metamorph injecting inaudible commands into over the air
play

Metamorph: Injecting Inaudible Commands into Over-the-air Voice - PowerPoint PPT Presentation

Sep 22, 2023 •261 likes •808 views

Metamorph: Injecting Inaudible Commands into Over-the-air Voice Controlled Systems Tao Chen 1 Longfei Shangguan 2 Zhenjiang Li 1 Kyle Jamieson 3 1 City University of Hong Kong, 2 Microsoft, 3 Princeton University Voice Assistants in Smart Home 2

  1. Metamorph: Injecting Inaudible Commands into Over-the-air Voice Controlled Systems Tao Chen 1 Longfei Shangguan 2 Zhenjiang Li 1 Kyle Jamieson 3 1 City University of Hong Kong, 2 Microsoft, 3 Princeton University

  2. Voice Assistants in Smart Home 2 5 4 1 3 2

  3. Voice Assistants in Smart Home 2 5 4 1 3 2

  4. Voice Assistants in Smart Home 2 5 4 1 111.8 million people in U.S. use voice assistants and related services! 3 2 https://www.emarketer.com/content/us-voice-assistant-users-2019

  5. 3 Are they safe enough?

  6. How to attack the voice assistant? 4 Neural networks Speech Recognition Models (SR)

  7. How to attack the voice assistant? 5 Audio Clip: I “ this is for you” T : SR ( I )

  8. How to attack the voice assistant? 5 Audio Clip: I “ this is for you” T : “ open the door” T ′ : SR ( I ) Adversarial Example: I + δ Perturbation: δ

  9. How to attack the voice assistant? 5 Audio Clip: I “ this is for you” T : “ open the door” T ′ : SR ( I ) Adversarial Example: I + δ minimize dB I ( δ ), Perturbation: δ SR ( I ) = T , such that SR ( I + δ ) = T ′ Nicholas Carlini et al. Audio Adversarial Examples, Deep Learning and Security Workshop, 2018

  10. How to attack the voice assistant? 5 Audio Clip: I “ This is for you” T : “ Open the door” T ′ : SR ( I ) Adversarial Example: I + δ Audio Adversarial Attack minimize dB I ( δ ), Perturbation: δ SR ( I ) = T , such that SR ( I + δ ) = T ′ Nicholas Carlini et al. Audio Adversarial Examples, Deep Learning and Security Workshop, 2018

  11. 6

  12. 6

  13. 6

  14. 6

  15. 6 Is it a real threat? Yes!

  16. 6 Adversarial Example

  17. 6 Adversarial Example But, failed Over-the-air!

  18. Challenge 7 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity

  19. Challenge 7 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity VS SR ( I + δ ) SR ( H ( I + δ )) H is unknown in advance!

  20. Understand Over-the-air Attack 8 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity

  21. 9 Attenuation Attenuation

  22. 9 Attenuation Attenuation

  23. 9 Attenuation “ Open the door” Normalization Attenuation

  24. 9 Attenuation “ Open the door” Normalization Attenuation No frequency-selectivity, doesn’t matter at all!

  25. Understand Over-the-air Attack 10 Channel E ff ect Noise Multi-path Attenuation Hardware Heterogeneity

  26. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Anechoic Chamber Testing

  27. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Anechoic Chamber Testing

  28. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Anechoic Chamber Testing

  29. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Not strong, device’s inherent feature, compensable! Anechoic Chamber Testing

  30. 12 Hardware Heterogeneity Transmitter Character Successful Rate (CSR): Anechoic Materials Receiver Static, predictable and compensable! Anechoic Chamber Testing

  31. Understand Over-the-air Attack 13 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity

  32. 14 Multi-path HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Speaker Over-the-air Over-the-air Ruler Over-the-air Channel Channel Ruler Channel SAMSUNG S7 SAMSUNG S7 SAMSUNG S7

  33. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Channel Channel Ruler Channel SAMSUNG S7 SAMSUNG S7 SAMSUNG S7

  34. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel LOS path SAMSUNG S7 Superimposed signal SAMSUNG S7 SAMSUNG S7 Reflection2 I Reflection1

  35. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel LOS path SAMSUNG S7 Superimposed signal SAMSUNG S7 SAMSUNG S7 Reflection2 I Reflection1

  36. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel LOS path SAMSUNG S7 Superimposed signal SAMSUNG S7 SAMSUNG S7 Reflection2 I Reflection1 Also not strong and similar!

  37. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Channel Channel Ruler Channel SAMSUNG S7 SAMSUNG S7 SAMSUNG S7

  38. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1

  39. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1

  40. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1 Stronger and unpredictable!

  41. 17 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Character Successful Rate (CSR): Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1 Highly unpredictable !

