Lanqing Yang,Xinqi Chen,Xiangyong Jian,Leping Yang,Yijie Li,Qianfei Ren,Yi-Chao Chen,Guangtao Xue,Xiaoyu Ji

2023-01-01

Abstract:Speech recognition (SR) systems are used on smartphones and speakers to make inquiries, compose emails, and initiate phone calls. However, they also impose a severe security risk. Researchers have demonstrated that the introduction of certain sounds can threaten the security of SR systems. Nonetheless, most of those methods require that the attacker approach within a short distance of the victim, thereby limiting the applicability of such schemes. Other researchers have attacked SR systems remotely using peripheral devices (e.g., lasers); however, those methods require line-of-sight access and an always-on speaker in the vicinity of the victim. To the best of our knowledge, this paper presents the first-ever scheme, named SINGATTACK, in which SR systems are manipulated by human-like sounds generated in the switching mode power supply of the victim's device. The fact that attack signals are transmitted via the power grid enables long-range attacks on existing SR systems. In experiments on ten SR systems, SINGATTACK achieved Mel-Cepstral Distortion of 7.8 from an attack initiated at a distance of 23m.

Xinfeng Li,Xiaoyu Ji,Chen Yan,Chaohao Li,Yichen Li,Zhenning Zhang,Wenyuan Xu

2023-01-01

Abstract:Inaudible voice attacks silently inject malicious voice commands into voice assistants to manipulate voice-controlled devices such as smart speakers. To alleviate such threats for both existing and future devices, this paper proposes NormDetect, a software-based mitigation that can be instantly applied to a wide range of devices without requiring any hardware modification. To overcome the challenge that the attack patterns vary between devices, we design a universal detection model that does not rely on audio features or samples derived from specific devices. Unlike existing studies' supervised learning approach, we adopt unsupervised learning inspired by anomaly detection. Though the patterns of inaudible voice attacks are diverse, we find that benign audios share similar patterns in the time-frequency domain. Therefore, we can detect the attacks (the anomaly) by learning the patterns of benign audios (the normality). NormDetect maps spectrum features to a low-dimensional space, performs similarity queries, and replaces them with the standard feature embeddings for spectrum reconstruction. This results in a more significant reconstruction error for attacks than normality. Evaluation based on the 383,320 test samples we collected from 24 smart devices shows an average AUC of 99.48% and EER of 2.23%, suggesting the effectiveness of NormDetect in detecting inaudible voice attacks.

Tiantian Liu,Chao Wang,Zhengxiong Li,Ming-Chun Huang,Wenyao Xu,Feng Lin

DOI: https://doi.org/10.1145/3597457

2024-01-01

ACM Transactions on Sensor Networks

Abstract:As automatic speech recognition evolves, deployment of the voice user interface (VUI) has boomingly expanded. Especially since the COVID-19 pandemic, the VUI has gained more attention in online communication owing to its non-contact property. However, the VUI struggles to be applied in public scenes due to the degradation of received audio signals caused by various ambient noises. In this article, we propose Wavoice , the first noise-resistant multi-modal speech recognition system that fuses two distinct voices sensing modalities (i.e., millimeter-wave signals and audio signals from a microphone) together. One key contribution is to model the inherent correlation between millimeter-wave and audio signals. Based on it, Wavoice facilitates the real-time noise-resistant voice activity detection and user targeting from multiple speakers. Additionally, we elaborate on two novel modules for multi-modal fusion embedded into the neural network, leading to accurate speech recognition. Extensive experiments prove the effectiveness of Wavoice under adverse conditions—that is, the character recognition error rate below 1% in a range of 7 m. In terms of robustness and accuracy, Wavoice considerably outperforms existing audio-only speech recognition methods with lower character error and word error rates.

