NOICE Attack: Covert Noise-Based Adversaries

Updated 30 December 2025

NOICE Attack is an adversarial methodology that transforms benign noise into a carrier for covert, harmful instructions in AI systems.
In audio, techniques like the ENJ evolutionary algorithm mix harmful waveforms with environmental noise to achieve high attack success rates.
In vision, procedural noise generates universal perturbations that mislead image classifiers, highlighting weaknesses in deep learning defenses.

A NOICE Attack is an adversarial methodology in which noise, typically perceived as an innocuous and unstructured perturbation by humans, is algorithmically crafted into a covert carrier of actionable instructions for AI models such as Large Speech Models (LSMs) or Deep Neural Networks (DNNs). Unlike conventional adversarial examples that conceal semantically aligned triggers, the NOICE paradigm leverages ambient, environmental, or procedurally generated noise—optimized through algorithmic processes—to induce misclassification, model evasion, or even “jailbreak” behaviors in targeted systems, all while retaining perceptual stealth. The viability and impact of NOICE-style attacks have been rigorously evaluated in both the audio/speech and image domains via recent methods such as Evolutionary Noise Jailbreak (ENJ) for LSMs (Zhang et al., 14 Sep 2025) and procedural noise universal adversarial perturbations for vision models (Yan et al., 2021).

1. Core Principles and Mechanisms

The NOICE Attack paradigm is characterized by embedding semantically meaningful or harmful content into noise representations that remain unremarkable to human perception. In speech, this involves time-domain or environmental noises masking latent instructions, while in images, visually innocuous textures (e.g., Simplex or Worley noise) disguise adversarial directions. Such attacks exploit the high capacity and non-linear feature extractors of modern models to recover and act on the “hidden” instructions, exposing critical vulnerabilities in model alignment and input preprocessing.

For LSMs, the ENJ approach formulates the attack as a black-box optimization problem over audio signals, where each candidate audio $A\in\mathbb{R}^T$ (at 16 kHz) is synthesized by mixing a harmful instruction waveform $A_\mathrm{harm}$ and environmental noise $N_k$ , constrained by a mixing coefficient $\alpha\in[0.4,0.6]$ to maintain stealth. The attack objective function maximizes the Harmfulness Score $HS(A)$ , computed by a safety-evaluation module ( $\Phi$ ), typically an advanced LLM-as-Judge that assesses if the transcript $\mathcal{T}(A)$ from the LSM matches the intended harmful instruction $P_\mathrm{harm}$ (Zhang et al., 14 Sep 2025).

In computer vision, procedural adversarial noise attacks utilize noise functions such as Simplex and Worley noise, generating universal perturbations $\Delta$ added to images without requiring model gradients or data-specific priors. The attack success is typically evaluated as the Universal Evasion Rate on holdout datasets (Yan et al., 2021).

2. NOICE Attack Construction: Audio and Vision Domains

For LSMs, ENJ (Evolutionary Noise Jailbreak) operationalizes NOICE attacks through a genetic algorithm pipeline comprising:

Population Initialization: Each audio candidate is generated by linearly mixing $A_\mathrm{harm}$ and a randomly selected $N_k$ with $\alpha\sim U(0.4,0.6)$ , zero-padded and band-pass filtered for uniformity.
Crossover Fusion: The elite set (top 50%) is identified, and offspring are created by randomly blending elite parent pairs using $\beta\sim U(0.2,0.7)$ .
Probabilistic Mutation: With probability $p_m=0.3$ , a random noise sample at low intensity ( $\gamma=0.1$ ) is injected to maintain diversity and optimize the covert capacity of the noise.
Selection and Termination: Generations proceed until a candidate achieves maximum harmfulness ( $HS=5$ ) or a fixed upper limit of iterations (Zhang et al., 14 Sep 2025).

For image classifiers, procedural adversarial noise attacks implement:

Noise Generation: Procedural noise (Simplex or Worley) is parameterized by spatial (for Simplex) or point count (for Worley) hyperparameters.
Perturbation Application: The universal perturbation $\Delta$ is ℓ∞-normalized and added across the evaluation set, yielding perturbed images $I_\text{adv} = \text{clip}(I+\Delta, 0, 255)$ .
Black-box Optimization: No knowledge of model gradients or data statistics is required; hyperparameters are grid-searched for optimal evasion rates (Yan et al., 2021).

