Meng Xue,Kuang Peng,Xueluan Gong,Qian Zhang,Yanjiao Chen,Routing Li

DOI: https://doi.org/10.1145/3610874

2023-01-01

Abstract:Intelligent audio systems are ubiquitous in our lives, such as speech command recognition and speaker recognition. However, it is shown that deep learning-based intelligent audio systems are vulnerable to adversarial attacks. In this paper, we propose a physical adversarial attack that exploits reverberation, a natural indoor acoustic effect, to realize imperceptible, fast, and targeted black-box attacks. Unlike existing attacks that constrain the magnitude of adversarial perturbations within a fixed radius, we generate reverberation-alike perturbations that blend naturally with the original voice sample 1. Additionally, we can generate more robust adversarial examples even under over-the-air propagation by considering distortions in the physical environment. Extensive experiments are conducted using two popular intelligent audio systems in various situations, such as different room sizes, distance, and ambient noises. The results show that Echo can invade into intelligent audio systems in both digital and physical over-the-air environment.

Jiajie Zhang,Bingsheng Zhang,Bincheng Zhang

DOI: https://doi.org/10.1145/3327962.3331456

2019-01-01

Abstract:With the advancement of deep learning based speech recognition technology, an increasing number of cloud-aided automatic voice assistant applications, such as Google Home, Amazon Echo, and cloud AI services, such as IBM Watson, are emerging in our daily life. In a typical usage scenario, after keyword activation, the user's voice will be recorded and submitted to the cloud for automatic speech recognition (ASR) and then further action(s) might be triggered depending on the user's command(s). However, recent researches show that the deep learning based systems could be easily attacked by adversarial examples. Subsequently, the ASR systems are found being vulnerable to audio adversarial examples. Unfortunately, very few works about defending audio adversarial attack are known in the literature. Constructing a generic and robust defense mechanism to resolve this issue remains an open problem. In this work, we propose several proactive defense mechanisms against targeted audio adversarial examples in the ASR systems via code modulation and audio compression. We then show the effectiveness of the proposed strategies through extensive evaluation on natural dataset.

Robert Chang,Logan Kuo,Arthur Liu,Nader Sehatbakhsh

DOI: https://doi.org/10.48550/arXiv.2112.13144

2021-12-25

Abstract:As the use of Voice Processing Systems (VPS) continues to become more prevalent in our daily lives through the increased reliance on applications such as commercial voice recognition devices as well as major text-to-speech software, the attacks on these systems are increasingly complex, varied, and constantly evolving. With the use cases for VPS rapidly growing into new spaces and purposes, the potential consequences regarding privacy are increasingly more dangerous. In addition, the growing number and increased practicality of over-the-air attacks have made system failures much more probable. In this paper, we will identify and classify an arrangement of unique attacks on voice processing systems. Over the years research has been moving from specialized, untargeted attacks that result in the malfunction of systems and the denial of services to more general, targeted attacks that can force an outcome controlled by an adversary. The current and most frequently used machine learning systems and deep neural networks, which are at the core of modern voice processing systems, were built with a focus on performance and scalability rather than security. Therefore, it is critical for us to reassess the developing voice processing landscape and to identify the state of current attacks and defenses so that we may suggest future developments and theoretical improvements.

Cryptography and Security,Artificial Intelligence

Hao Tan,Le Wang,Huan Zhang,Junjian Zhang,Muhammad Shafiq,Zhaoquan Gu

DOI: https://doi.org/10.3390/electronics11142183

IF: 2.9

2022-07-12

Electronics

Abstract:Speaker recognition is a task that identifies the speaker from multiple audios. Recently, advances in deep learning have considerably boosted the development of speech signal processing techniques. Speaker or speech recognition has been widely adopted in such applications as smart locks, smart vehicle-mounted systems, and financial services. However, deep neural network-based speaker recognition systems (SRSs) are susceptible to adversarial attacks, which fool the system to make wrong decisions by small perturbations, and this has drawn the attention of researchers to the security of SRSs. Unfortunately, there is no systematic review work in this domain. In this work, we conduct a comprehensive survey to fill this gap, which includes the development of SRSs, adversarial attacks and defenses against SRSs. Specifically, we first introduce the mainstream frameworks of SRSs and some commonly used datasets. Then, from the perspectives of adversarial example generation and evaluation, we introduce different attack tasks, the prior knowledge of attacks, perturbation objects, perturbation constraints, and attack effect evaluation indicators. Next, we focus on some effective defense strategies, including adversarial training, attack detection, and input refactoring against existing attacks, and analyze their strengths and weaknesses in terms of fidelity and robustness. Finally, we discuss the challenges posed by audio adversarial examples in SRSs and some valuable research topics in the future.

