SoK: A Modularized Approach to Study the Security of Automatic Speech Recognition Systems

Chen, Yuxuan; Zhang, Jiangshan; Yuan, Xuejing; Zhang, Shengzhi; Chen, Kai; Guo, Shanqing

doi:10.1145/3510582

Cited by 14 publications

(5 citation statements)

References 92 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Adversarial attacks and defenses in the speech and speaker recognition domains recently have attracted intensive attention. Though both of them share a similar feature extraction pipeline, they perform different tasks and speaker recognition owns unique enrollment phase and decision making mechanism [15], [80]. Thus, in this section, we do not discuss adversarial attacks and defenses that focus on speech recognition [34], [60], [65], [81], [82], [83], [84], [85], [86], [87] (cf.…”

Section: Related Workmentioning

confidence: 99%

“…Thus, in this section, we do not discuss adversarial attacks and defenses that focus on speech recognition [34], [60], [65], [81], [82], [83], [84], [85], [86], [87] (cf. [63], [80] for survey). There are other voice attacks in the speaker recognition domain, such as hidden voice attacks [78] and spoofing attacks [79], [88], [89], [90], [91], [92].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

Chen¹,

Zhao²,

Fu³

et al. 2022

Preprint

View full text Add to dashboard Cite

Speaker recognition systems (SRSs) have recently been shown to be vulnerable to adversarial attacks, raising significant security concerns. In this work, we systematically investigate transformation and adversarial training based defenses for securing SRSs. According to the characteristic of SRSs, we present 22 diverse transformations and thoroughly evaluate them using 7 recent promising adversarial attacks (4 white-box and 3 black-box) on speaker recognition. With careful regard for best practices in defense evaluations, we analyze the strength of transformations to withstand adaptive attacks. We also evaluate and understand their effectiveness against adaptive attacks when combined with adversarial training. Our study provides lots of useful insights and findings, many of them are new or inconsistent with the conclusions in the image and speech recognition domains, e.g., variable and constant bit rate speech compressions have different performance, and some non-differentiable transformations remain effective against current promising evasion techniques which often work well in the image domain. We demonstrate that the proposed novel feature-level transformation combined with adversarial training is rather effective compared to the sole adversarial training in a complete white-box setting, e.g., increasing the accuracy by 13.62% and attack cost by two orders of magnitude, while other transformations do not necessarily improve the overall defense capability. This work sheds further light on the research directions in this field. We also release our evaluation platform SPEAKERGUARD to foster further research.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

Chen¹,

Zhao²,

Fu³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Adversarial attacks and defenses in speech and speaker recognitions have attracted intensive attention. Though the modern speech recognition and speaker recognition systems are very similar to each other, they perform different tasks and differ at the last stage of the processing [12,27,29]. Thus, in this section, we do not discuss adversarial attacks and defenses for speech recognition [14,23,26,28,62,75,94,111,113,114] (cf.…”

Section: Related Workmentioning

confidence: 99%

“…Thus, in this section, we do not discuss adversarial attacks and defenses for speech recognition [14,23,26,28,62,75,94,111,113,114] (cf. [12,29] for survey).…”

Section: Related Workmentioning

confidence: 99%

SEC4SR: A Security Analysis Platform for Speaker Recognition

Chen¹,

Zhao²,

Song³

et al. 2021

Preprint

View full text Add to dashboard Cite

Adversarial attacks have been expanded to speaker recognition (SR). However, existing attacks are often assessed using different SR models, recognition tasks and datasets, and only few adversarial defenses borrowed from computer vision are considered. Yet, these defenses have not been thoroughly evaluated against adaptive attacks. Thus, there is still a lack of quantitative understanding about the strengths and limitations of adversarial attacks and defenses. More effective defenses are also required for securing SR systems.To bridge this gap, we present SEC4SR, the first platform enabling researchers to systematically and comprehensively evaluate adversarial attacks and defenses in SR. SEC4SR incorporates 4 white-box and 2 black-box attacks, 24 defenses including our novel feature-level transformations. It also contains techniques for mounting adaptive attacks. Using SEC4SR, we conduct thus far the largest-scale empirical study on adversarial attacks and defenses in SR, involving 23 defenses, 15 attacks and 4 attack settings. Our study provides lots of useful findings that may advance future research: such as (1) all the transformations slightly degrade accuracy on benign examples and their effectiveness vary with attacks;(2) most transformations become less effective under adaptive attacks, but some transformations become more effective;(3) few transformations combined with adversarial training yield stronger defenses over some but not all attacks, while our feature-level transformation combined with adversarial training yields the strongest defense over all the attacks. Extensive experiments demonstrate capabilities and advantages of SEC4SR which can benefit future research in SR.

show abstract

“…When this method decomposes a complex problem into a set of sub-problems, problems, such as easily falling into the local optimum and poor solution accuracy for each sub-problem, arise. Chen et al[66] enhance a simple substitute model to roughly approximate the target black-box model with a more advanced white-box model. They find that such an approach can generate highly transferable adversarial examples.…”

mentioning

confidence: 99%

Adversarial example‐based test case generation for black‐box speech recognition systems

Cai

Zhang

Dong

et al. 2023

Software Testing Verif & Rel

View full text Add to dashboard Cite

Test case generation techniques based on adversarial examples are commonly used to enhance the reliability and robustness of image-based and text-based machine learning applications. However, efficient techniques for speech recognition systems are still absent. This paper proposes a family of methods that generate targeted adversarial examples for speech recognition systems. All are based on the firefly algorithm (F), and are enhanced with gauss mutations and / or gradient estimation (F-GM, F-GE, F-GMGE) to fit the specific problem of targeted adversarial test case generation. We conduct an experimental evaluation on three different types of speech datasets, including Google Command, Common Voice and LibriSpeech. In addition, we recruit volunteers to evaluate the performance of the adversarial examples. The experimental results show that, compared with existing approaches, these approaches can effectively improve the success rate of the targeted adversarial example generation. The code is publicly available at https://github.com/HanboCai/FGMGE.

show abstract

SoK: A Modularized Approach to Study the Security of Automatic Speech Recognition Systems

Cited by 14 publications

References 92 publications

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition

SEC4SR: A Security Analysis Platform for Speaker Recognition

Adversarial example‐based test case generation for black‐box speech recognition systems

Contact Info

Product

Resources

About