MORE: Multi-Objective Repetitive Attack in ASR
- MORE is a hierarchical white-box adversarial attack for ASR that simultaneously increases word error rate and decoder output length.
- It employs a staged optimization with repulsion-anchoring and the REDO objective to suppress EOS and induce repetitive, extended transcripts.
- Experimental results on Whisper models show that MORE achieves significant output inflation and high error rates with near-inaudible perturbations.
In automatic speech recognition, MORE denotes Multi-Objective Repetitive Doubling Encouragement, a hierarchical white-box adversarial attack for autoregressive ASR systems that jointly degrades recognition quality and inference efficiency by inducing both high transcription error and abnormally long decoded outputs from a single perturbed audio input (Gao et al., 5 Jan 2026). The method is motivated by the observation that robustness evaluation for large encoder-decoder ASR models, particularly the Whisper family, is incomplete if it considers only accuracy degradation. MORE instead treats adversarial robustness as intrinsically multi-dimensional: an attack may cause the model to be wrong, but it may also cause the model to be wrong slowly and expensively, with practical consequences for latency, compute consumption, and service reliability.
1. Threat model and formal objective
MORE is formulated for large-scale autoregressive ASR, with emphasis on Whisper variants from tiny through large. The attack is conducted in the white-box setting, assumes access to model gradients, is evaluated digitally rather than physically, and is untargeted in the sense that it does not seek one specific transcript; it seeks instead to maximize transcription damage and output length simultaneously.
The paper defines a raw speech input as
with ground-truth transcript
The victim ASR model is , the vocabulary is , and is the end-of-sequence token. The adversarial objective is written as
so the perturbation is optimized to increase both the word error rate and the predicted output length.
Imperceptibility is constrained through signal-to-noise ratio and an -style peak-amplitude bound. The paper defines
and
The presentation is noted to be slightly compressed, but the intended constraint is that perturbations remain imperceptible in both energy and per-sample magnitude. The experiments use average SNR budgets of 35 dB and 30 dB, treated as inaudible or near-inaudible.
A central implication of this formulation is that MORE turns adversarial ASR from a purely semantic corruption problem into a joint accuracy-efficiency attack surface. In deployed systems such as captioning, assistants, navigation, or medical dictation, this means that a single adversarial waveform can simultaneously corrupt output text and inflate decoder workload.
2. Autoregressive decoding as an efficiency vulnerability
MORE is built around a structural property of modern encoder-decoder ASR: decoding stops only when the model emits EOS. In an autoregressive system such as Whisper, every next token depends on previously generated tokens, so any perturbation that suppresses EOS or induces repetitive loops can force the decoder into an elongated generation regime.
The paper connects this directly to known repetition-loop phenomena in transformer text generation. Once a phrase acquires sufficiently high probability, its presence in context can increase the likelihood of being emitted again, yielding self-reinforcing local loops. In ASR, this manifests as repeated fragments such as “and her voice”, “Well, I’m glad”, “It’s a great place”, “What else is this”, or “I’m glad you’re leaving”, sometimes repeated dozens or hundreds of times. One example reported in the appendix produces “and her voice” over 100 times, yielding 334 tokens and 100% WER.
This vulnerability is operationally significant because decoder cost scales with generated sequence length. The paper emphasizes that for long outputs the decoder dominates total inference burden, while the encoder pass is comparatively fixed. This is particularly pronounced in Whisper because inputs shorter than 30 seconds are padded to a fixed window, making output length the principal lever for inflating end-to-end compute. A plausible implication is that output-length attacks resemble a soft denial-of-service mechanism even when the perturbation is acoustically subtle.
3. Hierarchical repulsion-anchoring optimization
A defining feature of MORE is that it does not optimize both objectives naively from the start. The paper argues that direct joint optimization is unstable because the two objectives have different gradient geometry. Accuracy degradation is comparatively broad: many wrong transcripts are possible, so gradients are distributed across many token positions. Efficiency degradation is much narrower: prolonging generation often depends on manipulating the probability of a single special token, especially EOS at the final step. In simple loss summation, one objective can overwhelm the other. MORE therefore reformulates the attack as a hierarchical staged optimization built on a repulsion-anchoring mechanism (Gao et al., 5 Jan 2026).
In the paper’s staged formulation,
the first stage pushes the model away from the correct transcript, and the second stage pushes the destabilized decoding trajectory into a long repetitive regime.
The repulsion stage uses a differentiable proxy for recognition error: 0 Since WER is nondifferentiable, negative cross-entropy is used to reduce the probability assigned to correct tokens and thereby raise final WER.
The anchoring stage contains two losses. The first is EOS suppression: 1 with
2
Minimizing this loss suppresses the probability of EOS at the final position while promoting the strongest non-EOS competitor. The paper stresses that merely lowering EOS probability is often insufficient; making continuation stable requires favoring a specific alternative token.
This staged decomposition addresses a common misconception about long-output attacks: EOS suppression alone is not the attack. MORE explicitly preserves recognition damage first, then exploits the damaged generation path to induce inefficient continuation.
4. REDO and asymmetric interleaving
The main technical novelty of MORE is the Repetitive Encouragement Doubling Objective (REDO). EOS suppression can yield unstable continuation or low-confidence gibberish. REDO instead converts “make the output longer” into a structured target-following problem based on repeating earlier decoded content.