engineering, electrical & electronic,computer science, information systems,physics, applied

Donghua Wang,Rangding Wang,Li Dong,Diqun Yan,Xueyuan Zhang,Yongkang Gong

DOI: https://doi.org/10.1007/978-981-15-9129-7_31

2020-01-01

Abstract:Speech recognition technology is affecting and changing the current human-computer interaction profoundly. Due to the remarkable progress of deep learning, the performance of the Automatic Speech Recognition (ASR) system has also increased significantly. As the core component of the speech assistant in the smartphone or other smart devices, ASR receives speech and responds accordingly, which allows us to control and interact with those devices remotely. However, speech adversarial samples where crafted by adding tiny perturbation to original speech, which can make the ASR system to generate malicious instructions while imperceptual to humans. This new attack brings several potential severe security risks to the deep-learning-based ASR system. In this paper, we provide a systematic survey on the speech adversarial examples. We first proposed a taxonomy of existing adversarial examples. Next, we give a brief introduction of existing adversarial examples for the acoustic system, especially for the ASR system, and summarize several major methods of generating the speech adversarial examples. Finally, after elaborating on the existing countermeasures of adversarial examples, we discuss the current challenges and countermeasures against speech adversarial examples. We also give several promising research directions on both making the attack constructing more realistic and the acoustic system more robust, respectively.

Yuchen Liu,Apu Kapadia,Donald Williamson

2023-09-27

Abstract:In contemporary society, voice-controlled devices, such as smartphones and home assistants, have become pervasive due to their advanced capabilities and functionality. The always-on nature of their microphones offers users the convenience of readily accessing these devices. However, recent research and events have revealed that such voice-controlled devices are prone to various forms of malicious attacks, hence making it a growing concern for both users and researchers to safeguard against such attacks. Despite the numerous studies that have investigated adversarial attacks and privacy preservation for images, a conclusive study of this nature has not been conducted for the audio domain. Therefore, this paper aims to examine existing approaches for privacy-preserving and privacy-attacking strategies for audio and speech. To achieve this goal, we classify the attack and defense scenarios into several categories and provide detailed analysis of each approach. We also interpret the dissimilarities between the various approaches, highlight their contributions, and examine their limitations. Our investigation reveals that voice-controlled devices based on neural networks are inherently susceptible to specific types of attacks. Although it is possible to enhance the robustness of such models to certain forms of attack, more sophisticated approaches are required to comprehensively safeguard user privacy.

Cryptography and Security,Audio and Speech Processing

Baochen Yan,Jiahe Lan,Zheng Yan

2023-07-23

Abstract:Voice Recognition Systems (VRSs) employ deep learning for speech recognition and speaker recognition. They have been widely deployed in various real-world applications, from intelligent voice assistance to telephony surveillance and biometric authentication. However, prior research has revealed the vulnerability of VRSs to backdoor attacks, which pose a significant threat to the security and privacy of VRSs. Unfortunately, existing literature lacks a thorough review on this topic. This paper fills this research gap by conducting a comprehensive survey on backdoor attacks against VRSs. We first present an overview of VRSs and backdoor attacks, elucidating their basic knowledge. Then we propose a set of evaluation criteria to assess the performance of backdoor attack methods. Next, we present a comprehensive taxonomy of backdoor attacks against VRSs from different perspectives and analyze the characteristic of different categories. After that, we comprehensively review existing attack methods and analyze their pros and cons based on the proposed criteria. Furthermore, we review classic backdoor defense methods and generic audio defense techniques. Then we discuss the feasibility of deploying them on VRSs. Finally, we figure out several open issues and further suggest future research directions to motivate the research of VRSs security.

