Adversarial Audio Attacks that Evade Temporal Dependency

Transcript

1. Adversarial Audio Attacks that Evade Temporal Dependency Heng Liu and

   Gregory Ditzler
 Department of Electrical & Computer Engineering
 University of Arizona
 Tucson, AZ 85721 USA
 {hengl, ditzler}@email.arizona.edu SSCI 2020

2. Outline • Introduction • Related work s • Adversarial audio

   attack and detection methods • Temporal Dependency-based detection • Contribution s • Experiment s • Conclusion and future works

3. Introduction: Insecure DNNs Adversarial image example I. J. Goodfellow, J.

   Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in International Conference on Learning Representations, 2014.

4. Introduction: Insecure DNNs Adversarial audio example N. Carlini and D.

   Wagner, “Audio adversarial examples: Targeted attacks on speech-to-text,” in IEEE Security and Privacy Workshops (SPW), 2018.

5. Related works: adversarial audio examples Adversarial audio attacks • Gradient

   based audio attac k • Carlini and Wagner, 2018, SPW • Gradient based audio attack (over-the-air ) • Yukura and Sakuma, IJCAI, 2019 • Black-box audio attack (free of gradient calculation ) • Taori et al., SPW, 2019 Adversarial audio detection • Feature transformation • Frequency filters • Temporal dependency-based methods Yang, et al., “Characterizing audio adversarial examples using temporal dependency,” in International Conference on Learning Representations, 2019. K. Rajaratnam and J. Kalita, “Noise flooding for detecting audio adversarial examples against automatic speech recognition,” in IEEE International Symposium on Signal Processing and Information Technology, pp. 197–201, 2018.