Tiantian Liu,Chao Wang,Zhengxiong Li,Ming-Chun Huang,Wenyao Xu,Feng Lin

DOI: https://doi.org/10.1145/3597457

2024-01-01

ACM Transactions on Sensor Networks

Abstract:As automatic speech recognition evolves, deployment of the voice user interface (VUI) has boomingly expanded. Especially since the COVID-19 pandemic, the VUI has gained more attention in online communication owing to its non-contact property. However, the VUI struggles to be applied in public scenes due to the degradation of received audio signals caused by various ambient noises. In this article, we propose Wavoice, the first noise-resistant multi-modal speech recognition system that fuses two distinct voices sensing modalities (i.e., millimeter-wave signals and audio signals from a microphone) together. One key contribution is to model the inherent correlation between millimeter-wave and audio signals. Based on it, Wavoice facilitates the real-time noise-resistant voice activity detection and user targeting from multiple speakers. Additionally, we elaborate on two novel modules for multi-modal fusion embedded into the neural network, leading to accurate speech recognition. Extensive experiments prove the effectiveness of Wavoice under adverse conditions-that is, the character recognition error rate below 1% in a range of 7 m. In terms of robustness and accuracy, Wavoice considerably outperforms existing audio-only speech recognition methods with lower character error and word error rates.

Tiantian Liu,Chao Wang,Zhengxiong Li,Ming-Chun Huang,Wenyao Xu,Feng Lin

DOI: https://doi.org/10.1145/3597457

2022-01-01

ACM Transactions on Sensor Networks

Abstract:As automatic speech recognition evolves, the deployment of voice user interface has boomingly expanded. Especially since the COVID-19 pandemic, VUI has gained more attention in online communication owing to its non-contact property. However, VUI struggles to be applied in public scenes due to the degradation of received audio signals caused by various ambient noises. In this paper, we propose Wavoice , the first noise-resistant multi-modal speech recognition system that fuses two distinct voice sensing modalities, i.e., millimeter-wave (mmWave) signals and audio signals from a microphone, together. One key contribution is to model the inherent correlation between mmWave and audio signals. Based on it, Wavoice facilitates the real-time noise-resistant voice activity detection and user targeting from multiple speakers. Additionally, we elaborate on two novel modules for multi-modal fusion embedded into the neural network, leading to accurate speech recognition. Extensive experiments prove the effectiveness of Wavoice under adverse conditions, that is, the character recognition error rate below 1 \(\% \) in a range of 7 meters. In terms of robustness and accuracy, Wavoice considerably outperforms existing audio-only speech recognition methods with lower character error rate and word error rate.

Xiaojiao Chen,Sheng Li,Hao Huang

DOI: https://doi.org/10.3390/app11188450

2021-09-12

Applied Sciences

Abstract:Voice Processing Systems (VPSes), now widely deployed, have become deeply involved in people’s daily lives, helping drive the car, unlock the smartphone, make online purchases, etc. Unfortunately, recent research has shown that those systems based on deep neural networks are vulnerable to adversarial examples, which attract significant attention to VPS security. This review presents a detailed introduction to the background knowledge of adversarial attacks, including the generation of adversarial examples, psychoacoustic models, and evaluation indicators. Then we provide a concise introduction to defense methods against adversarial attacks. Finally, we propose a systematic classification of adversarial attacks and defense methods, with which we hope to provide a better understanding of the classification and structure for beginners in this field.

