针对ASR系统的快速有目标自适应对抗攻击

doi:10.19665/j.issn1001-2400.2021.01.019

Abstract

Abstract:

Adversarial examples are malicious inputs designed to induce deep learning models to produce erroneous outputs,which make humans imperceptible by adding small perturbations to the input.Most research on adversarial examples is in the domain of image.Recently,studies on adversarial examples have expanded into the automatic speech recognition domain.The state-of-art attack on the ASR system comes from C &W,which aims to obtain the minimum perturbation that causes the model to be misclassified.However,this method is inefficient since it requires the optimization of two terms of loss functions at the same time,and usually requires thousands of iterations.In this paper,we propose an efficient approach based on strategies that maximize the likelihood of adversarial examples and target categories.A large number of experiments show that our attack achieves better results with fewer iterations.

Key words: deep neural networks(DNN), adversarial examples, speech recognition, machine learning, adversarial attacks

CLC Number:

TN912.34

ZHANG Shudong,GAO Haichang,CAO Xiwen,KANG Shuai. Adaptive fast and targeted adversarial attack for speech recognition[J].Journal of Xidian University, 2021, 48(1): 168-175.

Figures/Tables 5

References 15

[1]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[C/OL][2020-07-30].https://arxiv.org/abs/1312.6199v4.
[2]	GROSSE K, PAPEMOT N, MANOHARAN P, et al. Adversarial Perturbations against Deep Neural Networks for Malware Classification[J/OL].[2020-07-30].https://arxiv.org/pdf/1606.04435.pdf.
[3]	CARLINI N, WAGNER D. Audio Adversarial Examples:Targeted Attacks on Speech-to-text [C]//Proceedings of the 2018 IEEE Symposium on Security and Privacy Workshops.Piscataway:IEEE, 2018: 1-7.
[4]	AWNI H, CARL C, JARED C, et al.Deep Speech:Scaling Up End-to-end Speech Recognition[J/OL].[2020-07-30].https://arxiv.org/pdf/1412.5567.pdf.
[5]	CISSE M, ADI Y, NEVEROVA N, et al.Houdini:Fooling Deep Structured Prediction Models[C/OL].[ 2020- 07- 30]. http://papers.nips.cc/paper/7273-houdini-fooling-deep-structured-visual-and-speech-recognition-models-with-adversarial-examples.pdf.
[6]	LEA S, KATHARINA K, STEFFENZ, et al.Adversarial Attacks against Automatic Speech Recognition Systems via Psychoacoustic Hiding[J/OL].[2020-07-30].https://arxiv.org/pdf/1808.05665.pdf.
[7]	YUAN X, CHEN Y, ZHAO Y, et al. Commandersong:a Systematic Approach for Practical Adversarial Voice Recognition [C]//Proceedings of the 2018 27th USENIX Security Symposium.Berkeley:USENIX Association, 2018: 49-64.
[8]	YAKURA H, SAKUMA J.Robust Audio Adversarial Example for a Physical Attack[C/OL] .[2020-07-30].https://arxiv.org/abs/1810.11793v4.
[9]	QIN Y, CARLINI N, GOODFELLOW L, et al. Imperceptible,Robust,and Targeted Adversarial Examples for Automatic Speech Recognition [C]//Proceedings of the 2019 36th International Conference on Machine Learning.Lille:International Machine Learning Society, 2019: 9141-9150.
[10]	BOSI M, GOLDBERG R E.Introduction to Digital Audio Coding and Standards[M/OL].[2020-07-30].https://link.springer.com/book/10.1007%2F978-1-4615-0327-9.
[11]	SHEN J, NGUYEN P, WU Y, et al. Lingvo:a Modular and Scalable Framework for Sequence-to-sequence Modeling[J/OL].[2020-07-30].https://arxiv.org/abs/1902.08295v1.
[12]	LIU X, ZHANG X, WAN K, et al. Weighted-sampling Audio Adversarial Example Attack[J/OL].[2020-07-30].https://arxiv.org/pdf/1901.10300.pdf.
[13]	LI J B, QU S, LI X, et al. Adversarial Music:Real World Audio Adversary against Wake-word Detection System[C/OL].[2020-07-30].https://arxiv.org/abs/1911.00126?context=cs.CR.
[14]	HOCHREITER S, SCHMIDHUBER J. Long Short-term Memory[J]. Neural Computation, 1997,9(8):1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276
[15]	GRAVES A, FERNANDEZ S, GOMEZ F, et al. Connectionist Temporal Classification:Labelling Unsegmented Sequence Data with Recurrent Neural Networks [C]//Proceedings of the 2006 ACM International Conference on Machine Learning.New York:ACM, 2006: 369-376.