6. 6 Related works: Temporal Dependency Yang, et al., “Characterizing audio

   adversarial examples using temporal dependency,” in International Conference on Learning Representations, 2019. Temporal dependency: • Depicts the timely relations in a sequenc e • Modeled explicitly (e.g., hidden states in LSTM, attention in transformer ) • Open issue: temporal dependency’s role in adversarial audio remains unclea r Temporal dependency-based detection: X <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> Xa <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> X[: k] <latexit sha1_base64="W7Nf6gI4Ho7VydpEZnIV6Cmf7Ts=">AAAB7HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEUDwVvXisYNpCG8pmu2mXbjZhdyKU0N/gxYMiXv1B3vw3btsctPXBwOO9GWbmhakUBl332ymtrW9sbpW3Kzu7e/sH1cOjlkkyzbjPEpnoTkgNl0JxHwVK3kk1p3EoeTsc38389hPXRiTqEScpD2I6VCISjKKV/E73Zhz0qzW37s5BVolXkBoUaParX71BwrKYK2SSGtP13BSDnGoUTPJppZcZnlI2pkPetVTRmJsgnx87JWdWGZAo0bYUkrn6eyKnsTGTOLSdMcWRWfZm4n9eN8PoOsiFSjPkii0WRZkkmJDZ52QgNGcoJ5ZQpoW9lbAR1ZShzadiQ/CWX14lrYu659a9h8ta47aIowwncArn4MEVNOAemuADAwHP8ApvjnJenHfnY9FacoqZY/gD5/MHXcaOYQ==</latexit> <latexit sha1_base64="W7Nf6gI4Ho7VydpEZnIV6Cmf7Ts=">AAAB7HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEUDwVvXisYNpCG8pmu2mXbjZhdyKU0N/gxYMiXv1B3vw3btsctPXBwOO9GWbmhakUBl332ymtrW9sbpW3Kzu7e/sH1cOjlkkyzbjPEpnoTkgNl0JxHwVK3kk1p3EoeTsc38389hPXRiTqEScpD2I6VCISjKKV/E73Zhz0qzW37s5BVolXkBoUaParX71BwrKYK2SSGtP13BSDnGoUTPJppZcZnlI2pkPetVTRmJsgnx87JWdWGZAo0bYUkrn6eyKnsTGTOLSdMcWRWfZm4n9eN8PoOsiFSjPkii0WRZkkmJDZ52QgNGcoJ5ZQpoW9lbAR1ZShzadiQ/CWX14lrYu659a9h8ta47aIowwncArn4MEVNOAemuADAwHP8ApvjnJenHfnY9FacoqZY/gD5/MHXcaOYQ==</latexit> <latexit sha1_base64="W7Nf6gI4Ho7VydpEZnIV6Cmf7Ts=">AAAB7HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEUDwVvXisYNpCG8pmu2mXbjZhdyKU0N/gxYMiXv1B3vw3btsctPXBwOO9GWbmhakUBl332ymtrW9sbpW3Kzu7e/sH1cOjlkkyzbjPEpnoTkgNl0JxHwVK3kk1p3EoeTsc38389hPXRiTqEScpD2I6VCISjKKV/E73Zhz0qzW37s5BVolXkBoUaParX71BwrKYK2SSGtP13BSDnGoUTPJppZcZnlI2pkPetVTRmJsgnx87JWdWGZAo0bYUkrn6eyKnsTGTOLSdMcWRWfZm4n9eN8PoOsiFSjPkii0WRZkkmJDZ52QgNGcoJ5ZQpoW9lbAR1ZShzadiQ/CWX14lrYu659a9h8ta47aIowwncArn4MEVNOAemuADAwHP8ApvjnJenHfnY9FacoqZY/gD5/MHXcaOYQ==</latexit> <latexit sha1_base64="W7Nf6gI4Ho7VydpEZnIV6Cmf7Ts=">AAAB7HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEUDwVvXisYNpCG8pmu2mXbjZhdyKU0N/gxYMiXv1B3vw3btsctPXBwOO9GWbmhakUBl332ymtrW9sbpW3Kzu7e/sH1cOjlkkyzbjPEpnoTkgNl0JxHwVK3kk1p3EoeTsc38389hPXRiTqEScpD2I6VCISjKKV/E73Zhz0qzW37s5BVolXkBoUaParX71BwrKYK2SSGtP13BSDnGoUTPJppZcZnlI2pkPetVTRmJsgnx87JWdWGZAo0bYUkrn6eyKnsTGTOLSdMcWRWfZm4n9eN8PoOsiFSjPkii0WRZkkmJDZ52QgNGcoJ5ZQpoW9lbAR1ZShzadiQ/CWX14lrYu659a9h8ta47aIowwncArn4MEVNOAemuADAwHP8ApvjnJenHfnY9FacoqZY/gD5/MHXcaOYQ==</latexit> Xa[: k] <latexit sha1_base64="oVuAS+NAx7QKgcjhSdsJUdNceRE=">AAAB7nicbVBNS8NAEJ34WetX1aOXxSJ4KokIiqeiF48V7Ae0sWy2k3bJZhN2N0IJ/RFePCji1d/jzX/jts1BWx8MPN6bYWZekAqujet+Oyura+sbm6Wt8vbO7t5+5eCwpZNMMWyyRCSqE1CNgktsGm4EdlKFNA4EtoPoduq3n1BpnsgHM07Rj+lQ8pAzaqzU7jzS7nXk9ytVt+bOQJaJV5AqFGj0K1+9QcKyGKVhgmrd9dzU+DlVhjOBk3Iv05hSFtEhdi2VNEbt57NzJ+TUKgMSJsqWNGSm/p7Iaaz1OA5sZ0zNSC96U/E/r5uZ8MrPuUwzg5LNF4WZICYh09/JgCtkRowtoUxxeythI6ooMzahsg3BW3x5mbTOa55b8+4vqvWbIo4SHMMJnIEHl1CHO2hAExhE8Ayv8Oakzovz7nzMW1ecYuYI/sD5/AHNNY80</latexit> <latexit sha1_base64="oVuAS+NAx7QKgcjhSdsJUdNceRE=">AAAB7nicbVBNS8NAEJ34WetX1aOXxSJ4KokIiqeiF48V7Ae0sWy2k3bJZhN2N0IJ/RFePCji1d/jzX/jts1BWx8MPN6bYWZekAqujet+Oyura+sbm6Wt8vbO7t5+5eCwpZNMMWyyRCSqE1CNgktsGm4EdlKFNA4EtoPoduq3n1BpnsgHM07Rj+lQ8pAzaqzU7jzS7nXk9ytVt+bOQJaJV5AqFGj0K1+9QcKyGKVhgmrd9dzU+DlVhjOBk3Iv05hSFtEhdi2VNEbt57NzJ+TUKgMSJsqWNGSm/p7Iaaz1OA5sZ0zNSC96U/E/r5uZ8MrPuUwzg5LNF4WZICYh09/JgCtkRowtoUxxeythI6ooMzahsg3BW3x5mbTOa55b8+4vqvWbIo4SHMMJnIEHl1CHO2hAExhE8Ayv8Oakzovz7nzMW1ecYuYI/sD5/AHNNY80</latexit> <latexit sha1_base64="oVuAS+NAx7QKgcjhSdsJUdNceRE=">AAAB7nicbVBNS8NAEJ34WetX1aOXxSJ4KokIiqeiF48V7Ae0sWy2k3bJZhN2N0IJ/RFePCji1d/jzX/jts1BWx8MPN6bYWZekAqujet+Oyura+sbm6Wt8vbO7t5+5eCwpZNMMWyyRCSqE1CNgktsGm4EdlKFNA4EtoPoduq3n1BpnsgHM07Rj+lQ8pAzaqzU7jzS7nXk9ytVt+bOQJaJV5AqFGj0K1+9QcKyGKVhgmrd9dzU+DlVhjOBk3Iv05hSFtEhdi2VNEbt57NzJ+TUKgMSJsqWNGSm/p7Iaaz1OA5sZ0zNSC96U/E/r5uZ8MrPuUwzg5LNF4WZICYh09/JgCtkRowtoUxxeythI6ooMzahsg3BW3x5mbTOa55b8+4vqvWbIo4SHMMJnIEHl1CHO2hAExhE8Ayv8Oakzovz7nzMW1ecYuYI/sD5/AHNNY80</latexit> <latexit sha1_base64="oVuAS+NAx7QKgcjhSdsJUdNceRE=">AAAB7nicbVBNS8NAEJ34WetX1aOXxSJ4KokIiqeiF48V7Ae0sWy2k3bJZhN2N0IJ/RFePCji1d/jzX/jts1BWx8MPN6bYWZekAqujet+Oyura+sbm6Wt8vbO7t5+5eCwpZNMMWyyRCSqE1CNgktsGm4EdlKFNA4EtoPoduq3n1BpnsgHM07Rj+lQ8pAzaqzU7jzS7nXk9ytVt+bOQJaJV5AqFGj0K1+9QcKyGKVhgmrd9dzU+DlVhjOBk3Iv05hSFtEhdi2VNEbt57NzJ+TUKgMSJsqWNGSm/p7Iaaz1OA5sZ0zNSC96U/E/r5uZ8MrPuUwzg5LNF4WZICYh09/JgCtkRowtoUxxeythI6ooMzahsg3BW3x5mbTOa55b8+4vqvWbIo4SHMMJnIEHl1CHO2hAExhE8Ayv8Oakzovz7nzMW1ecYuYI/sD5/AHNNY80</latexit> X <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> <latexit sha1_base64="hf6hOeTjseL13iz+i/MO/ptaY5E=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48t2A9oQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgobm1vbO8Xd0t7+weFR+fikreNUMWyxWMSqG1CNgktsGW4EdhOFNAoEdoLJ3dzvPKHSPJYPZpqgH9GR5CFn1Fip2R2UK27VXYCsEy8nFcjRGJS/+sOYpRFKwwTVuue5ifEzqgxnAmelfqoxoWxCR9izVNIItZ8tDp2RC6sMSRgrW9KQhfp7IqOR1tMosJ0RNWO96s3F/7xeasIbP+MySQ1KtlwUpoKYmMy/JkOukBkxtYQyxe2thI2poszYbEo2BG/15XXSvqp6btVrXlfqt3kcRTiDc7gED2pQh3toQAsYIDzDK7w5j86L8+58LFsLTj5zCn/gfP4AtbmM3A==</latexit> Xa <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> <latexit sha1_base64="brABWL5OsX8Jz8MP4mZ2jZoh4/U=">AAAB6nicbVBNS8NAEJ3Ur1q/qh69LBbBU0lEqMeiF48V7Qe0sUy2m3bpZhN2N0IJ/QlePCji1V/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqKGvSWMSqE6BmgkvWNNwI1kkUwygQrB2Mb2Z++4kpzWP5YCYJ8yMcSh5yisZK951H7JcrbtWdg6wSLycVyNHol796g5imEZOGCtS667mJ8TNUhlPBpqVeqlmCdIxD1rVUYsS0n81PnZIzqwxIGCtb0pC5+nsiw0jrSRTYzgjNSC97M/E/r5ua8MrPuExSwyRdLApTQUxMZn+TAVeMGjGxBKni9lZCR6iQGptOyYbgLb+8SloXVc+teneXlfp1HkcRTuAUzsGDGtThFhrQBApDeIZXeHOE8+K8Ox+L1oKTzxzDHzifPyIrja8=</latexit> f(X[: k]) <latexit sha1_base64="aYaW0vwC9I9yabAobGwk3uP9bcA=">AAAB73icbVBNS8NAEJ34WetX1aOXxSLUS0lEUDwVvXisYNtAGspmu2mXbnbj7kYooX/CiwdFvPp3vPlv3LY5aOuDgcd7M8zMi1LOtHHdb2dldW19Y7O0Vd7e2d3brxwctrXMFKEtIrlUfoQ15UzQlmGGUz9VFCcRp51odDv1O09UaSbFgxmnNEzwQLCYEWys5Mc1P7gehWe9StWtuzOgZeIVpAoFmr3KV7cvSZZQYQjHWgeem5owx8owwumk3M00TTEZ4QENLBU4oTrMZ/dO0KlV+iiWypYwaKb+nshxovU4iWxngs1QL3pT8T8vyEx8FeZMpJmhgswXxRlHRqLp86jPFCWGjy3BRDF7KyJDrDAxNqKyDcFbfHmZtM/rnlv37i+qjZsijhIcwwnUwINLaMAdNKEFBDg8wyu8OY/Oi/PufMxbV5xi5gj+wPn8AedqjzY=</latexit> <latexit sha1_base64="aYaW0vwC9I9yabAobGwk3uP9bcA=">AAAB73icbVBNS8NAEJ34WetX1aOXxSLUS0lEUDwVvXisYNtAGspmu2mXbnbj7kYooX/CiwdFvPp3vPlv3LY5aOuDgcd7M8zMi1LOtHHdb2dldW19Y7O0Vd7e2d3brxwctrXMFKEtIrlUfoQ15UzQlmGGUz9VFCcRp51odDv1O09UaSbFgxmnNEzwQLCYEWys5Mc1P7gehWe9StWtuzOgZeIVpAoFmr3KV7cvSZZQYQjHWgeem5owx8owwumk3M00TTEZ4QENLBU4oTrMZ/dO0KlV+iiWypYwaKb+nshxovU4iWxngs1QL3pT8T8vyEx8FeZMpJmhgswXxRlHRqLp86jPFCWGjy3BRDF7KyJDrDAxNqKyDcFbfHmZtM/rnlv37i+qjZsijhIcwwnUwINLaMAdNKEFBDg8wyu8OY/Oi/PufMxbV5xi5gj+wPn8AedqjzY=</latexit> <latexit sha1_base64="aYaW0vwC9I9yabAobGwk3uP9bcA=">AAAB73icbVBNS8NAEJ34WetX1aOXxSLUS0lEUDwVvXisYNtAGspmu2mXbnbj7kYooX/CiwdFvPp3vPlv3LY5aOuDgcd7M8zMi1LOtHHdb2dldW19Y7O0Vd7e2d3brxwctrXMFKEtIrlUfoQ15UzQlmGGUz9VFCcRp51odDv1O09UaSbFgxmnNEzwQLCYEWys5Mc1P7gehWe9StWtuzOgZeIVpAoFmr3KV7cvSZZQYQjHWgeem5owx8owwumk3M00TTEZ4QENLBU4oTrMZ/dO0KlV+iiWypYwaKb+nshxovU4iWxngs1QL3pT8T8vyEx8FeZMpJmhgswXxRlHRqLp86jPFCWGjy3BRDF7KyJDrDAxNqKyDcFbfHmZtM/rnlv37i+qjZsijhIcwwnUwINLaMAdNKEFBDg8wyu8OY/Oi/PufMxbV5xi5gj+wPn8AedqjzY=</latexit> <latexit sha1_base64="aYaW0vwC9I9yabAobGwk3uP9bcA=">AAAB73icbVBNS8NAEJ34WetX1aOXxSLUS0lEUDwVvXisYNtAGspmu2mXbnbj7kYooX/CiwdFvPp3vPlv3LY5aOuDgcd7M8zMi1LOtHHdb2dldW19Y7O0Vd7e2d3brxwctrXMFKEtIrlUfoQ15UzQlmGGUz9VFCcRp51odDv1O09UaSbFgxmnNEzwQLCYEWys5Mc1P7gehWe9StWtuzOgZeIVpAoFmr3KV7cvSZZQYQjHWgeem5owx8owwumk3M00TTEZ4QENLBU4oTrMZ/dO0KlV+iiWypYwaKb+nshxovU4iWxngs1QL3pT8T8vyEx8FeZMpJmhgswXxRlHRqLp86jPFCWGjy3BRDF7KyJDrDAxNqKyDcFbfHmZtM/rnlv37i+qjZsijhIcwwnUwINLaMAdNKEFBDg8wyu8OY/Oi/PufMxbV5xi5gj+wPn8AedqjzY=</latexit> f(X) <latexit