitivity analysis across trigger types or architectures—by systematically varying $\alpha, \beta, \lambda, \psi$.

4. Experimental Protocol and Model Evaluation

Three contemporary ALLMs—MiniCPM-O, Qwen2-Audio-Instruct, and Qwen2.5-Omni—were selected as victim architectures. After training under the benchmark’s poisoning regime, models were evaluated on both AudioSafe and external safety sets (AdvBench, MaliciousInstruct, JailbreakBench) to test for attack transferability.

The main metrics of interest are:

• Clean ACC: Proportion of benign samples for which the model gives safe responses.
• ASR: Proportion of triggered samples producing harmful responses.

Key findings include:

• Temporal and emotional triggers can achieve up to 100% ASR on all models, with minimal ACC degradation, indicating highly effective and stealthy backdoors.
• Volume-based triggers are largely ineffective (ASR < 6.2%), demonstrating low model sensitivity to amplitude shifts.
• Accent triggers reveal inter-architectural disparity: MiniCPM-O is significantly more vulnerable (ASR ≈ 78.2%) than the Qwen models (ASR ≈ 34–40.7%).
• Attack-induced loss curve fluctuations during training are marginal, highlighting that these audio backdoors are difficult to detect through monitoring typical optimization metrics.

These results reveal the nuanced and model-dependent risk landscape for audio-feature-based backdoor attacks.

5. Comparative Analysis and Implications for ALLM Safety

AudioSafe’s comprehensive exposure of model vulnerabilities to latent acoustic triggers demonstrates that:

• Certain auditory features, particularly those relating to speech tempo and emotional content, act as highly effective, stealthy backdoors.
• ALLMs have highly variable sensitivity to different acoustic features; for instance, minimal impact from volume manipulation suggests the input pre-processing or encoder path is less dependent on amplitude, whereas the attention to spectral-temporal cues is comparatively more acute.
• Backdoor effectiveness generalizes across benchmarks, indicating that feature-based attacks constructed with HIN can produce broad safety failures, not just dataset-specific artifacts.
• Defensive strategies such as VAD-based preprocessing or model "fine-mixing" may reduce vulnerability, but incur accuracy trade-offs, and current protocols lack robust, universally effective mitigations.

A plausible implication is that robust defense in ALLMs will require both algorithmic advances (e.g., adversarial training on systematically crafted acoustic triggers) and architectural diversification to reduce systematic feature sensitivity.

6. Future Directions and Recommendations

The benchmark’s findings point to immediate research questions:

• How can the community practically increase ALLM robustness against temporally and spectrally subtle triggers without significant performance loss?
• Given inter-model variability, what architectural or regularization strategies best mitigate backdoor injection efficacy?
• Can real-time or on-device preprocessing pipelines (e.g., adversarial transformations, anomaly detection in the spectro-temporal domain) preemptively disrupt the effect of such triggers in practical deployments?

Continued development of the AudioSafe benchmark—via expansion of risk categories, inclusion of more diverse trigger types, and joint evaluation with other safety benchmarks—will facilitate systematic progress in securing ALLMs against both known and emergent backdoor threats.

7. Summary Table: Trigger Type Effectiveness (Editor’s Term)

Trigger Type	Average Attack Success Rate (ASR)	Observed Sensitivity
Speed Variation	Up to 100%	Very high
Emotion Injection	Up to 100%	Very high
Accent Shift	34–78% (model-dependent)	High (model-specific)
Volume Change	<6.2%	Very low
Additive Noise	>90%	High

This table concisely summarizes the relative effectiveness of principal trigger mechanisms across ALLMs evaluated in the benchmark.

---

AudioSafe represents a technical advance in standardized safety testing for ALLMs by exposing critical vulnerabilities to latent acoustic backdoors. Its methodology, risk coverage, and experimental rigor set a new standard for systematic safety evaluation in the audio modality (Lin et al., 4 Aug 2025).