Cryptography and Security,Sound,Audio and Speech Processing

Shengshan Hu,Xingcan Shang,Zhan Qin,Minghui Li,Qian Wang,Cong Wang

DOI: https://doi.org/10.1109/mcom.2019.1900006

IF: 9.03

2019-01-01

IEEE Communications Magazine

Abstract:Speech is a common and effective approach for communication between humans and modern mobile devices such as smartphones or home hubs. The remarkable advances in computing and networking have popularized automatic speech recognition (ASR) systems, which can interpret received speech signals on mobile devices and enable us to remotely control and interact with those devices. Despite promising development, audio adversarial examples, a new kind of attack on advanced ASR systems, are found to be extremely effective in imitating human speech while fooling mobile devices to produce incorrect commands. In this article, we provide a systematic survey of audio adversarial examples in the literature. We first present an overview of the architecture of ASR systems and outline the basic attack philosophy. Followed by a brief introduction of the state-of-the-art solutions to audio adversarial examples, a comprehensive comparison is presented. Finally, after discussing existing countermeasures to defend ASR, we highlight several promising future research directions and challenges on constructing more robust and practical audio adversarial examples.

Yuanda Wang,Qiben Yan,Nikolay Ivanov,Xun Chen

2024-01-05

Abstract:The emergence of Artificial Intelligence (AI)-driven audio attacks has revealed new security vulnerabilities in voice control systems. While researchers have introduced a multitude of attack strategies targeting voice control systems (VCS), the continual advancements of VCS have diminished the impact of many such attacks. Recognizing this dynamic landscape, our study endeavors to comprehensively assess the resilience of commercial voice control systems against a spectrum of malicious audio attacks. Through extensive experimentation, we evaluate six prominent attack techniques across a collection of voice control interfaces and devices. Contrary to prevailing narratives, our results suggest that commercial voice control systems exhibit enhanced resistance to existing threats. Particularly, our research highlights the ineffectiveness of white-box attacks in black-box scenarios. Furthermore, the adversaries encounter substantial obstacles in obtaining precise gradient estimations during query-based interactions with commercial systems, such as Apple Siri and Samsung Bixby. Meanwhile, we find that current defense strategies are not completely immune to advanced attacks. Our findings contribute valuable insights for enhancing defense mechanisms in VCS. Through this survey, we aim to raise awareness within the academic community about the security concerns of VCS and advocate for continued research in this crucial area.

Cryptography and Security,Sound,Audio and Speech Processing

Jiahe Lan,Rui Zhang,Zheng Yan,Jie Wang,Yu Chen,Ronghui Hou

DOI: https://doi.org/10.48550/arXiv.2205.13685

2022-05-27

Cryptography and Security

Abstract:Speaker recognition has become very popular in many application scenarios, such as smart homes and smart assistants, due to ease of use for remote control and economic-friendly features. The rapid development of SRSs is inseparable from the advancement of machine learning, especially neural networks. However, previous work has shown that machine learning models are vulnerable to adversarial attacks in the image domain, which inspired researchers to explore adversarial attacks and defenses in Speaker Recognition Systems (SRS). Unfortunately, existing literature lacks a thorough review of this topic. In this paper, we fill this gap by performing a comprehensive survey on adversarial attacks and defenses in SRSs. We first introduce the basics of SRSs and concepts related to adversarial attacks. Then, we propose two sets of criteria to evaluate the performance of attack methods and defense methods in SRSs, respectively. After that, we provide taxonomies of existing attack methods and defense methods, and further review them by employing our proposed criteria. Finally, based on our review, we find some open issues and further specify a number of future directions to motivate the research of SRSs security.

Li-Chi Chang,Zesheng Chen,Chao Chen,Guoping Wang,Zhuming Bi

DOI: https://doi.org/10.1109/ipccc51483.2021.9679446

2021-01-01

Abstract:In smart home, voice control becomes a main interface between users and smart devices. To make voice control more secure, speaker verification systems have been researched to apply human voice as biometrics to accurately identify a legitimate user and avoid illegal access. In recent studies, however, it has been shown that speaker verification systems are particularly vulnerable to adversarial attacks. In this work, we attempt to design and implement a defense system that is simple, light-weight, and effective against adversarial attacks for speaker verification. Specifically, we study two opposite operations to preprocess input audios in speaker verification systems against adversarial attacks: denoising that attempts to remove or reduce perturbations and noise-adding that adds small Gaussian noises to an input audio. We show through experiments that both methods can significantly degrade the performance of a state-of-the-art adversarial attack. Specifically, it is shown that denoising and noise-adding can reduce the targeted attack success rate of the attack from 100% to only 56% and 5.2%, respectively. Moreover, noise-adding can slow down the attack 25 times in speed and only has a minor effect on the normal operations of a speaker verification system.