sha1_base64="i/Cd6J7vNtlfATvn6SRImsEjtLU=">AAAB63icbVBNSwMxEJ34WetX1aOXYBHqpeyKoMeiF48V7Ae0S8mm2TY0yS5JVihL/4IXD4p49Q9589+YbfegrQ8GHu/NMDMvTAQ31vO+0dr6xubWdmmnvLu3f3BYOTpumzjVlLVoLGLdDYlhgivWstwK1k00IzIUrBNO7nK/88S04bF6tNOEBZKMFI84JTaXolr3YlCpenVvDrxK/IJUoUBzUPnqD2OaSqYsFcSYnu8lNsiItpwKNiv3U8MSQidkxHqOKiKZCbL5rTN87pQhjmLtSlk8V39PZEQaM5Wh65TEjs2yl4v/eb3URjdBxlWSWqboYlGUCmxjnD+Oh1wzasXUEUI1d7diOiaaUOviKbsQ/OWXV0n7su57df/hqtq4LeIowSmcQQ18uIYG3EMTWkBhDM/wCm9Iohf0jj4WrWuomDmBP0CfPzu/jbE=</latexit> <latexit sha1_base64="i/Cd6J7vNtlfATvn6SRImsEjtLU=">AAAB63icbVBNSwMxEJ34WetX1aOXYBHqpeyKoMeiF48V7Ae0S8mm2TY0yS5JVihL/4IXD4p49Q9589+YbfegrQ8GHu/NMDMvTAQ31vO+0dr6xubWdmmnvLu3f3BYOTpumzjVlLVoLGLdDYlhgivWstwK1k00IzIUrBNO7nK/88S04bF6tNOEBZKMFI84JTaXolr3YlCpenVvDrxK/IJUoUBzUPnqD2OaSqYsFcSYnu8lNsiItpwKNiv3U8MSQidkxHqOKiKZCbL5rTN87pQhjmLtSlk8V39PZEQaM5Wh65TEjs2yl4v/eb3URjdBxlWSWqboYlGUCmxjnD+Oh1wzasXUEUI1d7diOiaaUOviKbsQ/OWXV0n7su57df/hqtq4LeIowSmcQQ18uIYG3EMTWkBhDM/wCm9Iohf0jj4WrWuomDmBP0CfPzu/jbE=</latexit> <latexit sha1_base64="i/Cd6J7vNtlfATvn6SRImsEjtLU=">AAAB63icbVBNSwMxEJ34WetX1aOXYBHqpeyKoMeiF48V7Ae0S8mm2TY0yS5JVihL/4IXD4p49Q9589+YbfegrQ8GHu/NMDMvTAQ31vO+0dr6xubWdmmnvLu3f3BYOTpumzjVlLVoLGLdDYlhgivWstwK1k00IzIUrBNO7nK/88S04bF6tNOEBZKMFI84JTaXolr3YlCpenVvDrxK/IJUoUBzUPnqD2OaSqYsFcSYnu8lNsiItpwKNiv3U8MSQidkxHqOKiKZCbL5rTN87pQhjmLtSlk8V39PZEQaM5Wh65TEjs2yl4v/eb3URjdBxlWSWqboYlGUCmxjnD+Oh1wzasXUEUI1d7diOiaaUOviKbsQ/OWXV0n7su57df/hqtq4LeIowSmcQQ18uIYG3EMTWkBhDM/wCm9Iohf0jj4WrWuomDmBP0CfPzu/jbE=</latexit> <latexit sha1_base64="i/Cd6J7vNtlfATvn6SRImsEjtLU=">AAAB63icbVBNSwMxEJ34WetX1aOXYBHqpeyKoMeiF48V7Ae0S8mm2TY0yS5JVihL/4IXD4p49Q9589+YbfegrQ8GHu/NMDMvTAQ31vO+0dr6xubWdmmnvLu3f3BYOTpumzjVlLVoLGLdDYlhgivWstwK1k00IzIUrBNO7nK/88S04bF6tNOEBZKMFI84JTaXolr3YlCpenVvDrxK/IJUoUBzUPnqD2OaSqYsFcSYnu8lNsiItpwKNiv3U8MSQidkxHqOKiKZCbL5rTN87pQhjmLtSlk8V39PZEQaM5Wh65TEjs2yl4v/eb3URjdBxlWSWqboYlGUCmxjnD+Oh1wzasXUEUI1d7diOiaaUOviKbsQ/OWXV0n7su57df/hqtq4LeIowSmcQQ18uIYG3EMTWkBhDM/wCm9Iohf0jj4WrWuomDmBP0CfPzu/jbE=</latexit> f(Xa[: k]) <latexit sha1_base64="lh60RHtust9WRrWer+18lWXdqyM=">AAAB8XicbVBNSwMxEJ3Ur1q/qh69BItQL2VXBMVT0YvHCvYDt2vJptk2NJtdkqxQlv4LLx4U8eq/8ea/MW33oK0PBh7vzTAzL0gE18ZxvlFhZXVtfaO4Wdra3tndK+8ftHScKsqaNBax6gREM8ElaxpuBOskipEoEKwdjG6mfvuJKc1jeW/GCfMjMpA85JQYKz2E1c4j8a5G/mmvXHFqzgx4mbg5qUCORq/81e3HNI2YNFQQrT3XSYyfEWU4FWxS6qaaJYSOyIB5lkoSMe1ns4sn+MQqfRzGypY0eKb+nshIpPU4CmxnRMxQL3pT8T/PS0146WdcJqlhks4XhanAJsbT93GfK0aNGFtCqOL2VkyHRBFqbEglG4K7+PIyaZ3VXKfm3p1X6td5HEU4gmOoggsXUIdbaEATKEh4hld4Qxq9oHf0MW8toHzmEP4Aff4AWM+QCQ==</latexit> <latexit sha1_base64="lh60RHtust9WRrWer+18lWXdqyM=">AAAB8XicbVBNSwMxEJ3Ur1q/qh69BItQL2VXBMVT0YvHCvYDt2vJptk2NJtdkqxQlv4LLx4U8eq/8ea/MW33oK0PBh7vzTAzL0gE18ZxvlFhZXVtfaO4Wdra3tndK+8ftHScKsqaNBax6gREM8ElaxpuBOskipEoEKwdjG6mfvuJKc1jeW/GCfMjMpA85JQYKz2E1c4j8a5G/mmvXHFqzgx4mbg5qUCORq/81e3HNI2YNFQQrT3XSYyfEWU4FWxS6qaaJYSOyIB5lkoSMe1ns4sn+MQqfRzGypY0eKb+nshIpPU4CmxnRMxQL3pT8T/PS0146WdcJqlhks4XhanAJsbT93GfK0aNGFtCqOL2VkyHRBFqbEglG4K7+PIyaZ3VXKfm3p1X6td5HEU4gmOoggsXUIdbaEATKEh4hld4Qxq9oHf0MW8toHzmEP4Aff4AWM+QCQ==</latexit> <latexit sha1_base64="lh60RHtust9WRrWer+18lWXdqyM=">AAAB8XicbVBNSwMxEJ3Ur1q/qh69BItQL2VXBMVT0YvHCvYDt2vJptk2NJtdkqxQlv4LLx4U8eq/8ea/MW33oK0PBh7vzTAzL0gE18ZxvlFhZXVtfaO4Wdra3tndK+8ftHScKsqaNBax6gREM8ElaxpuBOskipEoEKwdjG6mfvuJKc1jeW/GCfMjMpA85JQYKz2E1c4j8a5G/mmvXHFqzgx4mbg5qUCORq/81e3HNI2YNFQQrT3XSYyfEWU4FWxS6qaaJYSOyIB5lkoSMe1ns4sn+MQqfRzGypY0eKb+nshIpPU4CmxnRMxQL3pT8T/PS0146WdcJqlhks4XhanAJsbT93GfK0aNGFtCqOL2VkyHRBFqbEglG4K7+PIyaZ3VXKfm3p1X6td5HEU4gmOoggsXUIdbaEATKEh4hld4Qxq9oHf0MW8toHzmEP4Aff4AWM+QCQ==</latexit> <latexit sha1_base64="lh60RHtust9WRrWer+18lWXdqyM=">AAAB8XicbVBNSwMxEJ3Ur1q/qh69BItQL2VXBMVT0YvHCvYDt2vJptk2NJtdkqxQlv4LLx4U8eq/8ea/MW33oK0PBh7vzTAzL0gE18ZxvlFhZXVtfaO4Wdra3tndK+8ftHScKsqaNBax6gREM8ElaxpuBOskipEoEKwdjG6mfvuJKc1jeW/GCfMjMpA85JQYKz2E1c4j8a5G/mmvXHFqzgx4mbg5qUCORq/81e3HNI2YNFQQrT3XSYyfEWU4FWxS6qaaJYSOyIB5lkoSMe1ns4sn+MQqfRzGypY0eKb+nshIpPU4CmxnRMxQL3pT8T/PS0146WdcJqlhks4XhanAJsbT93GfK0aNGFtCqOL2VkyHRBFqbEglG4K7+PIyaZ3VXKfm3p1X6td5HEU4gmOoggsXUIdbaEATKEh4hld4Qxq9oHf0MW8toHzmEP4Aff4AWM+QCQ==</latexit> f(Xa) <latexit sha1_base64="1qZ/muTHRRbu1T8TtN7j9rX5iTM=">AAAB7XicbVDLSgNBEOz1GeMr6tHLYBDiJeyKoMegF48RzAOSNcxOZpMx81hmZoWw5B+8eFDEq//jzb9xkuxBEwsaiqpuuruihDNjff/bW1ldW9/YLGwVt3d29/ZLB4dNo1JNaIMornQ7woZyJmnDMstpO9EUi4jTVjS6mfqtJ6oNU/LejhMaCjyQLGYEWyc140r7AZ/1SmW/6s+AlkmQkzLkqPdKX92+Iqmg0hKOjekEfmLDDGvLCKeTYjc1NMFkhAe046jEgpowm107QadO6aNYaVfSopn6eyLDwpixiFynwHZoFr2p+J/XSW18FWZMJqmlkswXxSlHVqHp66jPNCWWjx3BRDN3KyJDrDGxLqCiCyFYfHmZNM+rgV8N7i7Ktes8jgIcwwlUIIBLqMEt1KEBBB7hGV7hzVPei/fufcxbV7x85gj+wPv8AaoJjoQ=</latexit> <latexit sha1_base64="1qZ/muTHRRbu1T8TtN7j9rX5iTM=">AAAB7XicbVDLSgNBEOz1GeMr6tHLYBDiJeyKoMegF48RzAOSNcxOZpMx81hmZoWw5B+8eFDEq//jzb9xkuxBEwsaiqpuuruihDNjff/bW1ldW9/YLGwVt3d29/ZLB4dNo1JNaIMornQ7woZyJmnDMstpO9EUi4jTVjS6mfqtJ6oNU/LejhMaCjyQLGYEWyc140r7AZ/1SmW/6s+AlkmQkzLkqPdKX92+Iqmg0hKOjekEfmLDDGvLCKeTYjc1NMFkhAe046jEgpowm107QadO6aNYaVfSopn6eyLDwpixiFynwHZoFr2p+J/XSW18FWZMJqmlkswXxSlHVqHp66jPNCWWjx3BRDN3KyJDrDGxLqCiCyFYfHmZNM+rgV8N7i7Ktes8jgIcwwlUIIBLqMEt1KEBBB7hGV7hzVPei/fufcxbV7x85gj+wPv8AaoJjoQ=</latexit> <latexit sha1_base64="1qZ/muTHRRbu1T8TtN7j9rX5iTM=">AAAB7XicbVDLSgNBEOz1GeMr6tHLYBDiJeyKoMegF48RzAOSNcxOZpMx81hmZoWw5B+8eFDEq//jzb9xkuxBEwsaiqpuuruihDNjff/bW1ldW9/YLGwVt3d29/ZLB4dNo1JNaIMornQ7woZyJmnDMstpO9EUi4jTVjS6mfqtJ6oNU/LejhMaCjyQLGYEWyc140r7AZ/1SmW/6s+AlkmQkzLkqPdKX92+Iqmg0hKOjekEfmLDDGvLCKeTYjc1NMFkhAe046jEgpowm107QadO6aNYaVfSopn6eyLDwpixiFynwHZoFr2p+J/XSW18FWZMJqmlkswXxSlHVqHp66jPNCWWjx3BRDN3KyJDrDGxLqCiCyFYfHmZNM+rgV8N7i7Ktes8jgIcwwlUIIBLqMEt1KEBBB7hGV7hzVPei/fufcxbV7x85gj+wPv8AaoJjoQ=</latexit> <latexit sha1_base64="1qZ/muTHRRbu1T8TtN7j9rX5iTM=">AAAB7XicbVDLSgNBEOz1GeMr6tHLYBDiJeyKoMegF48RzAOSNcxOZpMx81hmZoWw5B+8eFDEq//jzb9xkuxBEwsaiqpuuruihDNjff/bW1ldW9/YLGwVt3d29/ZLB4dNo1JNaIMornQ7woZyJmnDMstpO9EUi4jTVjS6mfqtJ6oNU/LejhMaCjyQLGYEWyc140r7AZ/1SmW/6s+AlkmQkzLkqPdKX92+Iqmg0hKOjekEfmLDDGvLCKeTYjc1NMFkhAe046jEgpowm107QadO6aNYaVfSopn6eyLDwpixiFynwHZoFr2p+J/XSW18FWZMJqmlkswXxSlHVqHp66jPNCWWjx3BRDN3KyJDrDGxLqCiCyFYfHmZNM+rgV8N7i7Ktes8jgIcwwlUIIBLqMEt1KEBBB7hGV7hzVPei/fufcxbV7x85gj+wPv8AaoJjoQ=</latexit> ASR: f(⇤) <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> ASR: f(⇤) <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> ASR: f(⇤) <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> ASR: f(⇤) <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> Benign audio: <latexit sha1_base64="b2meWSXIVh9gqRmprHsg0bzyotM=">AAAB/XicbVDJSgNBEO1xjXEbl5uXxiB4CjMiKJ5CvHiMYBZIhtDTqSRNenqG7hoxDsFf8eJBEa/+hzf/xs5y0MQHBY/3qqiqFyZSGPS8b2dpeWV1bT23kd/c2t7Zdff2ayZONYcqj2WsGyEzIIWCKgqU0Eg0sCiUUA8H12O/fg/aiFjd4TCBIGI9JbqCM7RS2z1sITxgVgYleoqytCPiq1HbLXhFbwK6SPwZKZAZKm33q9WJeRqBQi6ZMU3fSzDImEbBJYzyrdRAwviA9aBpqWIRmCCbXD+iJ1bp0G6sbSmkE/X3RMYiY4ZRaDsjhn0z743F/7xmit3LIBMqSREUny7qppJiTMdR0I7QwFEOLWFcC3sr5X2mGUcbWN6G4M+/vEhqZ0XfK/q354VSeRZHjhyRY3JKfHJBSuSGVEiVcPJInskreXOenBfn3fmYti45s5kD8gfO5w+XLpVL</latexit> <latexit sha1_base64="b2meWSXIVh9gqRmprHsg0bzyotM=">AAAB/XicbVDJSgNBEO1xjXEbl5uXxiB4CjMiKJ5CvHiMYBZIhtDTqSRNenqG7hoxDsFf8eJBEa/+hzf/xs5y0MQHBY/3qqiqFyZSGPS8b2dpeWV1bT23kd/c2t7Zdff2ayZONYcqj2WsGyEzIIWCKgqU0Eg0sCiUUA8H12O/fg/aiFjd4TCBIGI9JbqCM7RS2z1sITxgVgYleoqytCPiq1HbLXhFbwK6SPwZKZAZKm33q9WJeRqBQi6ZMU3fSzDImEbBJYzyrdRAwviA9aBpqWIRmCCbXD+iJ1bp0G6sbSmkE/X3RMYiY4ZRaDsjhn0z743F/7xmit3LIBMqSREUny7qppJiTMdR0I7QwFEOLWFcC3sr5X2mGUcbWN6G4M+/vEhqZ0XfK/q354VSeRZHjhyRY3JKfHJBSuSGVEiVcPJInskreXOenBfn3fmYti45s5kD8gfO5w+XLpVL</latexit> <latexit sha1_base64="b2meWSXIVh9gqRmprHsg0bzyotM=">AAAB/XicbVDJSgNBEO1xjXEbl5uXxiB4CjMiKJ5CvHiMYBZIhtDTqSRNenqG7hoxDsFf8eJBEa/+hzf/xs5y0MQHBY/3qqiqFyZSGPS8b2dpeWV1bT23kd/c2t7Zdff2ayZONYcqj2WsGyEzIIWCKgqU0Eg0sCiUUA8H12O/fg/aiFjd4TCBIGI9JbqCM7RS2z1sITxgVgYleoqytCPiq1HbLXhFbwK6SPwZKZAZKm33q9WJeRqBQi6ZMU3fSzDImEbBJYzyrdRAwviA9aBpqWIRmCCbXD+iJ1bp0G6sbSmkE/X3RMYiY4ZRaDsjhn0z743F/7xmit3LIBMqSREUny7qppJiTMdR0I7QwFEOLWFcC3sr5X2mGUcbWN6G4M+/vEhqZ0XfK/q354VSeRZHjhyRY3JKfHJBSuSGVEiVcPJInskreXOenBfn3fmYti45s5kD8gfO5w+XLpVL</latexit> <latexit