  42. 18 Design Inspiration “ Open the door” SR ( H ( I + δ )) I + δ

  43. 18 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ

  44. 18 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ SR ( H ( I + δ )) H: public acoustic CIR datasets

  45. 18 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ SR ( H ( I + δ )) H: public acoustic CIR datasets arg min δ α ⋅ dB I ( δ ) + 1 M ∑ i Loss ( SR ( H i ( I + δ )), T ′ )

  46. 19 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ Transcript and Character Successful Rate: SR ( H ( I + δ )) public acoustic CIR datasets arg min δ α ⋅ dB I ( δ ) + 1 M ∑ i Loss ( SR ( H i ( I + δ )), T ′ )

  47. 20 Design Inspiration “ Open the door” SR ( H ( I + δ )) I + δ Domain (environment-specific) information dominates! SR ( H ( I + δ )) H: public acoustic CIR datasets

  48. 21 Metamorph: Meta-Enha Clean domain information arg min δ α ⋅ dB I ( δ ) + 1 M ∑ i Loss ( SR ( H i ( I + δ )), T ′ ) − β ⋅ L d

  49. ̂ 22 Metamorph: Meta-Qual • Acoustic Gra ffi ti: distance ( δ , N ) • Reducing Perturbation’s Coverage: L1/L2 regularization

  50. 23 Evaluation: Audio Quality • Examples Classical music Original: Meta-Enha: Meta-Qual: [no transcription] “hello world” “hello world” Human speech Original: Meta-Enha: Meta-Qual: “your son went to “open the door” “open the door” serve at a distant place and became a centurion”

  51. 24 Evaluation: Attack Successful Rate • Attack Target: “DeepSpeech” (White-Box) A multi-path prevalent o ffi ce

  52. 25 Evaluation: Attack Successful Rate • Line-of-Sight (LOS) Attack Character Successful Rate Transcript Successful Rate Meta-Enha: > 90% attack successful rate

  53. 26 Evaluation: Attack Successful Rate • No-Line-of-Sight (NLOS) Attack Character Successful Rate Transcript Successful Rate Meta-Enha: over 85% attack successful rate across 11/20 NLOS location!

  54. 27 Conclusion 1. Investigate over-the-air audio adversarial attacks systematically. 2. Propose a “generate-and-clean” two-phase design and improve the audio quality. 3. Develop a prototype and conduct extensive evaluations. Visit acoustic-metamorph-system.github.io for more information!

Recommend

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang,

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang,

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu Zhejiang University BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice commands at VCS by exploiting the

481 views • 28 slides
DolphinAttack: Inaudible Voice Commands Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin

DolphinAttack: Inaudible Voice Commands Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin

DolphinAttack: Inaudible Voice Commands Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, Wenyuan Xu Zhejiang University Presenter: Huichen Li This paper won the CCS 2017 Best Paper award Speech Recognition Systems Apple Siri

720 views • 51 slides
Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV beyond using the same syringes/needles Messages Our main message for the safer injecting theme is: Use a sterile syringe and needle each time

252 views • 8 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
Drafting Commands, Metaediting Part II: The Core Commands Announcements HW3... is postponed

Drafting Commands, Metaediting Part II: The Core Commands Announcements HW3... is postponed

Lecture 8: Visual Mode, /<CR>, Drafting Commands, Metaediting Part II: The Core Commands Announcements HW3... is postponed to next week... Too few things to test on Make sure to practice on commands discussed so far. Every

1.11k views • 83 slides
A comparison of in inaudible windfarm noise and the natural environment noise whilst monitoring

A comparison of in inaudible windfarm noise and the natural environment noise whilst monitoring

23rd International Congress on Acoustics A comparison of in inaudible windfarm noise and the natural environment noise whilst monitoring brainwaves and heart rate Steven Cooper Sound system calibrated to playback 3-min sample of Cape

628 views • 15 slides
Colossians Commands Commands put to death your members 3:5 you yourself are to put

Colossians Commands Commands put to death your members 3:5 you yourself are to put

Colossians Commands Commands put to death your members 3:5 you yourself are to put off all these 3:8 put off the old man with his deeds 3:9 put on the new man who is renewed 3:10 put on tender mercies

2.44k views • 197 slides
Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting Faults for Engine Management Development M t D l t Scott James Applied Dynamics International Sh Shaun Fuller Pickering Interfaces F ll

353 views • 18 slides
Commands Part I Recurring Themes Part II Core Commands Announcements Homework 2 is due now!

Commands Part I Recurring Themes Part II Core Commands Announcements Homework 2 is due now!

