Abstract:Automatic speech recognition (ASR) systems are vulnerable to audio adversarial examples, which aim to deceive ASR systems by adding perturbations to benign speech signals. These audio adversarial examples appear indistinguishable from benign audio waves, but the ASR system decodes them as intentional malicious commands. Previous studies have demonstrated the feasibility of such attacks in simulated environments (over-line) and have further showcased the creation of robust physical audio adversarial examples (over-air). Various defense techniques have been proposed to counter these attacks. However, most of them have either failed to handle various types of attacks effectively or have resulted in significant time overhead. In this paper, we propose a novel method for detecting audio adversarial examples. Our approach involves feeding both smoothed audio and original audio inputs into the ASR system. Subsequently, we introduce noise to the logits before providing them to the decoder of the ASR. We demonstrate that carefully selected noise can considerably influence the transcription results of audio adversarial examples while having minimal impact on the transcription of benign audio waves. Leveraging this characteristic, we detect audio adversarial examples by comparing the altered transcription, resulting from logit noising, with the original transcription. The proposed method can be easily applied to ASR systems without requiring any structural modifications or additional training. Experimental results indicate that the proposed method exhibits robustness against both over-line and over-air audio adversarial examples, outperforming state-of-the-art detection methods.
What problem does this paper attempt to address?
### Problems the paper attempts to solve
This paper aims to address the vulnerability of Automatic Speech Recognition (ASR) systems to audio adversarial examples. Audio adversarial examples refer to malicious audio signals that deceive ASR systems by adding tiny perturbations to benign audio signals. These adversarial examples are almost indistinguishable from normal audio to human ears, but the ASR system will decode them into specific malicious commands. Such attacks have been proven to be feasible in both simulated (over - line) and physical (over - air) environments, and various defense techniques have been proposed. However, most of the existing defense methods are either unable to effectively deal with various types of attacks or result in significant time overhead.
To meet this challenge, this paper proposes a new method for detecting audio adversarial examples. This method detects adversarial examples by introducing noise into the logits of the ASR system. Specifically, the method first smoothes the input audio, then inputs the smoothed audio and the original audio into the ASR system respectively. Next, noise is introduced at the logit level, and these noised logits are provided to the decoder of the ASR system. Experimental results show that carefully selected noise can significantly affect the transcription results of audio adversarial examples, while having little impact on benign audio. By comparing the transcription results after introducing noise with the original transcription results, audio adversarial examples can be effectively detected.
### Method overview
1. **Smoothing processing**:
- Smooth the input audio signal to reduce the interference effect of adversarial examples. Use an IIR filter to process the audio signal to make it have an effect similar to 1D convolution, thereby smoothing the audio signal.
2. **Logit noise**:
- Introduce noise into the logits, taking advantage of the different characteristics of audio adversarial examples and benign audio in the logit value gap distribution. Specifically, the logit value gap of audio adversarial examples is small, while that of benign audio is large. By introducing appropriate noise into the logits, the logit sequence of the adversarial example can be disrupted, causing its transcription result to be different from the expected one, while having a smaller impact on benign audio.
3. **Similarity analysis**:
- Compare the similarity between the transcription result after introducing noise and the original transcription result. If the similarity is significantly reduced, it is considered that the audio may be an adversarial example.
### Experimental results
The experimental results show that this method performs excellently in detecting over - line and over - air audio adversarial examples, outperforming the existing state - of - the - art detection methods. In addition, this method also shows strong robustness in adaptive attacks (i.e., when the attacker knows the model and the detection method). Most importantly, this method can be seamlessly integrated into existing ASR systems without the need for structural modification or retraining.
### Formula representation
- **Audio distortion measure**:
\[
\text{PSNR}(x)=20\cdot\log_{10}\left(\frac{\|x\|_\infty}{\|x - y\|_\infty}\right)
\]
where \(x\) represents the original audio signal and \(y\) represents the adversarial example.
- **Logit noise selection**:
\[
P(\text{inversion}) = P(\text{logit}_1+\epsilon<\text{logit}_k+\epsilon)
\]
where \(\text{logit}_1\) and \(\text{logit}_k\) represent the largest logit value and the \(k\) - th largest logit value respectively, and \(\epsilon\) represents the added noise.
### Conclusion
This paper proposes a new method for detecting audio adversarial examples. By introducing noise into the logits of the ASR system, it can effectively detect over - line and over - air audio adversarial examples while having a small impact on benign audio. This method shows strong robustness in adaptive attacks and can be seamlessly integrated into existing ASR systems.