sha1_base64="b2meWSXIVh9gqRmprHsg0bzyotM=">AAAB/XicbVDJSgNBEO1xjXEbl5uXxiB4CjMiKJ5CvHiMYBZIhtDTqSRNenqG7hoxDsFf8eJBEa/+hzf/xs5y0MQHBY/3qqiqFyZSGPS8b2dpeWV1bT23kd/c2t7Zdff2ayZONYcqj2WsGyEzIIWCKgqU0Eg0sCiUUA8H12O/fg/aiFjd4TCBIGI9JbqCM7RS2z1sITxgVgYleoqytCPiq1HbLXhFbwK6SPwZKZAZKm33q9WJeRqBQi6ZMU3fSzDImEbBJYzyrdRAwviA9aBpqWIRmCCbXD+iJ1bp0G6sbSmkE/X3RMYiY4ZRaDsjhn0z743F/7xmit3LIBMqSREUny7qppJiTMdR0I7QwFEOLWFcC3sr5X2mGUcbWN6G4M+/vEhqZ0XfK/q354VSeRZHjhyRY3JKfHJBSuSGVEiVcPJInskreXOenBfn3fmYti45s5kD8gfO5w+XLpVL</latexit> Adversarial audio: <latexit sha1_base64="n+tm8nG5DNKcWFzCqyTi7PMgGOY=">AAACAnicbVC7SgNBFJ31GeMraiU2g0GwCrsiKFZRG8sI5gHJEu7OziZDZh/M3BXDEmz8FRsLRWz9Cjv/xkmyhSYeGDiccy537vESKTTa9re1sLi0vLJaWCuub2xubZd2dhs6ThXjdRbLWLU80FyKiNdRoOStRHEIPcmb3uB67DfvudIiju5wmHA3hF4kAsEAjdQt7XeQP2B26Y9DoARICqkv4otRt1S2K/YEdJ44OSmTHLVu6avjxywNeYRMgtZtx07QzUChYJKPip1U8wTYAHq8bWgEIdduNjlhRI+M4tMgVuZFSCfq74kMQq2HoWeSIWBfz3pj8T+vnWJw7mYiSlLkEZsuClJJMabjPqgvFGcoh4YAU8L8lbI+KGBoCimaEpzZk+dJ46Ti2BXn9rRcvcrrKJADckiOiUPOSJXckBqpE0YeyTN5JW/Wk/VivVsf0+iClc/skT+wPn8AsDOXmA==</latexit> <latexit sha1_base64="n+tm8nG5DNKcWFzCqyTi7PMgGOY=">AAACAnicbVC7SgNBFJ31GeMraiU2g0GwCrsiKFZRG8sI5gHJEu7OziZDZh/M3BXDEmz8FRsLRWz9Cjv/xkmyhSYeGDiccy537vESKTTa9re1sLi0vLJaWCuub2xubZd2dhs6ThXjdRbLWLU80FyKiNdRoOStRHEIPcmb3uB67DfvudIiju5wmHA3hF4kAsEAjdQt7XeQP2B26Y9DoARICqkv4otRt1S2K/YEdJ44OSmTHLVu6avjxywNeYRMgtZtx07QzUChYJKPip1U8wTYAHq8bWgEIdduNjlhRI+M4tMgVuZFSCfq74kMQq2HoWeSIWBfz3pj8T+vnWJw7mYiSlLkEZsuClJJMabjPqgvFGcoh4YAU8L8lbI+KGBoCimaEpzZk+dJ46Ti2BXn9rRcvcrrKJADckiOiUPOSJXckBqpE0YeyTN5JW/Wk/VivVsf0+iClc/skT+wPn8AsDOXmA==</latexit> <latexit sha1_base64="n+tm8nG5DNKcWFzCqyTi7PMgGOY=">AAACAnicbVC7SgNBFJ31GeMraiU2g0GwCrsiKFZRG8sI5gHJEu7OziZDZh/M3BXDEmz8FRsLRWz9Cjv/xkmyhSYeGDiccy537vESKTTa9re1sLi0vLJaWCuub2xubZd2dhs6ThXjdRbLWLU80FyKiNdRoOStRHEIPcmb3uB67DfvudIiju5wmHA3hF4kAsEAjdQt7XeQP2B26Y9DoARICqkv4otRt1S2K/YEdJ44OSmTHLVu6avjxywNeYRMgtZtx07QzUChYJKPip1U8wTYAHq8bWgEIdduNjlhRI+M4tMgVuZFSCfq74kMQq2HoWeSIWBfz3pj8T+vnWJw7mYiSlLkEZsuClJJMabjPqgvFGcoh4YAU8L8lbI+KGBoCimaEpzZk+dJ46Ti2BXn9rRcvcrrKJADckiOiUPOSJXckBqpE0YeyTN5JW/Wk/VivVsf0+iClc/skT+wPn8AsDOXmA==</latexit> <latexit sha1_base64="n+tm8nG5DNKcWFzCqyTi7PMgGOY=">AAACAnicbVC7SgNBFJ31GeMraiU2g0GwCrsiKFZRG8sI5gHJEu7OziZDZh/M3BXDEmz8FRsLRWz9Cjv/xkmyhSYeGDiccy537vESKTTa9re1sLi0vLJaWCuub2xubZd2dhs6ThXjdRbLWLU80FyKiNdRoOStRHEIPcmb3uB67DfvudIiju5wmHA3hF4kAsEAjdQt7XeQP2B26Y9DoARICqkv4otRt1S2K/YEdJ44OSmTHLVu6avjxywNeYRMgtZtx07QzUChYJKPip1U8wTYAHq8bWgEIdduNjlhRI+M4tMgVuZFSCfq74kMQq2HoWeSIWBfz3pj8T+vnWJw7mYiSlLkEZsuClJJMabjPqgvFGcoh4YAU8L8lbI+KGBoCimaEpzZk+dJ46Ti2BXn9rRcvcrrKJADckiOiUPOSJXckBqpE0YeyTN5JW/Wk/VivVsf0+iClc/skT+wPn8AsDOXmA==</latexit> Consistency{f(X[: k]), f(X)} > Consistency{f(Xa[: k]), f(Xa)} <latexit sha1_base64="/W9KJ0ViIc8EXaev79lPgTZntgY=">AAACTXicdVHLSgMxFM3UR2t9jbp0EyyWFkqZEUFxIcVuXFawD+hMSybN1NBMZkgyYhn6g24Ed/6FGxeKiOkDtK2eEDicew8398SLGJXKsl6M1Mrq2no6s5Hd3Nre2TX39hsyjAUmdRyyULQ8JAmjnNQVVYy0IkFQ4DHS9AbVcb15T4SkIb9Vw4i4Aepz6lOMlJa6Zi/vKPKgkmrIpZ5GOB6OnMQvtNoXA7dYgpoVnRF0nGzeKc2fS/iPtYN+zB2k7V0zZ5WtCeAysWckB2aodc1npxfiOCBcYYakbNtWpNwECUUxI6OsE0sSITxAfdLWlKOASDeZpDGCx1rpQT8U+nIFJ+pvR4ICKYeBpzsDpO7kYm0s/lVrx8o/dxPKo3i87HSQHzOoQjiOFvaoIFixoSYIC6rfCvEdEggr/QFZHYK9uPIyaZyUbats35zmKlezODLgEByBArDBGaiAa1ADdYDBI3gF7+DDeDLejE/ja9qaMmaeAzCHVPobkwmxIg==</latexit> <latexit sha1_base64="/W9KJ0ViIc8EXaev79lPgTZntgY=">AAACTXicdVHLSgMxFM3UR2t9jbp0EyyWFkqZEUFxIcVuXFawD+hMSybN1NBMZkgyYhn6g24Ed/6FGxeKiOkDtK2eEDicew8398SLGJXKsl6M1Mrq2no6s5Hd3Nre2TX39hsyjAUmdRyyULQ8JAmjnNQVVYy0IkFQ4DHS9AbVcb15T4SkIb9Vw4i4Aepz6lOMlJa6Zi/vKPKgkmrIpZ5GOB6OnMQvtNoXA7dYgpoVnRF0nGzeKc2fS/iPtYN+zB2k7V0zZ5WtCeAysWckB2aodc1npxfiOCBcYYakbNtWpNwECUUxI6OsE0sSITxAfdLWlKOASDeZpDGCx1rpQT8U+nIFJ+pvR4ICKYeBpzsDpO7kYm0s/lVrx8o/dxPKo3i87HSQHzOoQjiOFvaoIFixoSYIC6rfCvEdEggr/QFZHYK9uPIyaZyUbats35zmKlezODLgEByBArDBGaiAa1ADdYDBI3gF7+DDeDLejE/ja9qaMmaeAzCHVPobkwmxIg==</latexit> <latexit sha1_base64="/W9KJ0ViIc8EXaev79lPgTZntgY=">AAACTXicdVHLSgMxFM3UR2t9jbp0EyyWFkqZEUFxIcVuXFawD+hMSybN1NBMZkgyYhn6g24Ed/6FGxeKiOkDtK2eEDicew8398SLGJXKsl6M1Mrq2no6s5Hd3Nre2TX39hsyjAUmdRyyULQ8JAmjnNQVVYy0IkFQ4DHS9AbVcb15T4SkIb9Vw4i4Aepz6lOMlJa6Zi/vKPKgkmrIpZ5GOB6OnMQvtNoXA7dYgpoVnRF0nGzeKc2fS/iPtYN+zB2k7V0zZ5WtCeAysWckB2aodc1npxfiOCBcYYakbNtWpNwECUUxI6OsE0sSITxAfdLWlKOASDeZpDGCx1rpQT8U+nIFJ+pvR4ICKYeBpzsDpO7kYm0s/lVrx8o/dxPKo3i87HSQHzOoQjiOFvaoIFixoSYIC6rfCvEdEggr/QFZHYK9uPIyaZyUbats35zmKlezODLgEByBArDBGaiAa1ADdYDBI3gF7+DDeDLejE/ja9qaMmaeAzCHVPobkwmxIg==</latexit> <latexit sha1_base64="/W9KJ0ViIc8EXaev79lPgTZntgY=">AAACTXicdVHLSgMxFM3UR2t9jbp0EyyWFkqZEUFxIcVuXFawD+hMSybN1NBMZkgyYhn6g24Ed/6FGxeKiOkDtK2eEDicew8398SLGJXKsl6M1Mrq2no6s5Hd3Nre2TX39hsyjAUmdRyyULQ8JAmjnNQVVYy0IkFQ4DHS9AbVcb15T4SkIb9Vw4i4Aepz6lOMlJa6Zi/vKPKgkmrIpZ5GOB6OnMQvtNoXA7dYgpoVnRF0nGzeKc2fS/iPtYN+zB2k7V0zZ5WtCeAysWckB2aodc1npxfiOCBcYYakbNtWpNwECUUxI6OsE0sSITxAfdLWlKOASDeZpDGCx1rpQT8U+nIFJ+pvR4ICKYeBpzsDpO7kYm0s/lVrx8o/dxPKo3i87HSQHzOoQjiOFvaoIFixoSYIC6rfCvEdEggr/QFZHYK9uPIyaZyUbats35zmKlezODLgEByBArDBGaiAa1ADdYDBI3gF7+DDeDLejE/ja9qaMmaeAzCHVPobkwmxIg==</latexit> Word/Char Error Rate(WER/CER) <latexit sha1_base64="bjC+3qn0NYGx2lD6ye4DtKs1ws0=">AAACDXicbVC7SgNBFJ31GeMramkzGAVtkl0RtAyGgGUMxghJCLOTu2ZwdmeZuSuGJT9g46/YWChia2/n3zh5FJp4qsM593LPPX4shUHX/Xbm5hcWl5YzK9nVtfWNzdzW9rVRieZQ50oqfeMzA1JEUEeBEm5iDSz0JTT8u/LQb9yDNkJFV9iPoR2y20gEgjO0Uie330J4wLShdLdY7jFNK1orTWsM4bBRqRXLldrRoJPLuwV3BDpLvAnJkwmqndxXq6t4EkKEXDJjmp4bYztlGgWXMMi2EgMx43fsFpqWRiwE005H3wzogVW6NLApAhUhHam/N1IWGtMPfTsZMuyZaW8o/uc1EwzO2qmI4gQh4uNDQSIpKjqshnaFBo6ybwnjWtislNtKGEdbYNaW4E2/PEuujwueW/AuT/Kl80kdGbJL9sgh8cgpKZELUiV1wskjeSav5M15cl6cd+djPDrnTHZ2yB84nz+YJpqT</latexit> <latexit sha1_base64="bjC+3qn0NYGx2lD6ye4DtKs1ws0=">AAACDXicbVC7SgNBFJ31GeMramkzGAVtkl0RtAyGgGUMxghJCLOTu2ZwdmeZuSuGJT9g46/YWChia2/n3zh5FJp4qsM593LPPX4shUHX/Xbm5hcWl5YzK9nVtfWNzdzW9rVRieZQ50oqfeMzA1JEUEeBEm5iDSz0JTT8u/LQb9yDNkJFV9iPoR2y20gEgjO0Uie330J4wLShdLdY7jFNK1orTWsM4bBRqRXLldrRoJPLuwV3BDpLvAnJkwmqndxXq6t4EkKEXDJjmp4bYztlGgWXMMi2EgMx43fsFpqWRiwE005H3wzogVW6NLApAhUhHam/N1IWGtMPfTsZMuyZaW8o/uc1EwzO2qmI4gQh4uNDQSIpKjqshnaFBo6ybwnjWtislNtKGEdbYNaW4E2/PEuujwueW/AuT/Kl80kdGbJL9sgh8cgpKZELUiV1wskjeSav5M15cl6cd+djPDrnTHZ2yB84nz+YJpqT</latexit> <latexit sha1_base64="bjC+3qn0NYGx2lD6ye4DtKs1ws0=">AAACDXicbVC7SgNBFJ31GeMramkzGAVtkl0RtAyGgGUMxghJCLOTu2ZwdmeZuSuGJT9g46/YWChia2/n3zh5FJp4qsM593LPPX4shUHX/Xbm5hcWl5YzK9nVtfWNzdzW9rVRieZQ50oqfeMzA1JEUEeBEm5iDSz0JTT8u/LQb9yDNkJFV9iPoR2y20gEgjO0Uie330J4wLShdLdY7jFNK1orTWsM4bBRqRXLldrRoJPLuwV3BDpLvAnJkwmqndxXq6t4EkKEXDJjmp4bYztlGgWXMMi2EgMx43fsFpqWRiwE005H3wzogVW6NLApAhUhHam/N1IWGtMPfTsZMuyZaW8o/uc1EwzO2qmI4gQh4uNDQSIpKjqshnaFBo6ybwnjWtislNtKGEdbYNaW4E2/PEuujwueW/AuT/Kl80kdGbJL9sgh8cgpKZELUiV1wskjeSav5M15cl6cd+djPDrnTHZ2yB84nz+YJpqT</latexit> <latexit sha1_base64="bjC+3qn0NYGx2lD6ye4DtKs1ws0=">AAACDXicbVC7SgNBFJ31GeMramkzGAVtkl0RtAyGgGUMxghJCLOTu2ZwdmeZuSuGJT9g46/YWChia2/n3zh5FJp4qsM593LPPX4shUHX/Xbm5hcWl5YzK9nVtfWNzdzW9rVRieZQ50oqfeMzA1JEUEeBEm5iDSz0JTT8u/LQb9yDNkJFV9iPoR2y20gEgjO0Uie330J4wLShdLdY7jFNK1orTWsM4bBRqRXLldrRoJPLuwV3BDpLvAnJkwmqndxXq6t4EkKEXDJjmp4bYztlGgWXMMi2EgMx43fsFpqWRiwE005H3wzogVW6NLApAhUhHam/N1IWGtMPfTsZMuyZaW8o/uc1EwzO2qmI4gQh4uNDQSIpKjqshnaFBo6ybwnjWtislNtKGEdbYNaW4E2/PEuujwueW/AuT/Kl80kdGbJL9sgh8cgpKZELUiV1wskjeSav5M15cl6cd+djPDrnTHZ2yB84nz+YJpqT</latexit> ASR: f(⇤) <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit> <latexit sha1_base64="o/Ll7Xt2W/yePEGF3HF2JfNiO4k=">AAAB/3icbVDJSgNBEO1xjXEbFbx4aQxChBBmRFA8Rb14jEsWyAyhp9OTNOlZ6K4Rw5iDv+LFgyJe/Q1v/o2dZA6a+KDg8V4VVfW8WHAFlvVtzM0vLC4t51byq2vrG5vm1nZdRYmkrEYjEcmmRxQTPGQ14CBYM5aMBJ5gDa9/OfIb90wqHoV3MIiZG5BuyH1OCWipbe46wB4gPb+9ORs6JafkFx2i4LBtFqyyNQaeJXZGCihDtW1+OZ2IJgELgQqiVMu2YnBTIoFTwYZ5J1EsJrRPuqylaUgCptx0fP8QH2ilg/1I6goBj9XfEykJlBoEnu4MCPTUtDcS//NaCfinbsrDOAEW0skiPxEYIjwKA3e4ZBTEQBNCJde3YtojklDQkeV1CPb0y7OkflS2rbJ9fVyoXGRx5NAe2kdFZKMTVEFXqIpqiKJH9Ixe0ZvxZLwY78bHpHXOyGZ20B8Ynz+bipUr</latexit>