3. Quantitative Evaluation and Comparative Performance

Quantitative benchmarking of NOICE-style attacks demonstrates their efficacy and transferability:

LSM Audio Jailbreak (ENJ):

ENJ achieves dominant performance relative to several baselines (SSJ, BoN, AdaPPA, CodeAttack, and a naive text-to-audio pipeline). Key metrics include Harmfulness Score (HS) and Attack Success Rate (ASR, fraction with $HS\ge 4$ ). The empirical results for four major LSMs are:

Method	DiVA (HS/ASR)	MiniCPM (HS/ASR)	Qwen2-Audio (HS/ASR)	Qwen-Audio (HS/ASR)	AVG (HS/ASR)
SSJ	1.63 / 0.10	1.74 / 0.15	1.58 / 0.04	2.50 / 0.38	1.86 / 0.16
BoN	3.33 / 0.48	3.67 / 0.59	3.03 / 0.24	3.86 / 0.75	3.47 / 0.51
AdaPPA	1.05 / 0.01	1.05 / 0.01	1.88 / 0.18	1.09 / 0.01	1.26 / 0.05
CodeAttack	3.56 / 0.51	3.20 / 0.28	3.00 / 0.11	2.98 / 0.19	3.18 / 0.27
ΔT	1.04 / 0.43	1.14 / 0.36	1.55 / 0.67	1.11 / 0.25	1.27 / 0.44
ENJ	4.60 / 0.94	4.81 / 0.95	4.58 / 0.91	4.97 / 1.00	4.74 / 0.95

ENJ demonstrates an average ASR of 95%, with mean HS=4.74, surpassing best baselines by a wide margin. Generated audio is confirmed to be perceptually ambiguous as environmental noise to human listeners (Zhang et al., 14 Sep 2025).

Vision Model Universal Perturbation:

At a perturbation budget $\epsilon=0.0465$ , procedural noise attacks such as Simplex4D and Worley100 reach universal evasion rates of 0.51 and 0.63 (ImageNet/InceptionV3), outperforming several gradient-free and data-driven alternatives. For query-limited black-box settings, procedural approaches remain competitive (e.g., Simplex4D: 0.61 on VGG-19 vs. PixelAttack: 0.14) (Yan et al., 2021).

4. Embedding, Stealth, and Model Vulnerabilities

NOICE attacks leverage signal properties to optimize the tradeoff between embedding capacity and perceptual inconspicuousness:

LSM Embedding: Malicious instructions are encoded via direct time-domain mixture with environmental noise classes (keyboard, crowd, natural, mechanical sounds), normalized and zero-padded. No spectro-temporal transformations are performed; the LSM's own encoder deciphers the instruction.
Perceptual Stealth: Strict $\alpha$ mixing constraints and low-intensity mutations ensure output remains audio-ambient and non-suspicious even to attentive human listeners. Rhythmic and continuous noises are empirically favored as instruction carriers.
Model Sensitivity: Both speech and vision domains reveal models’ susceptibility to adversarial noise channels, where benign-appearing signals contain exploitable high-dimensional features not perceived by humans (Zhang et al., 14 Sep 2025, Yan et al., 2021).

A plausible implication is that the NOICE paradigm exposes a fundamental mismatch between model feature space capacity and natural input distribution, especially for high-capacity, overparameterized encoders.

5. Defenses and Countermeasures

Both speech and vision NOICE attacks are partially remediated—never wholly neutralized—by existing defense strategies:

Pre-processing and Denoising: Median, bilateral, and autoencoding filters (denoising AE) can restore robustness; e.g., on CIFAR-10, bilateral filters reach >85% accuracy after procedural noise attack (Yan et al., 2021).
Adversarial Training: Alignment fine-tuning using NOICE-evolved samples or universal perturbations as “hard negatives” improves baseline robustness. Ensemble adversarial training yields the highest robust accuracy on defended ImageNet models (up to ∼0.53) (Yan et al., 2021).
Input Sanitization: For LSMs, spectral-domain anomaly detection flags audio with cross-correlations to known instruction embeddings; pre-filtering rhythmic or non-speech signals can be effective.
Model-internal Monitoring: Monitoring encoder attention patterns for disproportionate focus on noise-like frequency bands may indicate adversarial activity (Zhang et al., 14 Sep 2025).

However, no single defense is universally effective; evolutionary and procedural attacks remain viable under most published mitigation strategies.

6. Relationship to Broader Adversarial Research

The NOICE Attack class is closely related to universal adversarial perturbations (UAPs), data-free attacks, and black-box optimization methods. Unlike targeted, minimal-norm perturbations, NOICE attacks favor high transferability, automation, and model/data agnosticism—facilitated by universal procedural functions or population-based optimization rather than gradient-following. The approach generalizes across domains (audio, vision) and architectures, underscoring a broader risk posed by high-dimensional noise as a covert adversarial channel (Yan et al., 2021, Zhang et al., 14 Sep 2025).

NOICE attacks contextualize the dual role of noise in model security: noise is not only a source of benign interference but, when actively optimized, a powerful carrier for covert adversarial instructions. The rapid progress in evolutionary and procedural attack pipelines emphasizes the evolving arms race between adversarial robustness and the search for perceptual stealth.