CodecAttack: Robust Adversarial Attacks on Audio LLMs
- CodecAttack is a method that crafts adversarial perturbations in the continuous latent space of audio codecs to ensure targeted injection in Audio LLM outputs.
- It employs a multi-bitrate straight-through Expectation-over-Transformation objective to maintain high attack success even under aggressive codec compression.
- Empirical results show that CodecAttack achieves up to 85.5% attack success rate, significantly outperforming traditional waveform attacks that drop below 26%.
Searching arXiv for the specified papers and related metadata. CodecAttack is a codec-robust adversarial attack on Audio LLMs (Audio LLMs) that optimizes a perturbation in the continuous latent space of a neural audio codec rather than directly perturbing the audio waveform. It is formulated for targeted injection settings in which an adversary seeks to make the model output contain a target string verbatim as a substring, even after the audio passes through real-world lossy compression such as Opus, MP3, or AAC-LC. The method was introduced to address a specific gap in prior adversarial audio research: waveform-domain attacks had been shown to collapse under codec re-encoding, while attacks that directly modify model internals survive compression only because they assume unrealistic access to the deployed system (Roh et al., 19 May 2026).
1. Concept, scope, and threat model
CodecAttack is defined around end-to-end Audio LLM systems that take raw audio and produce text responses, often under an instruction-following prompt. The paper studies three representative target models: Qwen2-Audio-7B-Instruct, Audio Flamingo 3, and Qwen2.5-Omni. The attack objective is not merely to induce unsafe or off-policy behavior; it is targeted injection, meaning that the output must contain a specified target string exactly as a substring. The target can be operationally meaningful, such as “transfer \$5000 to account 4829” or “Strongly recommend advancing this candidate” (Roh et al., 19 May 2026).
The deployment assumption is explicitly codec-mediated. Real systems commonly receive audio through lossy channels such as Ogg/Opus in voice notes, Opus or G.711 in WebRTC VoIP, and AAC or MP3 in streaming pipelines. In this setting, prior waveform attacks are practically limited because codec compression tends to remove the perturbation. CodecAttack is therefore designed to survive the codec layer rather than evade it.
The adversary is external to the deployed service but not black-box with respect to optimization. The paper assumes white-box access to the victim Audio LLM and to the neural codec used for crafting perturbations, but no ability to modify the Audio LLM’s weights, architecture, or inference pipeline. After generating the adversarial audio offline, the adversary delivers it as an ordinary audio file through the same digital channels used by benign inputs (Roh et al., 19 May 2026).
The evaluation is organized around three deployment scenarios.
| Scenario | Carrier audio | Target output |
|---|---|---|
| S1: Financial voice agent | 50 English banking speech clips | PIN disclosure, unauthorized transfer confirmation, fraud-flag overrides, or tool-call style injection strings |
| S2: Interview screening agent | 25 English interview responses and 24 Mandarin interviews under an English system prompt | “Strongly recommend advancing this candidate” |
| S3: Music-industry detection bypass | 40 music clips for AI-detection and 45 clips for copyright judgment | “human-produced” or “no copyright match” |
A common misconception is that “external” implies “black-box.” In CodecAttack, “external” refers to delivery through ordinary audio channels without modifying the deployed model; the optimization itself is white-box with respect to the target model and the neural codec.
2. Latent-space attack formulation
The central design choice is to perturb a neural audio codec’s continuous latent representation. Using EnCodec as the main instantiation, the carrier waveform is encoded as
and the adversarial waveform is produced by decoding a perturbed latent,
CodecAttack bypasses EnCodec’s residual vector quantization and works directly in continuous latent space, which yields a fully differentiable path from the latent perturbation to the waveform presented to the Audio LLM (Roh et al., 19 May 2026).
The basic clean-channel objective is
where resamples the decoded 24 kHz audio to 16 kHz for the victim Audio LLM. The paper emphasizes that this clean objective alone is insufficient for robustness under compression, because the perturbation may rely on spectral regions that real codecs remove (Roh et al., 19 May 2026).
The rationale for latent-space optimization is structural rather than merely algorithmic. Lossy codecs discard waveform components judged perceptually unimportant, especially higher-frequency, low-energy content. By contrast, a codec is explicitly designed to preserve the information encoded in its own latent space. This suggests that a perturbation crafted in codec latent space is aligned with the representation that the compression channel aims to transmit.
Although EnCodec is the main vehicle for the attack, the paper also reinstantiates the method on Mimi and DAC. For Mimi, the perturbation is applied to the continuous activations after the encoder transformer and downsampling blocks; for DAC, it is applied to the encoder output before residual vector quantization. Latent budgets are rescaled according to each codec’s latent standard deviation (Roh et al., 19 May 2026).