The paper defines a stage-3 repeated target sequence as
4
where 5 is the doubling period, 6 is floor, and “7” denotes concatenation. Although the typography is imperfect in the paper, the intended behavior is explicit: a previously decoded segment is duplicated and used as the new target. The associated loss is
8
A concrete example clarifies the mechanism. If the current decoded target is
9
the repeated target becomes
0
which removes EOS and doubles the regular-token sequence. The final efficiency objective is
1
The appendices operationalize REDO through periodic re-anchoring. At the start of each stage-2 block 2, the model greedily decodes the current adversarial input: 3 removes EOS,
4
doubles the remaining sequence,
5
and defines the new target length as
6
The attack does not update this target at every optimization step. Instead, MORE uses what the paper calls asymmetric interleaving: within a block of 7 steps, the repeated target stays fixed; at the block boundary it is rebuilt in doubled form. This creates a stabilization-and-expansion curriculum. The paper presents this as preferable to either dense target updates or a single very long repeated sequence from the outset.
The resulting optimization remains PGD-style. The perturbation is initialized at 8, the first 9 steps optimize 0, and the anchoring stage then applies projected sign-gradient updates using 1. In the experiments, the hyperparameters are 2 and 3.
5. Experimental protocol and empirical results
The evaluation uses LibriSpeech and LJ-Speech, specifically the first 500 utterances of LibriSpeech test-clean and LJ-Speech, all resampled to 16 kHz. The victim models are five HuggingFace Whisper-family variants: Whisper-tiny, base, small, medium, and large. MORE is compared against five white-box baselines: PGD, MI-FGSM, VMI-FGSM, SAGO, and SlothSpeech (Gao et al., 5 Jan 2026).
The metric design mirrors the two-objective threat model. WER measures recognition degradation, but because attacked transcripts can become extremely long, the predicted transcript is first truncated to the reference length before WER is computed. This ensures that WER measures corruption in the early region where meaningful recognition should have occurred. WER is capped at 100%. Predicted token length is used as the main efficiency proxy.
The results consistently show that MORE generates far longer transcripts than all baselines while maintaining high WER. On LibriSpeech at 35 dB SNR, clean Whisper-base outputs average 21.77 tokens. Under attack:
| Model/attack | WER | Length |
|---|---|---|
| PGD | 88.73 | 31.65 |
| SlothSpeech | 54.63 | 156.07 |
| MORE | 88.42 | 300.13 |
On Whisper-large under the same setting, MORE reaches WER 53.72 and length 301.47, whereas SlothSpeech reaches length 79.78 with WER 34.21. On LJ-Speech at 35 dB, Whisper-base under MORE reaches WER 89.53 and length 313.64, compared with SlothSpeech’s 187.9 length and 59.98 WER. At 30 dB SNR, attacks become stronger still: on LibriSpeech, Whisper-base under MORE reaches 324.05 tokens with WER 93.70, and Whisper-large reaches 277.65 tokens with WER 60.90. On LJ-Speech at 30 dB, Whisper-large reaches 229.08 tokens and WER 54.13.
The paper repeatedly emphasizes that MORE preserves the accuracy attack strength of PGD-like methods while adding a substantial efficiency burden that accuracy-only attacks do not induce. This is especially visible on larger Whisper models, where MORE often attains both much longer outputs and substantially higher WER than the efficiency-only baseline SlothSpeech. The qualitative outputs also show that the attack does not merely elongate transcripts with random symbols; it tends to induce semantically coherent local loops.
6. Component roles, computational implications, and limitations
The ablation study clarifies how the staged design distributes functionality. On LJ-Speech at 35 dB, full MORE yields WER 90.85 and length 296.66. The reported variants are:
| Variant | WER | Length |
|---|---|---|
| Full MORE | 90.85 | 296.66 |
| w/o 4 | 27.58 | 293.03 |
| w/o 5 | 93.63 | 30.60 |
| w/o 6 | 88.89 | 233.84 |
| w/o REDO | 87.58 | 120.67 |
These numbers show a precise functional separation. Removing 7 leaves output inflation largely intact but sharply reduces transcription corruption. Removing 8 produces a conventional accuracy attack with little elongation. Removing EOS suppression reduces length, but removing REDO produces a much larger efficiency collapse, establishing REDO as the principal driver of extreme transcript inflation. The paper also reports that removing both REDO and 9 yields WER 47.10 and length 116.05, close to SlothSpeech-like behavior, while removing both 0 and 1 yields WER 6.97 and length 270.21, indicating that REDO alone can sustain inefficient generation but not reliable recognition corruption (Gao et al., 5 Jan 2026).
The computational appendix ties output length directly to inference cost. The inference complexity is written as
2
where 3 is the number of encoder frames, 4 is vocabulary size, and 5 is adversarial output length. The slowdown relative to clean decoding is approximately quadratic in decoder length because of self-attention. The appendices further report that MORE increases per-example inference FLOPs for Whisper by roughly 9× to 14×, depending on model size.
The study is nevertheless bounded by its setting. It is explicitly white-box and digital; transferability and physical attacks are not the focus. No defense is comprehensively evaluated. The authors suggest decoding-time repetition or loop detectors, band-limiting or input-time filtering, and adversarial training focused on EOS and repetition pathologies. This suggests that the principal contribution of MORE is diagnostic as much as algorithmic: it exposes an underexamined failure mode in autoregressive ASR, namely that robustness must be evaluated not only in terms of whether a model is correct, but also in terms of whether it remains computationally well-behaved under perturbation.