Chen Wang,S. Abhishek Anand,Jian Liu,Payton Walker,Yingying Chen,Nitesh Saxena

DOI: https://doi.org/10.1145/3359789.3359830

2019-01-01

Abstract:Voice access technologies are widely adopted in mobile devices and voice assistant systems as a convenient way of user interaction. Recent studies have demonstrated a potentially serious vulnerability of the existing voice interfaces on these systems to "hidden voice commands". This attack uses synthetically rendered adversarial sounds embedded within a voice command to trick the speech recognition process into executing malicious commands, without being noticed by legitimate users. In this paper, we employ low-cost motion sensors, in a novel way, to detect these hidden voice commands. In particular, our proposed system extracts and examines the unique audio signatures of the issued voice commands in the vibration domain. We show that such signatures of normal commands vs. synthetic hidden voice commands are distinctive, leading to the detection of the attacks. The proposed system, which benefits from a speaker-motion sensor setup, can be easily deployed on smartphones by reusing existing on-board motion sensors or utilizing a cloud service that provides the relevant setup environment. The system is based on the premise that while the crafted audio features of the hidden voice commands may fool an authentication system in the audio domain, their unique audio-induced surface vibrations captured by the motion sensor are hard to forge. Our proposed system creates a harder challenge for the attacker as now it has to forge the acoustic features in both the audio and vibration domains, simultaneously. We extract the time and frequency domain statistical features, and the acoustic features (e.g., chroma vectors and MFCCs) from the motion sensor data and use learning-based methods for uniquely determining both normal commands and hidden voice commands. The results show that our system can detect hidden voice commands vs. normal commands with 99.9% accuracy by simply using the low-cost motion sensors that have very low sampling frequencies.

Zhanjun Hao,Jianxiang Peng,Xiaochao Dang,Hao Yan,Ruidong Wang

DOI: https://doi.org/10.3390/s22239309

2022-11-29

Abstract:With the increasing popularity of smart devices, users can control their mobile phones, TVs, cars, and smart furniture by using voice assistants, but voice assistants are susceptible to intrusion by outsider speakers or playback attacks. In order to address this security issue, a millimeter-wave radar-based voice security authentication system is proposed in this paper. First, the speaker's fine-grained vocal cord vibration signal is extracted by eliminating static object clutter and motion effects; second, the weighted Mel Frequency Cepstrum Coefficients (MFCCs) are obtained as biometric features; and finally, text-independent security authentication is performed by the WMHS (Weighted MFCCs and Hog-based SVM) method. This system is highly adaptable and can authenticate designated speakers, resist intrusion by other unspecified speakers as well as playback attacks, and is secure for smart devices. Extensive experiments have verified that the system achieves a 93.4% speaker verification accuracy and a 5.8% miss detection rate for playback attacks.

Zhaoxia HE,Ping PAN,Hui LUO

DOI: https://doi.org/10.11857/j.issn.1674-5124.2017.02.020

2017-01-01

Abstract:To address the social security issue brought up by voice transformation software, a method for sound signal tamper detection is proposed. Firstly, with the extraction method of Mel frequency cepstral coefficients (MFCC), Duffing frequency cepstral coefficients(DFCC) characteristic parameters of audio signals are extracted based on the human hearing characteristics and chaos characteristics of speech signal. Then, the amplitude of characteristic parameters is enhanced and support vector machine(SVM) is used to classify the characteristic parameters and characteristics in corpus. In case of successful classification, the audio signal will be judged whether it is tampered as per the size of the amplitude enhanced. Meanwhile, the speaker gender will be judged according to the size of the amplitude enhanced and the gender of the audio. Through a large number of experiments, it shows that the method has stable performance and high accuracy both in the audio signal tampering detection and audio speaker real gender judgement.

Yao Wang,Wandong Cai,Tao Gu,Wei Shao,Yannan Li,Yong Yu

DOI: https://doi.org/10.1145/3369811

2019-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Voice control has attracted extensive attention recently as it is a prospective User Interface (UI) to substitute for conventional touch control on smart devices. Voice assistants have become increasingly popular in our daily lives, especially for those people who are visually impaired. However, the inherently insecure nature of voice biometrics means that voice assistants are vulnerable to spoofing attacks as evidenced by security experts. To secure the commands for voice assistants, in this paper, we present a liveness detection system that provides continuous speaker verification on smart devices. The basic aim is to match the voice received by the smart device's microphone with the oral airflow of the user when speaking a command. The airflow is captured by an auxiliary commercial off-the-shelf airflow sensor. Specifically, we establish a theoretical model to depict the relationship between the oral airflow pressure and the phonemes in users' speech. The system estimates a series of pressures from the speech according to the theoretical model, and then calculates the consistency between the estimated pressure signal and the actual pressure signal measured by the airflow sensor to determine whether a command is a genuine "live" voice or an artificially generated one. We evaluate the system with 26 participants and 30 different voice commands. The evaluation showed that our system achieves an overall accuracy of 97.25% with an Equal Error Rate (EER) of 2.08%.