c	d_Bδ		W_er/%		I_ter		S_uc/%
c	MCVMCV		LSLS		MCVMCV		LSLS
0.1	-48.73	-47.10	102.92	135.23	4 950	5 000	1	0
1	-46.51	-46.58	80.86	122.30	4 869	5 000	6	0
10	-44.22	-42.81	36.60	76.70	4 178	4 798	42	6
100	-43.12	-42.68	5.77	3.94	3 495	3 960	85	84
1 000	-41.17	-40.58	0.29	0.00	2 802	2 688	99	100

ε	d_Bδ	I_ter	S_uc/%
300	-32.49	237	100
500	-28.65	227	100
800	-26.07	205	100
1 000	-25.32	199	100
1 500	-24.55	199	100
2 000	-24.34	199	100

α	d_Bδ		W_er/%		I_ter		S_uc/%
α	ε=300	ε=2 000	ε=300	ε=2 000	ε=300	ε=2 000	ε=300	ε=2 000
10	-32.49	-24.43	0.00	0.00	237	199	100	100
20	-32.44	-21.06	1.57	0.00	60	144	94	100
30	-32.37	-19.07	1.96	0.00	100	113	90	100
40	-32.37	-17.68	6.83	0.00	240	105	73	100
50	-32.37	-16.78	7.06	0.00	290	95	70	100
60	-32.37	-16.36	14.00	0.00	420	94	56	100
70	-32.37	-16.13	20.90	0.00	570	89	43	100
80	-32.37	-16.09	33.45	0.00	700	87	28	100
90	-32.37	-16.07	33.05	0.00	730	81	24	100
100	-32.37	-15.97	34.39	0.00	770	81	22	100

迭代次数	d_Bδ		W_er/%		I_ter		S_uc/%
迭代次数	MCV	LS	MCV	LS	MCV	LS	MCV	LS
100	-31.17	-24.81	0.69	5.90	97	96	98	68
300	-44.00	-38.17	0.00	0.00	287	276	100	100
500	-46.83	-42.58	0.00	0.00	442	443	100	100
1 000	-49.02	-45.60	0.00	0.00	660	772	100	100

Adaptive fast and targeted adversarial attack for speech recognition

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 15

Related Articles 9

Metrics

Comments

Recommended 10

[1]	QIAO Wenxin,LU Yu,LIU Yicen,LI Zhiwei,LI Xi. Dynamic scheduling method for service function chains in space air terrestrial aided edge cloud networks [J]. Journal of Xidian University, 2022, 49(2): 79-88.
[2]	ZENG Yong,WU Zhengyuan,DONG Lihua,LIU Zhihong,MA Jianfeng,LI Zan. Research on malicious traffic identification technology in encrypted traffic [J]. Journal of Xidian University, 2021, 48(3): 170-187.
[3]	WANG Junxiang,HUANG Lin,ZHANG Ying,NI Jiangqun,LIN Lang. Algorithm for the detection of a low complexity contrast enhanced image source [J]. Journal of Xidian University, 2021, 48(1): 96-106.
[4]	ZHANG Hua,GAO Haoran,YANG Xingguo,LI Wenmin,GAO Fei,WEN Qiaoyan. TargetedFool:an algorithm for achieving targeted attacks [J]. Journal of Xidian University, 2021, 48(1): 149-159.
[5]	YAN Lin,LIU Kai,DUAN Meiyu. Lightweight deep neural network for point cloud classification [J]. Journal of Xidian University, 2020, 47(2): 46-53.
[6]	BAI Jing,SHI Yanyan,XUE Peiyun,GUO Qianyan. CFCC feature extraction for fusion of the power-law nonlinearity function and spectral subtraction [J]. Journal of Xidian University, 2019, 46(1): 86-92.
[7]	YAO Hui;SUN Ying;ZHANG Xueying. Research on nonlinear dynamics features of emotional speech [J]. Journal of Xidian University, 2016, 43(5): 167-172.
[8]	CHEN Bin;ZHANG Lianhai;QU Dan;LI Bicheng. Regularized discriminative segmental feature transform method [J]. Journal of Xidian University, 2016, 43(2): 102-107.
[9]	LI Juan;WANG Yuping. New nearest neighbor affinity similarity function based on separation and compactness between samples [J]. J4, 2014, 41(3): 123-130.