Abstract:Recent years have witnessed the rapid development of automatic speech recognition (ASR) systems, providing a practical voice-user interface for widely deployed smart devices. With the ever-growing deployment of such an interface, several voice-based attack schemes have been proposed towards current ASR systems to exploit certain vulnerabilities. Posing one of the more serious threats,hidden voice attack uses the human-machine perception gap to generate obfuscated/hidden voice commands that are unintelligible to human listeners but can be interpreted as commands by machines. However, due to the nature of hidden voice commands (i.e., normal and obfuscated samples exhibit a significant difference in their acoustic features), recent studies show that they can be easily detected and defended by a pre-trained classifier, thereby making it less threatening. In this paper, we validate that such a defense strategy can be circumvented with a more advanced type of hidden voice attack calledHVAC. Our proposed HVAC attack can easily bypass the existing learning-based defense classifiers while preserving all the essential characteristics of hidden voice attacks (i.e., unintelligible to humans and recognizable to machines). Specifically, we find that all classifier-based defenses build on top of classification models that are trained with acoustic features extracted from the entire audio of normal and obfuscated samples. However, only speech parts (i.e., human voice parts) of these samples contain the useful linguistic information needed for machine transcription. We thus propose a fusion-based method to combine the normal sample and corresponding obfuscated sample as a hybrid HVAC command, which can effectively cheat the defense classifiers. Moreover, to make the command more unintelligible to humans, we tune the speed and pitch of the sample and make it even more distorted in the time domain while ensuring it can still be recognized by machines. Extensive physical over-the-air experiments demonstrate the robustness and generalizability of our HVAC attack under different realistic attack scenarios. Results show that our HVAC commands can achieve an average 94.1% success rate of bypassing machine-learning-based defense approaches under various realistic settings.

HVAC: Evading Classifier-based Defenses in Hidden Voice Attacks.

Echo: Reverberation-based Fast Black-Box Adversarial Attacks on Intelligent Audio Systems.

The Silent Manipulator: A Practical and Inaudible Backdoor Attack against Speech Recognition Systems

UltraBD: Backdoor Attack against Automatic Speaker Verification Systems via Adversarial Ultrasound

EarArray: Defending Against DolphinAttack Via Acoustic Attenuation

Fast and Lightweight Voice Replay Attack Detection Via Time-frequency Spectrum Difference

Learning Normality is Enough: A Software-based Mitigation against Inaudible Voice Attacks

Defending Adversarial Attacks on Cloud-aided Automatic Speech Recognition Systems.

IUAC: Inaudible Universal Adversarial Attacks Against Smart Speakers

Voiceprint Mimicry Attack Towards Speaker Verification System in Smart Home

Canceling Inaudible Voice Commands Against Voice Control Systems

Adversarial Attack and Defense on Deep Neural Network-Based Voice Processing Systems: An Overview

Stop Deceiving! an Effective Defense Scheme Against Voice Impersonation Attacks on Smart Devices

Hidden Voice Commands: Attacks and Defenses on the VCS of Autonomous Driving Cars.

Voice Spoofing Countermeasure for Voice Replay Attacks Using Deep Learning

Audio Hotspot Attack: An Attack on Voice Assistance Systems Using Directional Sound Beams and its Feasibility

DolphinAtack: Inaudible Voice Commands

The Feasibility of Injecting Inaudible Voice Commands to Voice Assistants

DolphinAttack: Inaudible Voice Commands

CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition

Fake the Real: Backdoor Attack on Deep Speech Classification via Voice Conversion