7. 7 Related works: Temporal Dependency Yang, et al., “Characterizing audio

   adversarial examples using temporal dependency,” in International Conference on Learning Representations, 2019. Temporal dependency-based detection: • Empirical test proves adequate to detect a variety of state-of-the-art audio attack s • Contributions : • revisit the LSTM to explore the role of temporal dependency in adversarial audi o • propose a new audio attack that evades the temporal dependency-based detection

8. Contribution: Part 1 • In an LSTM: • Temporal dependency-based

   detection analysis : • Removing part of the audio impacts the transition of hidden state s • Adversarial perturbation doesn’t consider the hidden states’ transition, thus easily detectable Temporal dependency’s role in adversarial audios ft = ⇣(Wf xt + Uf ht 1) it = ⇣(Wixt + Uiht 1) ot = ⇣(Woxt + Uoht 1) ct = ft ct 1 + it ⇣(Wcxt + Ucht 1) ht = ot ⇣(ct) <latexit sha1_base64="RWdro0l7tc5lUjux89QoPpVuYd0=">AAACxnicbZFLa9tAFIVH6iOJ+3LbZTZDTUtCqZFKoN0EQrPJMoE6DlhGjK6v4iGjGTFz1dYRhv7G7rrof8nYckXl9MLA4dxvzjxuVirpKIp+B+GDh48e7+zu9Z48ffb8Rf/lq0tnKgs4AqOMvcqEQyU1jkiSwqvSoigyhePs5nTVH39D66TRX2lR4rQQ11rmEgR5K+3/yVPi7455coskDsZpzn944z0feTVPa/oQLw95kvRkF5MtJjuY6WKmxUwHgwZbnZ2AtMChaXpUtt7fEGhDoA3xGfMmw2zxPvow0UZXRYY27Q+iYbQufl/EGzFgmzpP+7+SmYGqQE2ghHOTOCppWgtLEhQue0nlsBRwI65x4qUWBbppvR7Dkr/1zoznxvqlia/df3fUonBuUWSeLATN3XZvZf6vN6ko/zytpS4rQg3NQXmlOBm+mimfSYtAauGFACv9XTnMhRVAfvI9/wnx9pPvi8uPwzgaxhdHg5Mvm+/YZfvsDTtgMfvETtgZO2cjBsFpIAMbuPAs1GEVfm/QMNjsec06Ff68A38z0l0=</latexit> <latexit sha1_base64="RWdro0l7tc5lUjux89QoPpVuYd0=">AAACxnicbZFLa9tAFIVH6iOJ+3LbZTZDTUtCqZFKoN0EQrPJMoE6DlhGjK6v4iGjGTFz1dYRhv7G7rrof8nYckXl9MLA4dxvzjxuVirpKIp+B+GDh48e7+zu9Z48ffb8Rf/lq0tnKgs4AqOMvcqEQyU1jkiSwqvSoigyhePs5nTVH39D66TRX2lR4rQQ11rmEgR5K+3/yVPi7455coskDsZpzn944z0feTVPa/oQLw95kvRkF5MtJjuY6WKmxUwHgwZbnZ2AtMChaXpUtt7fEGhDoA3xGfMmw2zxPvow0UZXRYY27Q+iYbQufl/EGzFgmzpP+7+SmYGqQE2ghHOTOCppWgtLEhQue0nlsBRwI65x4qUWBbppvR7Dkr/1zoznxvqlia/df3fUonBuUWSeLATN3XZvZf6vN6ko/zytpS4rQg3NQXmlOBm+mimfSYtAauGFACv9XTnMhRVAfvI9/wnx9pPvi8uPwzgaxhdHg5Mvm+/YZfvsDTtgMfvETtgZO2cjBsFpIAMbuPAs1GEVfm/QMNjsec06Ff68A38z0l0=</latexit> <latexit sha1_base64="RWdro0l7tc5lUjux89QoPpVuYd0=">AAACxnicbZFLa9tAFIVH6iOJ+3LbZTZDTUtCqZFKoN0EQrPJMoE6DlhGjK6v4iGjGTFz1dYRhv7G7rrof8nYckXl9MLA4dxvzjxuVirpKIp+B+GDh48e7+zu9Z48ffb8Rf/lq0tnKgs4AqOMvcqEQyU1jkiSwqvSoigyhePs5nTVH39D66TRX2lR4rQQ11rmEgR5K+3/yVPi7455coskDsZpzn944z0feTVPa/oQLw95kvRkF5MtJjuY6WKmxUwHgwZbnZ2AtMChaXpUtt7fEGhDoA3xGfMmw2zxPvow0UZXRYY27Q+iYbQufl/EGzFgmzpP+7+SmYGqQE2ghHOTOCppWgtLEhQue0nlsBRwI65x4qUWBbppvR7Dkr/1zoznxvqlia/df3fUonBuUWSeLATN3XZvZf6vN6ko/zytpS4rQg3NQXmlOBm+mimfSYtAauGFACv9XTnMhRVAfvI9/wnx9pPvi8uPwzgaxhdHg5Mvm+/YZfvsDTtgMfvETtgZO2cjBsFpIAMbuPAs1GEVfm/QMNjsec06Ff68A38z0l0=</latexit> <latexit sha1_base64="RWdro0l7tc5lUjux89QoPpVuYd0=">AAACxnicbZFLa9tAFIVH6iOJ+3LbZTZDTUtCqZFKoN0EQrPJMoE6DlhGjK6v4iGjGTFz1dYRhv7G7rrof8nYckXl9MLA4dxvzjxuVirpKIp+B+GDh48e7+zu9Z48ffb8Rf/lq0tnKgs4AqOMvcqEQyU1jkiSwqvSoigyhePs5nTVH39D66TRX2lR4rQQ11rmEgR5K+3/yVPi7455coskDsZpzn944z0feTVPa/oQLw95kvRkF5MtJjuY6WKmxUwHgwZbnZ2AtMChaXpUtt7fEGhDoA3xGfMmw2zxPvow0UZXRYY27Q+iYbQufl/EGzFgmzpP+7+SmYGqQE2ghHOTOCppWgtLEhQue0nlsBRwI65x4qUWBbppvR7Dkr/1zoznxvqlia/df3fUonBuUWSeLATN3XZvZf6vN6ko/zytpS4rQg3NQXmlOBm+mimfSYtAauGFACv9XTnMhRVAfvI9/wnx9pPvi8uPwzgaxhdHg5Mvm+/YZfvsDTtgMfvETtgZO2cjBsFpIAMbuPAs1GEVfm/QMNjsec06Ff68A38z0l0=</latexit> 8z 2 {f, i, o, c}, Wz ! xt, Uz ! ht 1 <latexit sha1_base64="bq1waMsJR+m7McixMeUIfbo0M44=">AAACOHicbVDLSgMxFM3Ud31VXboJFsFFLTMi6LLoxp0KthU6ZcikmTY0kwzJHbUd+llu/Ax34saFIm79AtN2Fr5OCBzOuZfknDAR3IDrPjmFmdm5+YXFpeLyyuraemljs2FUqimrUyWUvg6JYYJLVgcOgl0nmpE4FKwZ9k/HfvOGacOVvIJBwtox6UoecUrASkHp3I+UJkLgoc+ln+GowiuqQrE/qvj5aQZDX/NuD4jW6hbfBTCR6z/lXpDBvjcKSmW36k6A/xIvJ2WU4yIoPfodRdOYSaCCGNPy3ATaGdHAqWCjop8alhDaJ13WslSSmJl2Ngk+wrtW6WCbwF4JeKJ+38hIbMwgDu1kTKBnfntj8T+vlUJ03M64TFJgkk4filKBQeFxi7jDNaMgBpYQqrn9K6Y9ogkF23XRluD9jvyXNA6qnlv1Lg/LtZO8jkW0jXbQHvLQEaqhM3SB6oiie/SMXtGb8+C8OO/Ox3S04OQ7W+gHnM8vuderyw==</latexit> <latexit sha1_base64="bq1waMsJR+m7McixMeUIfbo0M44=">AAACOHicbVDLSgMxFM3Ud31VXboJFsFFLTMi6LLoxp0KthU6ZcikmTY0kwzJHbUd+llu/Ax34saFIm79AtN2Fr5OCBzOuZfknDAR3IDrPjmFmdm5+YXFpeLyyuraemljs2FUqimrUyWUvg6JYYJLVgcOgl0nmpE4FKwZ9k/HfvOGacOVvIJBwtox6UoecUrASkHp3I+UJkLgoc+ln+GowiuqQrE/qvj5aQZDX/NuD4jW6hbfBTCR6z/lXpDBvjcKSmW36k6A/xIvJ2WU4yIoPfodRdOYSaCCGNPy3ATaGdHAqWCjop8alhDaJ13WslSSmJl2Ngk+wrtW6WCbwF4JeKJ+38hIbMwgDu1kTKBnfntj8T+vlUJ03M64TFJgkk4filKBQeFxi7jDNaMgBpYQqrn9K6Y9ogkF23XRluD9jvyXNA6qnlv1Lg/LtZO8jkW0jXbQHvLQEaqhM3SB6oiie/SMXtGb8+C8OO/Ox3S04OQ7W+gHnM8vuderyw==</latexit> <latexit sha1_base64="bq1waMsJR+m7McixMeUIfbo0M44=">AAACOHicbVDLSgMxFM3Ud31VXboJFsFFLTMi6LLoxp0KthU6ZcikmTY0kwzJHbUd+llu/Ax34saFIm79AtN2Fr5OCBzOuZfknDAR3IDrPjmFmdm5+YXFpeLyyuraemljs2FUqimrUyWUvg6JYYJLVgcOgl0nmpE4FKwZ9k/HfvOGacOVvIJBwtox6UoecUrASkHp3I+UJkLgoc+ln+GowiuqQrE/qvj5aQZDX/NuD4jW6hbfBTCR6z/lXpDBvjcKSmW36k6A/xIvJ2WU4yIoPfodRdOYSaCCGNPy3ATaGdHAqWCjop8alhDaJ13WslSSmJl2Ngk+wrtW6WCbwF4JeKJ+38hIbMwgDu1kTKBnfntj8T+vlUJ03M64TFJgkk4filKBQeFxi7jDNaMgBpYQqrn9K6Y9ogkF23XRluD9jvyXNA6qnlv1Lg/LtZO8jkW0jXbQHvLQEaqhM3SB6oiie/SMXtGb8+C8OO/Ox3S04OQ7W+gHnM8vuderyw==</latexit> <latexit sha1_base64="bq1waMsJR+m7McixMeUIfbo0M44=">AAACOHicbVDLSgMxFM3Ud31VXboJFsFFLTMi6LLoxp0KthU6ZcikmTY0kwzJHbUd+llu/Ax34saFIm79AtN2Fr5OCBzOuZfknDAR3IDrPjmFmdm5+YXFpeLyyuraemljs2FUqimrUyWUvg6JYYJLVgcOgl0nmpE4FKwZ9k/HfvOGacOVvIJBwtox6UoecUrASkHp3I+UJkLgoc+ln+GowiuqQrE/qvj5aQZDX/NuD4jW6hbfBTCR6z/lXpDBvjcKSmW36k6A/xIvJ2WU4yIoPfodRdOYSaCCGNPy3ATaGdHAqWCjop8alhDaJ13WslSSmJl2Ngk+wrtW6WCbwF4JeKJ+38hIbMwgDu1kTKBnfntj8T+vlUJ03M64TFJgkk4filKBQeFxi7jDNaMgBpYQqrn9K6Y9ogkF23XRluD9jvyXNA6qnlv1Lg/LtZO8jkW0jXbQHvLQEaqhM3SB6oiie/SMXtGb8+C8OO/Ox3S04OQ7W+gHnM8vuderyw==</latexit>

