Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding

Schönherr, Lea; Kohls, Katharina; Zeiler, Steffen; Holz, Thorsten; Kolossa, Dorothea

doi:10.14722/ndss.2019.23288

Cited by 194 publications

(171 citation statements)

References 36 publications

Supporting

Mentioning

157

Contrasting

Order By: Relevance

“…They also showed that such samples could be played over-the-air and even transfered to another commercial black-box speech model. In addition, [44] use psychoacoustic hiding method to inject command into audios and attack Kaldi without human realization. Our work differ with them as our attack could compromise Amazon Echo and can be launched in a long range.…”

Section: Related Workmentioning

confidence: 99%

Manipulating Users’ Trust on Amazon Echo: Compromising Smart Home from Outside

Yuxuan¹,

Yuan²,

Wang³

et al. 2020

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

Nowadays, voice control becomes a popular application that allows people to communicate with their devices more conveniently. Amazon Echo, designed around Alexa, is capable of controlling devices, e.g., smart lights, etc. Moreover, with the help of IFTTT (if-this-then-that) service, Amazon Echo's skill set gets improved significantly. However, people who are enjoying these conveniences may not take security into account. Hence, it becomes important to carefully scrutinize the Echo's voice control attack surface and the corresponding impacts. In this paper, we proposed MUTAE (Manipulating Users' Trust on Amazon Echo) attack to remotely compromise Echo's voice control interface. We also conducted security analysis and performed taxonomy based on different consequences considering the level of trust that users have placed on Echo. Finally, we also proposed mitigation techniques that protect Echo from MUTAE attack.

show abstract

Section: Related Workmentioning

confidence: 99%

Manipulating Users’ Trust on Amazon Echo: Compromising Smart Home from Outside

Yuxuan¹,

Yuan²,

Wang³

et al. 2020

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

show abstract

“…The CTC-loss between the target phrase and the network's output is backpropagated through the victim neural network and the MFCC computation, to update the additive adversarial perturbation. The adversarial samples generated by this work are quasi-perceptible, motivating a separate work [30] to minimize the perceptibility of the adversarial perturbations using psychoacoustic hiding.…”

Section: Related Workmentioning

confidence: 99%

Universal Adversarial Perturbations for Speech Recognition Systems

Neekhara¹,

Hussain²,

Pandey³

et al. 2019

Interspeech 2019

View full text Add to dashboard Cite

In this work, we demonstrate the existence of universal adversarial audio perturbations that cause mis-transcription of audio signals by automatic speech recognition (ASR) systems. We propose an algorithm to find a single quasi-imperceptible perturbation, which when added to any arbitrary speech signal, will most likely fool the victim speech recognition model. Our experiments demonstrate the application of our proposed technique by crafting audio-agnostic universal perturbations for the state-of-the-art ASR system -Mozilla DeepSpeech. Additionally, we show that such perturbations generalize to a significant extent across models that are not available during training, by performing a transferability test on a WaveNet based ASR system.

show abstract

“…Adversarial attacks are a well-known vulnerability of neural networks [24]. For instance, a self-driving car can be tricked into confusing a stop sign with a speed limit sign [9], or a home automation system can be commanded to deactivate the security camera by a voice reciting poetry [22]. The attack is carried out by superposing the innocuous input with a crafted perturbation that is imperceptible to humans.…”

Section: Introductionmentioning

confidence: 99%

How Many Bits Does it Take to Quantize Your Neural Network?

Giacobbe

Henzinger

Lechner

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Quantization converts neural networks into low-bit fixed-point computations which can be carried out by efficient integer-only hardware, and is standard practice for the deployment of neural networks on real-time embedded devices. However, like their real-numbered counterpart, quantized networks are not immune to malicious misclassification caused by adversarial attacks. We investigate how quantization affects a network’s robustness to adversarial attacks, which is a formal verification question. We show that neither robustness nor non-robustness are monotonic with changing the number of bits for the representation and, also, neither are preserved by quantization from a real-numbered network. For this reason, we introduce a verification method for quantized neural networks which, using SMT solving over bit-vectors, accounts for their exact, bit-precise semantics. We built a tool and analyzed the effect of quantization on a classifier for the MNIST dataset. We demonstrate that, compared to our method, existing methods for the analysis of real-numbered networks often derive false conclusions about their quantizations, both when determining robustness and when detecting attacks, and that existing methods for quantized networks often miss attacks. Furthermore, we applied our method beyond robustness, showing how the number of bits in quantization enlarges the gender bias of a predictor for students’ grades.

show abstract

Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding

Cited by 194 publications

References 36 publications

Manipulating Users’ Trust on Amazon Echo: Compromising Smart Home from Outside

Manipulating Users’ Trust on Amazon Echo: Compromising Smart Home from Outside

Universal Adversarial Perturbations for Speech Recognition Systems

How Many Bits Does it Take to Quantize Your Neural Network?

Contact Info

Product

Resources

About