Xiao Zhang,Hao Tan,Xuan Huang,Denghui Zhang,Keke Tang,Zhaoquan Gu

DOI: https://doi.org/10.48550/arXiv.2208.02250

2022-08-03

Sound

Abstract:With the development of hardware and algorithms, ASR(Automatic Speech Recognition) systems evolve a lot. As The models get simpler, the difficulty of development and deployment become easier, ASR systems are getting closer to our life. On the one hand, we often use APPs or APIs of ASR to generate subtitles and record meetings. On the other hand, smart speaker and self-driving car rely on ASR systems to control AIoT devices. In past few years, there are a lot of works on adversarial examples attacks against ASR systems. By adding a small perturbation to the waveforms, the recognition results make a big difference. In this paper, we describe the development of ASR system, different assumptions of attacks, and how to evaluate these attacks. Next, we introduce the current works on adversarial examples attacks from two attack assumptions: white-box attack and black-box attack. Different from other surveys, we pay more attention to which layer they perturb waveforms in ASR system, the relationship between these attacks, and their implementation methods. We focus on the effect of their works.

Ivan Himawan,Srikanth Madikeri,Petr Motlicek,Milos Cernak,Sridha Sridharan,Clinton Fookes

DOI: https://doi.org/10.1007/978-3-319-92627-8_17

2019-01-01

Abstract:Current state-of-the-art automatic speaker verification (ASV) systems are prone to spoofing. The security and reliability of ASV systems can be threatened by different types of spoofing attacks using voice conversion, synthetic speech, or recorded passphrase. It is therefore essential to develop countermeasure techniques which can detect such spoofed speech. Inspired by the success of deep learning approaches in various classification tasks, this work presents an in-depth study of convolutional neural networks (CNNs) for spoofing detection in automatic speaker verification (ASV) systems. Specifically, we have compared the use of three different CNNs architectures: AlexNet, CNNs with max-feature-map activation, and an ensemble of standard CNNs for developing spoofing countermeasures, and discussed their potential to avoid overfitting due to small amounts of training data that is usually available in this task. We used popular deep learning toolkits for the system implementation and have released the implementation code of our methods publicly. We have evaluated the proposed countermeasure systems for detecting replay attacks on recently released spoofing corpora ASVspoof 2017, and also provided in-depth visual analyses of CNNs to aid for future research in this area.

Hongshuo Liang,Erlu He,Yangyang Zhao,Zhe Jia,Hao Li

DOI: https://doi.org/10.3390/electronics11081283

IF: 2.9

2022-04-18

Electronics

Abstract:In recent years, artificial intelligence technology represented by deep learning has achieved remarkable results in image recognition, semantic analysis, natural language processing and other fields. In particular, deep neural networks have been widely used in different security-sensitive tasks. Fields, such as facial payment, smart medical and autonomous driving, which accelerate the construction of smart cities. Meanwhile, in order to fully unleash the potential of edge big data, there is an urgent need to push the AI frontier to the network edge. Edge AI, the combination of artificial intelligence and edge computing, supports the deployment of deep learning algorithms to edge devices that generate data, and has become a key driver of smart city development. However, the latest research shows that deep neural networks are vulnerable to attacks from adversarial example and output wrong results. This type of attack is called adversarial attack, which greatly limits the promotion of deep neural networks in tasks with extremely high security requirements. Due to the influence of adversarial attacks, researchers have also begun to pay attention to the research in the field of adversarial defense. In the game process of adversarial attacks and defense technologies, both attack and defense technologies have been developed rapidly. This article first introduces the principles and characteristics of adversarial attacks, and summarizes and analyzes the adversarial example generation methods in recent years. Then, it introduces the adversarial example defense technology in detail from the three directions of model, data, and additional network. Finally, combined with the current status of adversarial example generation and defense technology development, put forward challenges and prospects in this field.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Ke Li,Cameron Baird,Dan Lin

DOI: https://doi.org/10.1109/TDSC.2023.3289446

2023-07-08

Abstract:With the advances in deep learning, speaker verification has achieved very high accuracy and is gaining popularity as a type of biometric authentication option in many scenes of our daily life, especially the growing market of web services. Compared to traditional passwords, "vocal passwords" are much more convenient as they relieve people from memorizing different passwords. However, new machine learning attacks are putting these voice authentication systems at risk. Without a strong security guarantee, attackers could access legitimate users' web accounts by fooling the deep neural network (DNN) based voice recognition models. In this paper, we demonstrate an easy-to-implement data poisoning attack to the voice authentication system, which can hardly be captured by existing defense mechanisms. Thus, we propose a more robust defense method, called Guardian, which is a convolutional neural network-based discriminator. The Guardian discriminator integrates a series of novel techniques including bias reduction, input augmentation, and ensemble learning. Our approach is able to distinguish about 95% of attacked accounts from normal accounts, which is much more effective than existing approaches with only 60% accuracy.