9. • Scenario 1: audio attack explicitly designs the hidden states

   • Scenario 2: audio attack completely removes the Temporal Dependency from the adversarial audio • A state-of-the-art audio attack method (Carlini and Wagner, 2018, SPW) : • Attack efficacy optimizatio n • Perturbation magnitude minimization Contribution: Part 2 A novel audio attack: arg min Xa L CTC(Xa, Y a) + kX Xak2 2 <latexit sha1_base64="hyJ8eC4Lv2utgDtQL9EaJlXw+U8=">AAACLHicbVBNaxsxFNS6beK4+XCaYy6ippDQxOyaQHIM9SWHHlywYxevvbyVZVtEq12ktyFG2R/US/5KoPRQU3rt76js+NA6GRAMM+/xNBNnUhj0/blXevX6zcZmeavydntnd6+6/+7apLlmvMNSmepeDIZLoXgHBUreyzSHJJa8G980F373lmsjUtXGWcYHCUyUGAsG6KSo2gxBT8JEqMj2hlDYMAGcxrH9XEQ2RH6HttluFsWRM0/o1yEc0480vO/RU+qU8D5qDBtFVK35dX8J+pwEK1IjK7Si6vdwlLI84QqZBGP6gZ/hwIJGwSQvKmFueAbsBia876iChJuBXYYt6AenjOg41e4ppEv13w0LiTGzJHaTiyxm3VuIL3n9HMcXAytUliNX7OnQOJcUU7pojo6E5gzlzBFgWri/UjYFDQxdvxVXQrAe+Tm5btQDvx58OatdflrVUSaH5D05IgE5J5fkirRIhzDyjTySn2TuPXg/vF/e76fRkrfaOSD/wfvzF7Q/pyE=</latexit> <latexit sha1_base64="hyJ8eC4Lv2utgDtQL9EaJlXw+U8=">AAACLHicbVBNaxsxFNS6beK4+XCaYy6ippDQxOyaQHIM9SWHHlywYxevvbyVZVtEq12ktyFG2R/US/5KoPRQU3rt76js+NA6GRAMM+/xNBNnUhj0/blXevX6zcZmeavydntnd6+6/+7apLlmvMNSmepeDIZLoXgHBUreyzSHJJa8G980F373lmsjUtXGWcYHCUyUGAsG6KSo2gxBT8JEqMj2hlDYMAGcxrH9XEQ2RH6HttluFsWRM0/o1yEc0480vO/RU+qU8D5qDBtFVK35dX8J+pwEK1IjK7Si6vdwlLI84QqZBGP6gZ/hwIJGwSQvKmFueAbsBia876iChJuBXYYt6AenjOg41e4ppEv13w0LiTGzJHaTiyxm3VuIL3n9HMcXAytUliNX7OnQOJcUU7pojo6E5gzlzBFgWri/UjYFDQxdvxVXQrAe+Tm5btQDvx58OatdflrVUSaH5D05IgE5J5fkirRIhzDyjTySn2TuPXg/vF/e76fRkrfaOSD/wfvzF7Q/pyE=</latexit> <latexit sha1_base64="hyJ8eC4Lv2utgDtQL9EaJlXw+U8=">AAACLHicbVBNaxsxFNS6beK4+XCaYy6ippDQxOyaQHIM9SWHHlywYxevvbyVZVtEq12ktyFG2R/US/5KoPRQU3rt76js+NA6GRAMM+/xNBNnUhj0/blXevX6zcZmeavydntnd6+6/+7apLlmvMNSmepeDIZLoXgHBUreyzSHJJa8G980F373lmsjUtXGWcYHCUyUGAsG6KSo2gxBT8JEqMj2hlDYMAGcxrH9XEQ2RH6HttluFsWRM0/o1yEc0480vO/RU+qU8D5qDBtFVK35dX8J+pwEK1IjK7Si6vdwlLI84QqZBGP6gZ/hwIJGwSQvKmFueAbsBia876iChJuBXYYt6AenjOg41e4ppEv13w0LiTGzJHaTiyxm3VuIL3n9HMcXAytUliNX7OnQOJcUU7pojo6E5gzlzBFgWri/UjYFDQxdvxVXQrAe+Tm5btQDvx58OatdflrVUSaH5D05IgE5J5fkirRIhzDyjTySn2TuPXg/vF/e76fRkrfaOSD/wfvzF7Q/pyE=</latexit> <latexit sha1_base64="hyJ8eC4Lv2utgDtQL9EaJlXw+U8=">AAACLHicbVBNaxsxFNS6beK4+XCaYy6ippDQxOyaQHIM9SWHHlywYxevvbyVZVtEq12ktyFG2R/US/5KoPRQU3rt76js+NA6GRAMM+/xNBNnUhj0/blXevX6zcZmeavydntnd6+6/+7apLlmvMNSmepeDIZLoXgHBUreyzSHJJa8G980F373lmsjUtXGWcYHCUyUGAsG6KSo2gxBT8JEqMj2hlDYMAGcxrH9XEQ2RH6HttluFsWRM0/o1yEc0480vO/RU+qU8D5qDBtFVK35dX8J+pwEK1IjK7Si6vdwlLI84QqZBGP6gZ/hwIJGwSQvKmFueAbsBia876iChJuBXYYt6AenjOg41e4ppEv13w0LiTGzJHaTiyxm3VuIL3n9HMcXAytUliNX7OnQOJcUU7pojo6E5gzlzBFgWri/UjYFDQxdvxVXQrAe+Tm5btQDvx58OatdflrVUSaH5D05IgE5J5fkirRIhzDyjTySn2TuPXg/vF/e76fRkrfaOSD/wfvzF7Q/pyE=</latexit> N. Carlini and D. Wagner, “Audio adversarial examples: Targeted attacks on speech-to-text,” in IEEE Security and Privacy Workshops (SPW), 2018. Temporal dependency-based detection fails at:

