Clean Label Attacks against SLU Systems

Henry Li Xinyuan, Sonal Joshi, Thomas Thebaud, Jesus Villalba, Najim Dehak, Sanjeev Khudanpur
2024-09-14
Abstract: Poisoning backdoor attacks involve an adversary manipulating the training data to induce certain behaviors in the victim model by inserting a trigger in the signal at inference time. We adapted clean label backdoor (CLBD) data poisoning attacks, which do not modify the training labels, on state-of-the-art speech recognition models that support/perform a Spoken Language Understanding task, achieving 99.8% attack success rate by poisoning 10% of the training data. We analyzed how varying the signal strength of the poison, percent of samples poisoned, and choice of trigger impact the attack. We also found that CLBD attacks are most successful when applied to training samples that are inherently hard for a proxy model. Using this strategy, we achieved an attack success rate of 99.3% by poisoning a meager 1.5% of the training data. Finally, we applied two previously developed defenses against gradient-based attacks, and found that they attain mixed success against poisoning.
Cryptography and Security, Machine Learning, Audio and Speech Processing
What problem does this paper attempt to address?
The problem this paper addresses is how to mount Clean Label Backdoor (CLBD) attacks on state-of-the-art speech recognition models that support Spoken Language Understanding (SLU) tasks. Specifically, the authors study the following questions:

1. **Adaptability**: How to apply CLBD attacks successfully to SLU tasks in the speech domain. CLBD attacks have been studied for image classification and audio classification, but relatively little work has addressed sequence tasks such as speech recognition and translation.
2. **Effectiveness**: How changing different parameters (trigger signal strength, the proportion of poisoned samples, and the choice of trigger) affects the attack success rate. They also study the effect of selecting specific training samples to poison, especially samples that are hard for a proxy model to classify.
3. **Defense mechanisms**: How well two existing defenses against adversarial attacks perform when facing the new CLBD attacks.
4. **Improvement strategies**: An improved CLBD attack, the ranked CLBD attack, which selects the samples to poison according to how close they are to the source category, thereby increasing the attack success rate.

### Main contributions

- Extend CLBD attacks to SLU tasks, achieving an attack success rate of 99.8% with only 10% of the training data poisoned.
- Propose an improved CLBD attack, the ranked CLBD attack. By selecting samples close to the source category, it achieves an attack success rate of 99.3% with only 1.5% of the training data poisoned.
- Analyze CLBD attacks along multiple dimensions, including trigger signal strength, sample selection strategy, and trigger location.
- Test and evaluate two existing defense methods in this new domain, finding that the filtering-type defense is more effective than the denoising-type defense.

### Experimental setup

- The experiments use the Fluent Speech Commands dataset, which contains 30,043 short utterances, each labeled with three intent frames (action, object, location).
- The SLU model is based on an RNN Transducer and implemented with the Icefall toolkit.
- The strength and location of the trigger and the proportion of poisoned samples are varied systematically to study their impact on the attack success rate.

### Results discussion

- At a low poisoning ratio (such as 1.5%), the ranked CLBD attack shows a very high success rate (99.3%), indicating that selecting the right samples to poison can substantially improve the attack's effectiveness.
- The strength and location of the trigger have a significant impact on the attack success rate. The best configuration inserts the trigger at the beginning of the utterance with a trigger loudness of at least 30 dB.
- Existing defense methods vary in their effect against CLBD attacks; the filtering-type defense is more effective than the denoising-type defense.

### Conclusion

The authors demonstrate the effectiveness of CLBD attacks on speech recognition and propose an improved attack strategy. They also point out that existing defenses have limitations against such attacks and that further research is needed to improve system robustness.
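The results above single out the trigger's loudness in dB and its placement at the utterance onset as the decisive knobs. As an added example, not code from the paper or from the Icefall toolkit, the following Python shows how a defender quantifies such levels over training audio and turns them into a simple data-sanitization screen: `relative_level_db` is the dB ratio behind a "trigger loudness" figure, and `flag_onset_burst` is a hypothetical heuristic that flags utterances whose first 0.1 s is far louder than the rest. The 12 dB threshold, the 0.1 s window, the 8 kHz sample rate and the sine-tone stand-ins for speech are all assumptions of this example; the paper's 30 dB figure is deliberately not used as the threshold, because the page does not say what it is measured relative to, and this screen is not the filtering-type defense the paper evaluates.

```python
import math

SAMPLE_RATE = 8000  # Hz, assumed for the constructed signals below


def rms_db(samples):
    """Root-mean-square level of a sample sequence in dB (20*log10 of the RMS).

    Returns -inf for an empty or silent sequence so comparisons still work."""
    if not samples:
        return float("-inf")
    rms = math.sqrt(sum(s * s for s in samples) / len(samples))
    return 20.0 * math.log10(rms) if rms > 0.0 else float("-inf")


def relative_level_db(signal_a, signal_b):
    """Level of signal_a relative to signal_b in dB: the quantity a
    'trigger loudness of N dB' figure refers to when the trigger is
    compared against the carrier utterance."""
    return rms_db(signal_a) - rms_db(signal_b)


def leading_segment_excess_db(samples, sample_rate=SAMPLE_RATE, window_s=0.1):
    """Level of the first window_s seconds relative to the remainder of the
    clip. A large positive value means an energetic burst sits at the onset,
    the trigger position the paper reports as most effective."""
    n = int(sample_rate * window_s)
    head, tail = samples[:n], samples[n:]
    return relative_level_db(head, tail)


def flag_onset_burst(samples, threshold_db=12.0, sample_rate=SAMPLE_RATE, window_s=0.1):
    """Screening heuristic (an assumption of this example, not the paper's
    defense): flag a training utterance whose onset is more than threshold_db
    louder than the rest of the clip, so it can be reviewed before training."""
    return leading_segment_excess_db(samples, sample_rate, window_s) > threshold_db


def sine(freq_hz, amplitude, n_samples, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a pure tone of the given amplitude."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * k / sample_rate)
            for k in range(n_samples)]


def build_clean_utterance():
    """Constructed stand-in for a clean utterance: one second of a 220 Hz tone
    at amplitude 0.1. Real speech is not a sine, but the screen is level-based."""
    return sine(220.0, 0.1, SAMPLE_RATE)


def build_onset_burst_utterance(burst_amplitude=1.0, burst_s=0.1):
    """Constructed test input: the clean stand-in with a 1 kHz tone added over
    its first burst_s seconds, so the screen has something to fire on. It
    models only the property the screen measures (an energetic onset)."""
    clean = build_clean_utterance()
    n = int(SAMPLE_RATE * burst_s)
    burst = sine(1000.0, burst_amplitude, n)
    return [c + b for c, b in zip(clean[:n], burst)] + clean[n:]


if __name__ == "__main__":
    clean = build_clean_utterance()
    burst = build_onset_burst_utterance()
    print(f"clean onset excess: {leading_segment_excess_db(clean):.2f} dB "
          f"-> flagged={flag_onset_burst(clean)}")
    print(f"burst onset excess: {leading_segment_excess_db(burst):.2f} dB "
          f"-> flagged={flag_onset_burst(burst)}")
```

On the constructed inputs the clean tone has an onset excess of about 0 dB and is not flagged, while the clip with the added 1 kHz burst shows an excess of about 20 dB (the burst's RMS is ten times the carrier's, i.e. 20 dB above it) and is flagged. On real speech the window size and threshold would have to be tuned against the natural onset variation of the corpus, which is why they are marked as assumptions here.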