Cryptography and Security,Artificial Intelligence,Machine Learning,Sound,Audio and Speech Processing

Jun Wang,Juan Liu

DOI: https://doi.org/10.1109/access.2024.3506605

IF: 3.9

2024-12-07

IEEE Access

Abstract:Recent breakthroughs in deep learning applied to voice processing have sparked an upsurge in security and privacy concerns. This paper presents an inventive adversarial sample generation technique termed the "Ultrasonic Attack," crafted to covertly steer downstream voice-related tasks – encompassing voice emotion classification, voice synthesis, and voice recognition processes such as biometric authentication used in sporting events. This technique is distinctive in its employment of a multi-feature fitting strategy that allows for precise targeting and alteration of key voice attributes critical for downstream tasks. Ingeniously integrating ultrasonic noise into the original vocal recordings, our method can mislead sophisticated deep learning systems while remaining undetectable to the human ear, leading to erroneous outcomes in voice-based applications. The implications of this are particularly profound in high-stakes situations like athlete identity verification or voice command integrity in sports technology systems. Rigorous experimental validations underscore the "Ultrasonic Attack" as a potent method. When juxtaposed with leading-edge adversarial sample generation techniques, our approach stands out, delivering unrivaled performance in tasks as varied as Voice Emotion Classification and Speaker Identification. Our method triumphs in creating adversarial samples that not only carry out successful attacks with enhanced efficacy but also conserve the natural features of the voice, underscoring the critical need for fortified security in speech-processing technologies.

computer science, information systems,telecommunications,engineering, electrical & electronic

Man Zhou,Zhan Qin,Xiu Lin,Shengshan Hu,Qian Wang,Kui Ren

DOI: https://doi.org/10.1109/mwc.2019.1800477

IF: 12.777

2019-01-01

IEEE Wireless Communications

Abstract:Autonomous driving is becoming one of the most popular applications of AI. Meanwhile, the advances in deep learning have promoted the rapid development of the voice controllable systems (VCSs), which have almost reached the maturity stage. Before autonomous driving cars reach the highest level of automation, intelligent voice interaction remains the primary approach for human-vehicle interaction. Recent works show that such intelligent systems are vulnerable to hidden voice commands that are unnoticed or unintelligible to humans. In particular, an adversary utilizing hidden voice commands is able to control autonomous driving cars. For example, malicious voice commands embedded into the sound of online shared videos can stealthily control the vehicle when people watch the videos in the car. In this article, we investigate the potential perniciousness of hidden voice commands on the VCS of autonomous driving cars, and then discuss feasible defense strategies. We finally propose a pop-noisebased general defense strategy that can resist various kinds of attacks.

Chien-yu Huang,Yist Y. Lin,Hung-yi Lee,Lin-shan Lee

DOI: https://doi.org/10.1109/slt48900.2021.9383529

2021-01-01

Abstract:Substantial improvements have been achieved in recent years in voice conversion, which converts the speaker characteristics of an utterance into those of another speaker without changing the linguistic content of the utterance. Nonetheless, the improved conversion technologies also led to concerns about privacy and authentication. It thus becomes highly desired to be able to prevent one's voice from being improperly utilized with such voice conversion technologies. This is why we report in this paper the first known attempt to perform adversarial attack on voice conversion. We introduce human imperceptible noise into the utterances of a speaker whose voice is to be defended. Given these adversarial examples, voice conversion models cannot convert other utterances so as to sound like being produced by the defended speaker. Preliminary experiments were conducted on two currently state-of-the-art zero-shot voice conversion models. Objective and subjective evaluation results in both white-box and black-box scenarios are reported. It was shown that the speaker characteristics of the converted utterances were made obviously different from those of the defended speaker, while the adversarial examples of the defended speaker are not distinguishable from the authentic utterances.