Robert Chang,Logan Kuo,Arthur Liu,Nader Sehatbakhsh

DOI: https://doi.org/10.48550/arXiv.2112.13144

2021-12-25

Abstract:As the use of Voice Processing Systems (VPS) continues to become more prevalent in our daily lives through the increased reliance on applications such as commercial voice recognition devices as well as major text-to-speech software, the attacks on these systems are increasingly complex, varied, and constantly evolving. With the use cases for VPS rapidly growing into new spaces and purposes, the potential consequences regarding privacy are increasingly more dangerous. In addition, the growing number and increased practicality of over-the-air attacks have made system failures much more probable. In this paper, we will identify and classify an arrangement of unique attacks on voice processing systems. Over the years research has been moving from specialized, untargeted attacks that result in the malfunction of systems and the denial of services to more general, targeted attacks that can force an outcome controlled by an adversary. The current and most frequently used machine learning systems and deep neural networks, which are at the core of modern voice processing systems, were built with a focus on performance and scalability rather than security. Therefore, it is critical for us to reassess the developing voice processing landscape and to identify the state of current attacks and defenses so that we may suggest future developments and theoretical improvements.

Cryptography and Security,Artificial Intelligence

Wenhan Yao,Jiangkun Yang,Yongqiang He,Jia Liu,Weiping Wen

2024-10-18

Abstract:Speech recognition is an essential start ring of human-computer interaction, and recently, deep learning models have achieved excellent success in this task. However, when the model training and private data provider are always separated, some security threats that make deep neural networks (DNNs) abnormal deserve to be researched. In recent years, the typical backdoor attacks have been researched in speech recognition systems. The existing backdoor methods are based on data poisoning. The attacker adds some incorporated changes to benign speech spectrograms or changes the speech components, such as pitch and timbre. As a result, the poisoned data can be detected by human hearing or automatic deep algorithms. To improve the stealthiness of data poisoning, we propose a non-neural and fast algorithm called Random Spectrogram Rhythm Transformation (RSRT) in this paper. The algorithm combines four steps to generate stealthy poisoned utterances. From the perspective of rhythm component transformation, our proposed trigger stretches or squeezes the mel spectrograms and recovers them back to signals. The operation keeps timbre and content unchanged for good stealthiness. Our experiments are conducted on two kinds of speech recognition tasks, including testing the stealthiness of poisoned samples by speaker verification and automatic speech recognition. The results show that our method has excellent effectiveness and stealthiness. The rhythm trigger needs a low poisoning rate and gets a very high attack success rate.