10. Contribution: Part 2 A novel audio attack: • We exploit

    the scenario 2: the audio attack completely removes the temporal dependency from the generated adversarial audio • The new audio attack objective : • Penalizing the hidden state’s impact on outputs, • Rewarding the input’s impact in outputs, arg min Xa L CTC(Xa, Y a) + ||X Xa||2 2 + X z2{f,i,o,c} X t {||Uzha t ||2 2 ||WzXa t ||2 2 } <latexit sha1_base64="NLl3BIlqhKOQao2HrdkuZ4aoqBs=">AAACeXicbZFNb9MwGMedjJetvJVxhIOhGiqsq5KCBMeJXnbYYUjrGlS3keM6rbXEiewniM7xd+Cz7cYX4cIFt40EbDySpb9+fz9++T9JmQkNQfDD83fu3L13f3ev9eDho8dP2k/3L3RRKcZHrMgKFSVU80xIPgIBGY9KxWmeZHycXA7X/vgrV1oU8hxWJZ/mdCFFKhgFh+L2d0LVguRCxiaaUYtJTmGZJObUxoYA/wZmeD60tuvMHv4yo2/wIa7rCB9hR+o6HswGjhBd5bG5IkISg9Oe6BU9hom1Ww7WEFPXo/gKL2c0hqbtyB00diz6wyyxcbsT9INN4dsibEQHNXUWt6/JvGBVziWwjGo9CYMSpoYqECzjtkUqzUvKLumCT5yUNOd6ajbJWXzgyBynhXJLAt7QvzsMzbVe5YnbuQ5G3/TW8H/epIL049QIWVbAJdtelFYZhgKvx4DnQnEG2coJypRwb8VsSRVl4IbVciGEN798W1wM+mHQDz+/7xx/auLYRc/RK9RFIfqAjtEJOkMjxNBP74V34L32fvkv/a7/drvV95qeZ+if8t/9BoLdvvw=</latexit> <latexit sha1_base64="NLl3BIlqhKOQao2HrdkuZ4aoqBs=">AAACeXicbZFNb9MwGMedjJetvJVxhIOhGiqsq5KCBMeJXnbYYUjrGlS3keM6rbXEiewniM7xd+Cz7cYX4cIFt40EbDySpb9+fz9++T9JmQkNQfDD83fu3L13f3ev9eDho8dP2k/3L3RRKcZHrMgKFSVU80xIPgIBGY9KxWmeZHycXA7X/vgrV1oU8hxWJZ/mdCFFKhgFh+L2d0LVguRCxiaaUYtJTmGZJObUxoYA/wZmeD60tuvMHv4yo2/wIa7rCB9hR+o6HswGjhBd5bG5IkISg9Oe6BU9hom1Ww7WEFPXo/gKL2c0hqbtyB00diz6wyyxcbsT9INN4dsibEQHNXUWt6/JvGBVziWwjGo9CYMSpoYqECzjtkUqzUvKLumCT5yUNOd6ajbJWXzgyBynhXJLAt7QvzsMzbVe5YnbuQ5G3/TW8H/epIL049QIWVbAJdtelFYZhgKvx4DnQnEG2coJypRwb8VsSRVl4IbVciGEN798W1wM+mHQDz+/7xx/auLYRc/RK9RFIfqAjtEJOkMjxNBP74V34L32fvkv/a7/drvV95qeZ+if8t/9BoLdvvw=</latexit> <latexit sha1_base64="NLl3BIlqhKOQao2HrdkuZ4aoqBs=">AAACeXicbZFNb9MwGMedjJetvJVxhIOhGiqsq5KCBMeJXnbYYUjrGlS3keM6rbXEiewniM7xd+Cz7cYX4cIFt40EbDySpb9+fz9++T9JmQkNQfDD83fu3L13f3ev9eDho8dP2k/3L3RRKcZHrMgKFSVU80xIPgIBGY9KxWmeZHycXA7X/vgrV1oU8hxWJZ/mdCFFKhgFh+L2d0LVguRCxiaaUYtJTmGZJObUxoYA/wZmeD60tuvMHv4yo2/wIa7rCB9hR+o6HswGjhBd5bG5IkISg9Oe6BU9hom1Ww7WEFPXo/gKL2c0hqbtyB00diz6wyyxcbsT9INN4dsibEQHNXUWt6/JvGBVziWwjGo9CYMSpoYqECzjtkUqzUvKLumCT5yUNOd6ajbJWXzgyBynhXJLAt7QvzsMzbVe5YnbuQ5G3/TW8H/epIL049QIWVbAJdtelFYZhgKvx4DnQnEG2coJypRwb8VsSRVl4IbVciGEN798W1wM+mHQDz+/7xx/auLYRc/RK9RFIfqAjtEJOkMjxNBP74V34L32fvkv/a7/drvV95qeZ+if8t/9BoLdvvw=</latexit> <latexit sha1_base64="NLl3BIlqhKOQao2HrdkuZ4aoqBs=">AAACeXicbZFNb9MwGMedjJetvJVxhIOhGiqsq5KCBMeJXnbYYUjrGlS3keM6rbXEiewniM7xd+Cz7cYX4cIFt40EbDySpb9+fz9++T9JmQkNQfDD83fu3L13f3ev9eDho8dP2k/3L3RRKcZHrMgKFSVU80xIPgIBGY9KxWmeZHycXA7X/vgrV1oU8hxWJZ/mdCFFKhgFh+L2d0LVguRCxiaaUYtJTmGZJObUxoYA/wZmeD60tuvMHv4yo2/wIa7rCB9hR+o6HswGjhBd5bG5IkISg9Oe6BU9hom1Ww7WEFPXo/gKL2c0hqbtyB00diz6wyyxcbsT9INN4dsibEQHNXUWt6/JvGBVziWwjGo9CYMSpoYqECzjtkUqzUvKLumCT5yUNOd6ajbJWXzgyBynhXJLAt7QvzsMzbVe5YnbuQ5G3/TW8H/epIL049QIWVbAJdtelFYZhgKvx4DnQnEG2coJypRwb8VsSRVl4IbVciGEN798W1wM+mHQDz+/7xx/auLYRc/RK9RFIfqAjtEJOkMjxNBP74V34L32fvkv/a7/drvV95qeZ+if8t/9BoLdvvw=</latexit> ||Uzha t ||2 2 <latexit sha1_base64="fcHrIpaNksaSqojQJOygNN58zLw=">AAAB+nicbVBNS8NAEN34WetXqkcvi0XwVJIi6LHoxWMF0xbaNGy2m3bp5oPdiVKT/hQvHhTx6i/x5r9x2+agrQ8GHu/NMDPPTwRXYFnfxtr6xubWdmmnvLu3f3BoVo5aKk4lZQ6NRSw7PlFM8Ig5wEGwTiIZCX3B2v74Zua3H5hUPI7uYZIwNyTDiAecEtCSZ1by3PGe8KhPPMjzft2re2bVqllz4FViF6SKCjQ986s3iGkasgioIEp1bSsBNyMSOBVsWu6liiWEjsmQdTWNSMiUm81Pn+IzrQxwEEtdEeC5+nsiI6FSk9DXnSGBkVr2ZuJ/XjeF4MrNeJSkwCK6WBSkAkOMZzngAZeMgphoQqjk+lZMR0QSCjqtsg7BXn55lbTqNduq2XcX1cZ1EUcJnaBTdI5sdIka6BY1kYMoekTP6BW9GbnxYrwbH4vWNaOYOUZ/YHz+AMyZk64=</latexit> <latexit sha1_base64="fcHrIpaNksaSqojQJOygNN58zLw=">AAAB+nicbVBNS8NAEN34WetXqkcvi0XwVJIi6LHoxWMF0xbaNGy2m3bp5oPdiVKT/hQvHhTx6i/x5r9x2+agrQ8GHu/NMDPPTwRXYFnfxtr6xubWdmmnvLu3f3BoVo5aKk4lZQ6NRSw7PlFM8Ig5wEGwTiIZCX3B2v74Zua3H5hUPI7uYZIwNyTDiAecEtCSZ1by3PGe8KhPPMjzft2re2bVqllz4FViF6SKCjQ986s3iGkasgioIEp1bSsBNyMSOBVsWu6liiWEjsmQdTWNSMiUm81Pn+IzrQxwEEtdEeC5+nsiI6FSk9DXnSGBkVr2ZuJ/XjeF4MrNeJSkwCK6WBSkAkOMZzngAZeMgphoQqjk+lZMR0QSCjqtsg7BXn55lbTqNduq2XcX1cZ1EUcJnaBTdI5sdIka6BY1kYMoekTP6BW9GbnxYrwbH4vWNaOYOUZ/YHz+AMyZk64=</latexit> <latexit sha1_base64="fcHrIpaNksaSqojQJOygNN58zLw=">AAAB+nicbVBNS8NAEN34WetXqkcvi0XwVJIi6LHoxWMF0xbaNGy2m3bp5oPdiVKT/hQvHhTx6i/x5r9x2+agrQ8GHu/NMDPPTwRXYFnfxtr6xubWdmmnvLu3f3BoVo5aKk4lZQ6NRSw7PlFM8Ig5wEGwTiIZCX3B2v74Zua3H5hUPI7uYZIwNyTDiAecEtCSZ1by3PGe8KhPPMjzft2re2bVqllz4FViF6SKCjQ986s3iGkasgioIEp1bSsBNyMSOBVsWu6liiWEjsmQdTWNSMiUm81Pn+IzrQxwEEtdEeC5+nsiI6FSk9DXnSGBkVr2ZuJ/XjeF4MrNeJSkwCK6WBSkAkOMZzngAZeMgphoQqjk+lZMR0QSCjqtsg7BXn55lbTqNduq2XcX1cZ1EUcJnaBTdI5sdIka6BY1kYMoekTP6BW9GbnxYrwbH4vWNaOYOUZ/YHz+AMyZk64=</latexit> <latexit sha1_base64="fcHrIpaNksaSqojQJOygNN58zLw=">AAAB+nicbVBNS8NAEN34WetXqkcvi0XwVJIi6LHoxWMF0xbaNGy2m3bp5oPdiVKT/hQvHhTx6i/x5r9x2+agrQ8GHu/NMDPPTwRXYFnfxtr6xubWdmmnvLu3f3BoVo5aKk4lZQ6NRSw7PlFM8Ig5wEGwTiIZCX3B2v74Zua3H5hUPI7uYZIwNyTDiAecEtCSZ1by3PGe8KhPPMjzft2re2bVqllz4FViF6SKCjQ986s3iGkasgioIEp1bSsBNyMSOBVsWu6liiWEjsmQdTWNSMiUm81Pn+IzrQxwEEtdEeC5+nsiI6FSk9DXnSGBkVr2ZuJ/XjeF4MrNeJSkwCK6WBSkAkOMZzngAZeMgphoQqjk+lZMR0QSCjqtsg7BXn55lbTqNduq2XcX1cZ1EUcJnaBTdI5sdIka6BY1kYMoekTP6BW9GbnxYrwbH4vWNaOYOUZ/YHz+AMyZk64=</latexit> ||WzXa t ||2 2 <latexit sha1_base64="2ZnbKPUTJB9PQogojv3p2hnBBwg=">AAAB+nicbVDLSsNAFJ34rPWV6tLNYBFclaQIuiy6cVnBPqCPMJlO2qGTSZi5UWrST3HjQhG3fok7/8Zpm4W2HrhwOOde7r3HjwXX4Djf1tr6xubWdmGnuLu3f3Bol46aOkoUZQ0aiUi1faKZ4JI1gINg7VgxEvqCtfzxzcxvPTCleSTvYRKzXkiGkgecEjCSZ5eyrOU94XafeJBl/apX9eyyU3HmwKvEzUkZ5ah79ld3ENEkZBKoIFp3XCeGXkoUcCrYtNhNNIsJHZMh6xgqSch0L52fPsVnRhngIFKmJOC5+nsiJaHWk9A3nSGBkV72ZuJ/XieB4KqXchknwCRdLAoSgSHCsxzwgCtGQUwMIVRxcyumI6IIBZNW0YTgLr+8SprViutU3LuLcu06j6OATtApOkcuukQ1dIvqqIEoekTP6BW9WZn1Yr1bH4vWNSufOUZ/YH3+ALbdk6A=</latexit> <latexit sha1_base64="2ZnbKPUTJB9PQogojv3p2hnBBwg=">AAAB+nicbVDLSsNAFJ34rPWV6tLNYBFclaQIuiy6cVnBPqCPMJlO2qGTSZi5UWrST3HjQhG3fok7/8Zpm4W2HrhwOOde7r3HjwXX4Djf1tr6xubWdmGnuLu3f3Bol46aOkoUZQ0aiUi1faKZ4JI1gINg7VgxEvqCtfzxzcxvPTCleSTvYRKzXkiGkgecEjCSZ5eyrOU94XafeJBl/apX9eyyU3HmwKvEzUkZ5ah79ld3ENEkZBKoIFp3XCeGXkoUcCrYtNhNNIsJHZMh6xgqSch0L52fPsVnRhngIFKmJOC5+nsiJaHWk9A3nSGBkV72ZuJ/XieB4KqXchknwCRdLAoSgSHCsxzwgCtGQUwMIVRxcyumI6IIBZNW0YTgLr+8SprViutU3LuLcu06j6OATtApOkcuukQ1dIvqqIEoekTP6BW9WZn1Yr1bH4vWNSufOUZ/YH3+ALbdk6A=</latexit> <latexit sha1_base64="2ZnbKPUTJB9PQogojv3p2hnBBwg=">AAAB+nicbVDLSsNAFJ34rPWV6tLNYBFclaQIuiy6cVnBPqCPMJlO2qGTSZi5UWrST3HjQhG3fok7/8Zpm4W2HrhwOOde7r3HjwXX4Djf1tr6xubWdmGnuLu3f3Bol46aOkoUZQ0aiUi1faKZ4JI1gINg7VgxEvqCtfzxzcxvPTCleSTvYRKzXkiGkgecEjCSZ5eyrOU94XafeJBl/apX9eyyU3HmwKvEzUkZ5ah79ld3ENEkZBKoIFp3XCeGXkoUcCrYtNhNNIsJHZMh6xgqSch0L52fPsVnRhngIFKmJOC5+nsiJaHWk9A3nSGBkV72ZuJ/XieB4KqXchknwCRdLAoSgSHCsxzwgCtGQUwMIVRxcyumI6IIBZNW0YTgLr+8SprViutU3LuLcu06j6OATtApOkcuukQ1dIvqqIEoekTP6BW9WZn1Yr1bH4vWNSufOUZ/YH3+ALbdk6A=</latexit> <latexit sha1_base64="2ZnbKPUTJB9PQogojv3p2hnBBwg=">AAAB+nicbVDLSsNAFJ34rPWV6tLNYBFclaQIuiy6cVnBPqCPMJlO2qGTSZi5UWrST3HjQhG3fok7/8Zpm4W2HrhwOOde7r3HjwXX4Djf1tr6xubWdmGnuLu3f3Bol46aOkoUZQ0aiUi1faKZ4JI1gINg7VgxEvqCtfzxzcxvPTCleSTvYRKzXkiGkgecEjCSZ5eyrOU94XafeJBl/apX9eyyU3HmwKvEzUkZ5ah79ld3ENEkZBKoIFp3XCeGXkoUcCrYtNhNNIsJHZMh6xgqSch0L52fPsVnRhngIFKmJOC5+nsiJaHWk9A3nSGBkV72ZuJ/XieB4KqXchknwCRdLAoSgSHCsxzwgCtGQUwMIVRxcyumI6IIBZNW0YTgLr+8SprViutU3LuLcu06j6OATtApOkcuukQ1dIvqqIEoekTP6BW9WZn1Yr1bH4vWNSufOUZ/YH3+ALbdk6A=</latexit>

