Just a tiny twist is enough.
Audio Adversarial Examples: Targeted Attacks on Speech-to-Text (Pdf)
Nicholas Carlini and David Wagner, University of California, Berkeley
Abstract
We construct targeted audio adversarial examples on automatic speech recognition. Given any audio waveform, we can produce another that is over 99.9% similar, but transcribes as any phrase we choose (at a rate of up to 50 characters per second). We apply our white-box iterative optimization-based attack to Mozilla’s implementation DeepSpeech end-to-end, and show it has a 100% success rate. The feasibility of this attack introduces a new domain to study adversarial examples.
I. INTRODUCTION
As the use of neural networks continues to grow, it is critical to examine their behavior in adversarial settings. Prior work [6] has shown that neural networks are vulnerable to adversarial examples [41], instances x′ similar to a natural instance x, but classified incorrectly by a neural network. While neural networks are being used in increasingly many new domains, existing work on adversarial examples has focused largely on the space of images, be it image classification [41], generative models on images [26], image segmentation [1], face detection [37], or reinforcement learning by manipulating the images the RL agent sees [5, 21]. In the discrete domain, there has been some study of adversarial examples over text classification [23] and malware classification [16, 20].

Neural networks are commonly used for speech recognition — given an audio waveform x, perform the speech-to-text transform that gives the transcription y of the phrase being spoken (as used in, e.g., Apple Siri, Google Now, and Amazon Echo). On audio, untargeted adversarial examples are uninteresting, as simply causing word-misspellings would be regarded as a successful attack.
...
IV Conclusion
We introduce audio adversarial examples: targeted attacks on automatic speech recognition. With powerful iterative optimization-based attacks applied completely end-to-end, we are able to turn any audio waveform into any target transcription with 100% success by only adding a slight distortion. We can cause audio to transcribe up to 50 characters per second (the theoretical maximum), cause music to transcribe as arbitrary speech, and hide speech from being transcribed. We give preliminary evidence that audio adversarial examples have different properties from those on images by showing that linearity does not hold on the audio domain. We hope that future work will continue to investigate audio adversarial examples, and separate the fundamental properties of adversarial examples from properties which occur only on image recognition.
Pdf here
H/T MR