Sound,Artificial Intelligence,Audio and Speech Processing

Hanqing Guo,Qiben Yan,Nikolay Ivanov,Ying Zhu,Li Xiao,Eric J. Hunter

DOI: https://doi.org/10.48550/arXiv.2205.14496

2022-05-29

Abstract:Voice-activated systems are integrated into a variety of desktop, mobile, and Internet-of-Things (IoT) devices. However, voice spoofing attacks, such as impersonation and replay attacks, in which malicious attackers synthesize the voice of a victim or simply replay it, have brought growing security concerns. Existing speaker verification techniques distinguish individual speakers via the spectrographic features extracted from an audible frequency range of voice commands. However, they often have high error rates and/or long delays. In this paper, we explore a new direction of human voice research by scrutinizing the unique characteristics of human speech at the ultrasound frequency band. Our research indicates that the high-frequency ultrasound components (e.g. speech fricatives) from 20 to 48 kHz can significantly enhance the security and accuracy of speaker verification. We propose a speaker verification system, SUPERVOICE that uses a two-stream DNN architecture with a feature fusion mechanism to generate distinctive speaker models. To test the system, we create a speech dataset with 12 hours of audio (8,950 voice samples) from 127 participants. In addition, we create a second spoofed voice dataset to evaluate its security. In order to balance between controlled recordings and real-world applications, the audio recordings are collected from two quiet rooms by 8 different recording devices, including 7 smartphones and an ultrasound microphone. Our evaluation shows that SUPERVOICE achieves 0.58% equal error rate in the speaker verification task, it only takes 120 ms for testing an incoming utterance, outperforming all existing speaker verification systems. Moreover, within 91 ms processing time, SUPERVOICE achieves 0% equal error rate in detecting replay attacks launched by 5 different loudspeakers.

Sound,Human-Computer Interaction,Machine Learning,Audio and Speech Processing

Feng Lin,Chao Wang,Tiantian Liu,Ziwei Liu,Yijie Shen,Zhongjie Ba,Li Lu,Wenyao Xu,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3322295

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Online voice communications are widely used nowadays. To protect speech from leakage, people tend to initiate the talk in sound-isolated environments. In this paper, we reveal a novel attack that recovers high-quality speech from outside soundproof zones. The rationale of the attack is to leverage sound-sensitive characteristics of piezoelectric materials, i.e., a piezo film that can change the phase of reflected mmWaves when placed in a sound field. If the attacker transmits mmWaves and analyzes reflected signals from the piezo film, the speech information can be compromised. More importantly, the piezo film is paper-like and works without a power supply. We propose a new speech recovery methodology to transform sound waves into wireless signals and build an end-to-end eavesdropping system working as a through-wall “microphone” to recover high-quality speech stealthily. To combat signal attenuation and improve speech quality, we develop a speech-enhancement scheme based on generative adversarial networks and propose to use multi-antenna information for intelligible speech reconstruction. We conduct extensive experiments to evaluate the system. The results indicate that the system achieves over 98% accuracy for digit recognition and works well over 5m away through the wall. We also test the system under complex scenarios and give countermeasures.

Bang Tran,Shenhui Pan,Xiaohui Liang,Honggang Zhang

DOI: https://doi.org/10.1109/icc42927.2021.9500792

2021-01-01

Abstract:Voice Assistant System (VAS) provides a convenient way for users to interact with smart-home devices via a voice interface. However, it raises unique security issues, including voice replay and injection attacks, where attackers remotely and maliciously control the smart-home devices via a voice interface. In this paper, we consider a typical smart-home scenario in which a VAS device and a compromised speaker device are placed in close physical proximity. The attacker can remotely play malicious voice commands through the speaker device to manipulate the VAS device for malicious purposes. We propose a defense system on the VAS device to secure the VAS device against both voice replay and injection attacks, without any additional devices and without any extra user effort. Specifically, our system aims to collect voice data and wireless data continuously from the VAS device and then extracts the Mel-Cepstral Frequency Coefficients (MFCC) features from voice and wireless data. We consider that both voice and wireless data are affected by the same present users’ physical activities, and the correlation can be used to detect the attacks. Finally, our system applies a deep learning model that learns from previous time-series data and analyzes real-time data to infer whether the real-time voice command is generated from a user or the speaker device. We have tested our system in certain real-world smart-home scenarios. Our experiments showed that the proposed system has a probability between 76.4% to 89.1% to successfully detect the voice replay and injection attacks in the considered scenarios.