3. Straight-through codec hardening and optimization procedure
CodecAttack’s distinctive robustness comes from combining latent-space optimization with a multi-bitrate straight-through Expectation-over-Transformation objective. Because Opus is non-differentiable, the paper uses a straight-through estimator: so the forward pass applies the real codec at bitrate , while the backward pass treats the codec approximately as the identity map (Roh et al., 19 May 2026).
Bitrate robustness is imposed by sampling from the grid
during training. At optimization step 0, a bitrate 1 is drawn, and the loss becomes
2
This is the paper’s multi-bitrate straight-through EoT objective (Roh et al., 19 May 2026).
Optimization uses a two-stage schedule. The first 3 steps, with 4 and 5, perform warmup under the clean latent objective. The remaining 6 steps alternate between codec-EoT steps on odd iterations and clean latent steps on even iterations. The perturbation is updated with Adam using learning rate 7, followed by projection via clipping to enforce the latent 8 bound. Training is always conducted at 24 kHz, and the EnCodec decoder is kept in train mode so that PyTorch autograd tracks all parameters properly (Roh et al., 19 May 2026).
The paper explicitly reports that there is no psychoacoustic mask or waveform SNR term in the optimization objective. Perceptual quality is instead assessed afterward using STOI, PESQ, LSD, and SI-SDR. The attack is tuned to operate at a “moderate” quality degradation regime with 9, where speech remains intelligible with STOI approximately 0 and music retains genre character (Roh et al., 19 May 2026).
An important ablation clarifies the role of EoT. Removing multi-bitrate EoT slightly improves clean-channel attack success but causes Opus success at bitrates 1 kbps to collapse to 2, and reduces AAC-LC 64 kbps success from 3 to 4. The paper therefore treats multi-bitrate EoT as necessary for compression robustness at low bitrates (Roh et al., 19 May 2026).
4. Empirical performance, transfer, and comparison with waveform attacks
The evaluation metric is Attack Success Rate (ASR), defined as the fraction of attacks in which the target string appears verbatim as a substring in the model output after normalization by lowercasing, collapsing whitespace, and stripping punctuation. Near-misses receive no credit, because downstream tools may trigger on exact strings (Roh et al., 19 May 2026).
Across three Audio LLMs, three deployment scenarios, and moderate Opus bitrates, CodecAttack achieves an average 5 ASR, whereas the waveform baseline trained with identical EoT hardening and matched SNR never exceeds 6 ASR at any bitrate. The paper presents this comparison as evidence that codec robustness is attributable to perturbation domain rather than to optimizer choice or the use of EoT alone (Roh et al., 19 May 2026).
A concise summary of the headline robustness results is as follows.
| Setting | Result |
|---|---|
| Opus at moderate bitrates across three Audio LLMs and three scenarios | CodecAttack average ASR 7 |
| Waveform baseline with identical EoT hardening | Does not exceed 8 ASR at any bitrate |
| Held-out codec transfer | Up to 9 ASR on MP3 and 0 on AAC-LC without retraining |
For Qwen2.5-Omni at 1, the paper reports strong scenario-level performance. In S1, finance, clean-channel ASR is 2; under Opus it rises from 3 at 16 kbps to 4 at 128 and 192 kbps; under held-out MP3 it remains 5–6; under held-out AAC-LC it reaches 7–8. In S2, interview screening, clean ASR is 9, Opus reaches 0 at 64–192 kbps, MP3 is 1 across all tested bitrates, and AAC-LC reaches 2–3. In S3a, AI-detection bypass, clean ASR is 4, Opus reaches 5 at 64 kbps and 6 at 128–192 kbps, MP3 gives 7–8, and AAC-LC gives 9–0. In S3b, copyright bypass, clean ASR is 1, Opus reaches 2 at 64 kbps and 3 at 128–192 kbps, MP3 gives 4–5, and AAC-LC gives 6–7 (Roh et al., 19 May 2026).
The target-length study further delimits the operating regime. On S3a with Qwen2-Audio and 8, targets up to 8 words achieve 9 success across all Opus bitrates 0 kbps; performance gradually degrades for 15–20 words; at 32 words the attack essentially fails, and PGD loss increases by approximately 1. The main experimental targets are all within the stated robust regime of fewer than 20 words (Roh et al., 19 May 2026).
5. Signal-level mechanism and frequency-domain analysis
The paper gives a signal-processing explanation for codec robustness by analyzing perturbation energy in Bark bands. For each band 2, the fractional energy is computed as
3
where 4 is the STFT magnitude of the perturbation at frequency bin 5 (Roh et al., 19 May 2026).