Lecture 5: Review + Basic Commands Part I Recurring Themes Part II Core Commands Announcements Homework 2 is due now! Midterm next week! Format is similar to hws, focus on writing clear descriptions that do exactly what you want to

549 views • 43 slides
April 7: Safety Question Protection State Transitions Commands Conditional Commands

April 7: Safety Question Protection State Transitions Commands Conditional Commands

April 7: Safety Question Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege Harrison-Ruzzo-Ullman result Corollaries April 7, 2017 ECS 235B Spring Quarter

588 views • 33 slides
A simplified A simplified method method for for determination determination of of

A simplified A simplified method method for for determination determination of of

23rd International Congress on Acoustics A simplified A simplified method method for for determination determination of of amplitude amplitude modulation of modulation of audible audible and and inaudible inaudible wind

462 views • 10 slides
The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne

The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne

The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne Professor Robert Power Burnet Institute Acknowledgements Traditional owners: W urundjeri Yarra Drug Health Forum Project team

633 views • 22 slides
SQL , the Structured Query Language Overview Introduction DDL Commands DML Commands SQL

SQL , the Structured Query Language Overview Introduction DDL Commands DML Commands SQL

SQL , the Structured Query Language Overview Introduction DDL Commands DML Commands SQL Statements, Operators, Clauses Aggregate Functions Structured Query Language ( SQL SQL ) The ANSI standard language for the definition and manipulation

854 views • 30 slides
Commands The picture can't be displayed. Dr. John Yoon The History Almost every shell stores

Commands The picture can't be displayed. Dr. John Yoon The History Almost every shell stores

Advanced Linux Commands The picture can't be displayed. Dr. John Yoon The History Almost every shell stores the previous commands that you have issued. Most shells allow you to press the up arrow to cycle through previous commands.

656 views • 17 slides
Unix Commands on processes Xiaolan Zhang Spring 2013 1 Outlines Last class: commands

Unix Commands on processes Xiaolan Zhang Spring 2013 1 Outlines Last class: commands

Unix Commands on processes Xiaolan Zhang Spring 2013 1 Outlines Last class: commands working with files tree, ls and echo od (octal dump), stat (show meta data of file) touch, temporary file, file with random bytes locate,

548 views • 51 slides
Barriers and Facilitators to screening and treatment for Hepatitis C among Injecting Drug Users in

Barriers and Facilitators to screening and treatment for Hepatitis C among Injecting Drug Users in

Barriers and Facilitators to screening and treatment for Hepatitis C among Injecting Drug Users in Georgia April, 2017 www.curatiofoundation.org Who did the study Research team CIF: Ivdity Chikovani, Natia Shengelia, Lela Sulaberidze,

395 views • 28 slides
Injecting Linguistics into NLP by Annotation Eduard Hovy Information Sciences Institute

Injecting Linguistics into NLP by Annotation Eduard Hovy Information Sciences Institute

Injecting Linguistics into NLP by Annotation Eduard Hovy Information Sciences Institute University of Southern California Lesson 1: Banko and Brill, HLT-01 Confusion set disambiguation task: {youre | your}, {to | too | two}, {its |

665 views • 19 slides
Agenda Introduction Demo of SpyPhone in Action SpyPhone Design Injecting SpyPhone

Agenda Introduction Demo of SpyPhone in Action SpyPhone Design Injecting SpyPhone

How to Build a SpyPhone Black Hat 2013 Kevin McNamee Alcatel-Lucent Agenda Introduction Demo of SpyPhone in Action SpyPhone Design Injecting SpyPhone Service into an App Conclusion & Questions 2 SpyPhone - Then 3

992 views • 30 slides
Presentation for IQPC 18 April 2007 Becoming an authentic leader and injecting innovation into

Presentation for IQPC 18 April 2007 Becoming an authentic leader and injecting innovation into

Presentation for IQPC 18 April 2007 Becoming an authentic leader and injecting innovation into your organisation I really like the word authentic - as it means both genuine and original. And, without genuineness, without sincerity, there cant

210 views • 5 slides
Evolving the Process Injection Injecting the Python bytecode WhoAmI Red teamer at Sberbank

Evolving the Process Injection Injecting the Python bytecode WhoAmI Red teamer at Sberbank

Evolving the Process Injection Injecting the Python bytecode WhoAmI Red teamer at Sberbank of Russia OSCP/OSCE/SLAE Process Injection purposes Accessing/modifying in-memory data or program execution flow AV evasion &

696 views • 54 slides
VOTD: SQL Injection Engineering Secure Software Last Revised: September 3, 2020 SWEN-331:

VOTD: SQL Injection Engineering Secure Software Last Revised: September 3, 2020 SWEN-331:

VOTD: SQL Injection Engineering Secure Software Last Revised: September 3, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is SQL Injection? Manipulating query strings to execute code Injecting SQL commands into

379 views • 9 slides
UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls

UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls

UNIX Commands CIS 218 Advanced UNIX Commands (UNIX) File/Directory information ls LiSt. Shows contents of current directory. cd Change Directory mv

264 views • 7 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
SDSF Enhancements April 2016 New Commands New commands provided in APAR PI56007 ENQ

SDSF Enhancements April 2016 New Commands New commands provided in APAR PI56007 ENQ

SDSF Enhancements April 2016 New Commands New commands provided in APAR PI56007 ENQ (enqueues for each system in the sysplex) ENQC (enqueues with contention) SYM (system static and dynamic symbols for each system in the sysplex)

228 views • 11 slides

More recommend