Imperceptible, Robust and Targeted Adversarial Examples for Automatic Speech Recognition 1 2 2 1 2 Yao Qin , Nicholas Carlini , Ian Goodfellow , Garrison Cottrell and Colin Raffel 1 2 UC San Diego Google Research Long Beach, ICML June 12, 2019
Our Goals β Targeted Given an input audio π¦ , a targeted transcription π§ , an automatic speech recognition system π(β ) , our target is to find a perturbation π , that π π¦ + π = π§ and π π¦ β π§ . β Imperceptible Humans cannot differentiate π¦ and π¦ + π when listening to these examples. β Robust Played by a speaker and recorded by a microphone (over-the-air). (We donβt achieve this goal completely, but succeed at simulated rooms.)
Our Settings β Threat Model White-box Attack β ASR Model Lingvo ASR system (state-of-the-art) [1] [1] Shen, Jonathan, et al. "Lingvo: a Modular and Scalable Framework for Sequence-to-Sequence Modeling." arXiv preprint arXiv:1902.08295 (2019).
Imperceptibility β Frequency Masking A louder signal (the βmaskerβ) can make other signals at nearby frequencies (the βmaskeesβ) imperceptible. Power Spectral Density Can hide sounds in here! Single tone (PSD) [dB] as an example Human perceptibility threshold Frequency [KHz]
Imperceptibility β Loss function β π¦, π, π§ = β ./0 π π¦ + π , π§ + π½ β β 2 π¦, π q β ./0 π π¦ + π , π§ is the cross-entropy loss function; q β 2 π¦, π = max{πΜ 9 π β π = π , 0} is the imperceptibility loss Where π is the perturbation, πΜ 9 π is the psd of π and π = π is the masking threshold
Robustness β Room Simulator q Simulate room impulse π based on room configurations q Convolve speech with reverberation π’ π¦ = π¦ β π , π’ ~ T β Robustness Loss Function q Minimize β π¦, π, π§ = E 0βΌG [β ./0 π π’(π¦ + π) , π§ ] such that π < π
Imperceptible and Robust Attacks β Combination Loss Function (imperceptibility & robustness) q Minimize β π¦, π, π§ = E 0βΌG [β ./0 π π’(π¦ + π) , π§ ] + π½ β β 2 (π¦, π) Robustness loss Imperceptibility loss
Conclusions β Construct effectively imperceptible adversarial examples using frequency masking. β Develop robust adversarial examples that remain effective after playing over-the-air in the simulated rooms. β Generate adversarial examples for non- β L -based metrics.
Thanks! Come to our poster #65 οΌ Project Webpage: http://cseweb.ucsd.edu/~yaq007/imperceptible-robust-adv.html Code: https://github.com/tensorflow/cleverhans/tree/master/examples/adversarial_asr
Recommend
More recommend