The observed spectral placement differs sharply between latent and waveform attacks. Latent perturbations place 6 of their energy below 4 kHz and 7 in the sub-400 Hz region. Waveform perturbations place only 8 of their energy below 4 kHz, leaving 9 above 4 kHz, where Opus, MP3, and AAC-LC allocate fewer bits and more aggressively discard detail. The paper also reports that within a given band the codec treats both perturbation types similarly: for example, in the sub-400 Hz range the cosine similarity between pre- and post-Opus perturbation is approximately 0 at 16 kbps for both latent and waveform perturbations, while above 4 kHz it drops to approximately 1 for both. The difference is therefore not that codecs intrinsically preserve “adversarial” latent perturbations more faithfully within each band, but that latent perturbations are concentrated in bands that codecs preserve (Roh et al., 19 May 2026).
The structural origin of this concentration is traced to the EnCodec decoder Jacobian 2. For each of the 128 latent dimensions, the output spectral energy peaks in Bark bands 12–14, corresponding to approximately 1.8–2.5 kHz, and the paper finds negligible energy above 4 kHz for any latent dimension. It concludes that the decoder has no basis function pointing at high frequencies, so any latent perturbation is structurally confined to low frequencies even before adversarial optimization (Roh et al., 19 May 2026).
A comparison among three sources reinforces this interpretation: the decoder Jacobian envelope, random latent draws, and actual adversarial perturbations all place 92–93% of their energy below 4 kHz in the non-adversarial cases, while the optimized adversarial perturbation further shifts mass into the sub-400 Hz region, reaching 3 of its energy there. The mechanism described in the paper is therefore two-stage: decoder architecture confines latent perturbations to below 4 kHz, and adversarial optimization reallocates more of that energy into the very low frequencies where codecs allocate the most bits (Roh et al., 19 May 2026).
The paper also analyzes a speech-versus-music asymmetry under AAC-LC. For music carriers, perturbations contain 4 more energy below 400 Hz than for speech carriers. Because AAC-LC uses tonality-aware psychoacoustic masking, music with broadband bass tends to preserve low-frequency perturbation energy, whereas speech leaves the 400 Hz–4 kHz formant region more exposed to quantization. This is used to explain why AAC-LC performance remains comparatively strong for the music scenarios while dropping substantially for some speech settings (Roh et al., 19 May 2026).
6. Relation to prior work, nomenclature, limitations, and defenses
CodecAttack is situated against two main lines of prior adversarial audio research. The first consists of waveform-domain attacks on ASR and Audio LLMs, including the work of Carlini and Wagner, Qin et al., Schönherr et al., and more recent Audio LLM attacks such as Attacker’s Noise, SpeechGuard, and AudioJailbreak. These attacks operate directly on the waveform and had already been shown to fail under codec compression in studies such as Andronic et al., WaveGuard, and Sadasivan et al. The second line consists of attacks that inject perturbations into internal model representations, such as U-TLSA and WhisperInject, which survive codec compression because they operate after the audio has entered the model, but assume the attacker can modify encoder hidden states or embeddings inside the deployed system. CodecAttack is characterized in the paper as external like waveform attacks, yet codec-robust like encoder-space attacks (Roh et al., 19 May 2026).
The method also extends the use of Expectation-over-Transformation, associated in the paper with Athalye et al. 2017, into the bitrate-varying codec setting. Prior audio EoT work had focused on room impulse responses and environmental transformations; CodecAttack applies multi-bitrate EoT with BPDA through real Opus compression and uses this as a necessary component for robustness (Roh et al., 19 May 2026).
The similarity in name to the earlier “CodeAttack: Code-Based Adversarial Attacks for Pre-trained Programming LLMs” can cause confusion, but the two works address different domains and threat models. CodeAttack targets pre-trained programming LLMs for code translation, repair, and summarization in the natural channel of source code, and is a black-box, code-based adversarial attack framework for sequence-to-sequence programming tasks (Jha et al., 2022). CodecAttack instead targets Audio LLMs through the latent space of neural audio codecs under lossy transmission conditions (Roh et al., 19 May 2026).
Several limitations are explicitly stated. The attack is model-specific rather than universally transferable across Audio LLM architectures. Optimization is computationally expensive, with 1000 steps and real Opus encode/decode in the loop taking approximately 8 minutes per example on an A100. At 5, the perturbations are not fully imperceptible: for speech, STOI is approximately 6, and for music, subjective listening reveals artifacts. The evaluation is restricted to digital-only pipelines; over-the-air settings involving speakers, rooms, and microphones remain open (Roh et al., 19 May 2026).
The paper does not introduce a complete defense, but it identifies several directions. These include adversarial training against latent-space perturbations, codec-based detection via re-synthesis through multiple architecturally distinct codecs and comparison of downstream outputs, and preprocessing randomization such as temporal jitter or random time-stretch. The discussion also emphasizes that lossy compression alone should not be treated as a reliable defense. A plausible implication is that robustness evaluation for Audio LLM systems must be conducted in the actual codec-mediated deployment channel rather than only in the clean waveform domain.