Dongzhi He,Yibin Hou,Yuanyuan Li,Zhihao Ding

DOI: https://doi.org/10.1109/MESA.2010.5552096

2010-01-01

Abstract:Signal pre-processing and post-processing are becoming two key factors that impact embedded speech recognition systems from the laboratory to practical application. Speech endpoint detection and out-of-vocabulary rejection are the most important part of the speech pre-processing and post-processing respectively. The performance of traditional speech endpoint detection based on short-term energy and zero-crossing rate degrade dramatically in noisy environments. Methods based on frequency-domain need complex computing, and they can not meet embedded systems well. In this paper, we present a new endpoint detection algorithm that is based on statistical theory for isolated-word. The correct endpoint detection rate reaches 97.40% using the method. In this paper one-class support vector machine theory is introduced to solve out-of-vocabulary rejection. Using this algorithm system, true recognition fraction(TRF) is up to 96%, and false recognition fraction(FRF ) is about 95%.

Dongqiu Huang,Zhihong Tian,Shen Su,Yu Jiang

DOI: https://doi.org/10.1145/3444370.3444560

2020-01-01

Abstract:DolphinAttack is an attack model aiming at audio frequency identification vulnerabilities in voice control system microphones. It modulates voice command on the ultrasonic carrier to achieve inaudibility, and the modulated low frequency audio command can be successfully demodulated, recorded, and interpreted by the speech recognition system. The DolphinAttack threatens the property right and privacy of smart device users. In the paper, we propose a security reinforcement method for voice control system based on disconnected loop authentication that combines software and hardware to prevent DolphinAttack. The security enhancement solution that we proposed based on secondary authentication also can mitigate some unknown vulnerabilities. When the attacker or user wakes up the speech recognition system and performs command control, it will force the voice control system at a high security level to perform secondary authentication. If the command passes the secondary authentication, it enters the execution state. Otherwise, the command is discarded and the report is sent to the user. This kind of security enhancement avoids the privacy leakage and property damage caused by the DolphinAttack at some degree.

Gianpaolo Perelli,Andrea Panzino,Roberto Casula,Marco Micheletto,Giulia Orrù,Gian Luca Marcialis

2024-10-21

Abstract:The impact of voice disorders is becoming more widely acknowledged as a public health issue. Several machine learning-based classifiers with the potential to identify disorders have been used in recent studies to differentiate between normal and pathological voices and sounds. In this paper, we focus on analyzing the vulnerabilities of these systems by exploring the possibility of attacks that can reverse classification and compromise their reliability. Given the critical nature of personal health information, understanding which types of attacks are effective is a necessary first step toward improving the security of such systems. Starting from the original audios, we implement various attack methods, including adversarial, evasion, and pitching techniques, and evaluate how state-of-the-art disorder detection models respond to them. Our findings identify the most effective attack strategies, underscoring the need to address these vulnerabilities in machine-learning systems used in the healthcare domain.

Cryptography and Security,Machine Learning

Si Chen,Kui Ren,Sixu Piao,Cong Wang,Qian Wang,Jian Weng,Lu Su,Aziz Mohaisen

DOI: https://doi.org/10.1109/ICDCS.2017.133

2017-01-01

Abstract:Voice, as a convenient and efficient way of information delivery, has a significant advantage over the conventional keyboard-based input methods, especially on small mobile devices such as smartphones and smartwatches. However, the human voice could often be exposed to the public, which allows an attacker to quickly collect sound samples of targeted victims and further launch voice impersonation attacks to spoof those voice-based applications. In this paper, we propose the design and implementation of a robust software-only voice impersonation defense system, which is tailored for mobile platforms and can be easily integrated with existing off-the-shelf smart devices. In our system, we explore magnetic field emitted from loudspeakers as the essential characteristic for detecting machine-based voice impersonation attacks. Furthermore, we use a state-of-the-art automatic speaker verification system to defend against human imitation attacks. Finally, our evaluation results show that our system achieves simultaneously high accuracy (100%) and low equal error rates (EERs) (0%) in detecting the machine-based voice impersonation attack on smartphones.