11. Contribution: Part 2 A novel audio attack: • We further

    work on the new objective: • the hyper-parameter controls the trade off: 1 = L CTC(Xa, Y a) + ||X Xa||2 2 2 = X z2{f,i,o,c} X t {||Uzha t ||2 2 ||WzXa t ||2 2 } arg min Xa ↵ 1 1 + 2 + (1 ↵) 2 1 + 2 <latexit sha1_base64="pFDL5uAjRKG+w4tdtJIa3bD+Xzw=">AAAC+HicbVLLjtMwFHXCaygwdGDJxqICdUSpkgiJ2SCN6IYFiyJNp0F1Gzmu01iTOJHtjGgdfwkbFiDElk9hx9/gNJWY15UsH5177vH1teMyY1J53l/HvXX7zt17e/c7Dx4+2n/cPXhyKotKEDohRVaIMMaSZozTiWIqo2EpKM7jjE7js1GTn55TIVnBT9S6pPMcrzhLGMHKUtGBs/8SjVMW+fAdRDlWaRzrjybSSNEvSo9ORsb0wwUewM8LfAhfwboO4WtombqOgkWAeMGrPKYCoU5rFDRGssojvUGMIw2TARsUAwKRMS2vjEa6rifRBqYLHKnWybrW9dRy4X/OIHP5ACxWKGc80lZkXXBWphglAhPdXsLsdtto24yxqO9b71Z7CC+ogxvUJur2vKG3DXgd+DvQA7sYR90/aFmQKqdckQxLOfO9Us01FoqRjJoOqiQtMTnDKzqzkOOcyrnePpyBLyyzhEkh7OIKbtmLFRrnUq7z2Cqbt5FXcw15U25WqeRorhkvK0U5aQ9KqgyqAja/AC6ZoERlawswEcz2CkmK7WiU/SsdOwT/6pWvg9Ng6HtD/9Ob3vH73Tj2wDPwHPSBD96CY/ABjMEEEKdyvjrfnR/uxv3m/nR/tVLX2dU8BZfC/f0PCqXrRg==</latexit> <latexit sha1_base64="pFDL5uAjRKG+w4tdtJIa3bD+Xzw=">AAAC+HicbVLLjtMwFHXCaygwdGDJxqICdUSpkgiJ2SCN6IYFiyJNp0F1Gzmu01iTOJHtjGgdfwkbFiDElk9hx9/gNJWY15UsH5177vH1teMyY1J53l/HvXX7zt17e/c7Dx4+2n/cPXhyKotKEDohRVaIMMaSZozTiWIqo2EpKM7jjE7js1GTn55TIVnBT9S6pPMcrzhLGMHKUtGBs/8SjVMW+fAdRDlWaRzrjybSSNEvSo9ORsb0wwUewM8LfAhfwboO4WtombqOgkWAeMGrPKYCoU5rFDRGssojvUGMIw2TARsUAwKRMS2vjEa6rifRBqYLHKnWybrW9dRy4X/OIHP5ACxWKGc80lZkXXBWphglAhPdXsLsdtto24yxqO9b71Z7CC+ogxvUJur2vKG3DXgd+DvQA7sYR90/aFmQKqdckQxLOfO9Us01FoqRjJoOqiQtMTnDKzqzkOOcyrnePpyBLyyzhEkh7OIKbtmLFRrnUq7z2Cqbt5FXcw15U25WqeRorhkvK0U5aQ9KqgyqAja/AC6ZoERlawswEcz2CkmK7WiU/SsdOwT/6pWvg9Ng6HtD/9Ob3vH73Tj2wDPwHPSBD96CY/ABjMEEEKdyvjrfnR/uxv3m/nR/tVLX2dU8BZfC/f0PCqXrRg==</latexit> <latexit sha1_base64="pFDL5uAjRKG+w4tdtJIa3bD+Xzw=">AAAC+HicbVLLjtMwFHXCaygwdGDJxqICdUSpkgiJ2SCN6IYFiyJNp0F1Gzmu01iTOJHtjGgdfwkbFiDElk9hx9/gNJWY15UsH5177vH1teMyY1J53l/HvXX7zt17e/c7Dx4+2n/cPXhyKotKEDohRVaIMMaSZozTiWIqo2EpKM7jjE7js1GTn55TIVnBT9S6pPMcrzhLGMHKUtGBs/8SjVMW+fAdRDlWaRzrjybSSNEvSo9ORsb0wwUewM8LfAhfwboO4WtombqOgkWAeMGrPKYCoU5rFDRGssojvUGMIw2TARsUAwKRMS2vjEa6rifRBqYLHKnWybrW9dRy4X/OIHP5ACxWKGc80lZkXXBWphglAhPdXsLsdtto24yxqO9b71Z7CC+ogxvUJur2vKG3DXgd+DvQA7sYR90/aFmQKqdckQxLOfO9Us01FoqRjJoOqiQtMTnDKzqzkOOcyrnePpyBLyyzhEkh7OIKbtmLFRrnUq7z2Cqbt5FXcw15U25WqeRorhkvK0U5aQ9KqgyqAja/AC6ZoERlawswEcz2CkmK7WiU/SsdOwT/6pWvg9Ng6HtD/9Ob3vH73Tj2wDPwHPSBD96CY/ABjMEEEKdyvjrfnR/uxv3m/nR/tVLX2dU8BZfC/f0PCqXrRg==</latexit> <latexit sha1_base64="pFDL5uAjRKG+w4tdtJIa3bD+Xzw=">AAAC+HicbVLLjtMwFHXCaygwdGDJxqICdUSpkgiJ2SCN6IYFiyJNp0F1Gzmu01iTOJHtjGgdfwkbFiDElk9hx9/gNJWY15UsH5177vH1teMyY1J53l/HvXX7zt17e/c7Dx4+2n/cPXhyKotKEDohRVaIMMaSZozTiWIqo2EpKM7jjE7js1GTn55TIVnBT9S6pPMcrzhLGMHKUtGBs/8SjVMW+fAdRDlWaRzrjybSSNEvSo9ORsb0wwUewM8LfAhfwboO4WtombqOgkWAeMGrPKYCoU5rFDRGssojvUGMIw2TARsUAwKRMS2vjEa6rifRBqYLHKnWybrW9dRy4X/OIHP5ACxWKGc80lZkXXBWphglAhPdXsLsdtto24yxqO9b71Z7CC+ogxvUJur2vKG3DXgd+DvQA7sYR90/aFmQKqdckQxLOfO9Us01FoqRjJoOqiQtMTnDKzqzkOOcyrnePpyBLyyzhEkh7OIKbtmLFRrnUq7z2Cqbt5FXcw15U25WqeRorhkvK0U5aQ9KqgyqAja/AC6ZoERlawswEcz2CkmK7WiU/SsdOwT/6pWvg9Ng6HtD/9Ob3vH73Tj2wDPwHPSBD96CY/ABjMEEEKdyvjrfnR/uxv3m/nR/tVLX2dU8BZfC/f0PCqXrRg==</latexit> ↵ ⇠ [0, 1] <latexit sha1_base64="H5vQRYIkQq2T8VZu+SHde3ePncs=">AAAB+XicbVBNS8NAEN34WetX1KOXxSJ4kJKIoMeiF48V7AckoUy2m3bp7ibsbgol9J948aCIV/+JN/+N2zYHbX0w8Hhvhpl5ccaZNp737aytb2xubVd2qrt7+weH7tFxW6e5IrRFUp6qbgyaciZpyzDDaTdTFETMaSce3c/8zpgqzVL5ZCYZjQQMJEsYAWOlnuuGwLMhhJqJwLvEftRza17dmwOvEr8kNVSi2XO/wn5KckGlIRy0DnwvM1EByjDC6bQa5ppmQEYwoIGlEgTVUTG/fIrPrdLHSapsSYPn6u+JAoTWExHbTgFmqJe9mfifF+QmuY0KJrPcUEkWi5KcY5PiWQy4zxQlhk8sAaKYvRWTISggxoZVtSH4yy+vkvZV3ffq/uN1rXFXxlFBp+gMXSAf3aAGekBN1EIEjdEzekVvTuG8OO/Ox6J1zSlnTtAfOJ8/OB2Stw==</latexit> <latexit sha1_base64="H5vQRYIkQq2T8VZu+SHde3ePncs=">AAAB+XicbVBNS8NAEN34WetX1KOXxSJ4kJKIoMeiF48V7AckoUy2m3bp7ibsbgol9J948aCIV/+JN/+N2zYHbX0w8Hhvhpl5ccaZNp737aytb2xubVd2qrt7+weH7tFxW6e5IrRFUp6qbgyaciZpyzDDaTdTFETMaSce3c/8zpgqzVL5ZCYZjQQMJEsYAWOlnuuGwLMhhJqJwLvEftRza17dmwOvEr8kNVSi2XO/wn5KckGlIRy0DnwvM1EByjDC6bQa5ppmQEYwoIGlEgTVUTG/fIrPrdLHSapsSYPn6u+JAoTWExHbTgFmqJe9mfifF+QmuY0KJrPcUEkWi5KcY5PiWQy4zxQlhk8sAaKYvRWTISggxoZVtSH4yy+vkvZV3ffq/uN1rXFXxlFBp+gMXSAf3aAGekBN1EIEjdEzekVvTuG8OO/Ox6J1zSlnTtAfOJ8/OB2Stw==</latexit> <latexit sha1_base64="H5vQRYIkQq2T8VZu+SHde3ePncs=">AAAB+XicbVBNS8NAEN34WetX1KOXxSJ4kJKIoMeiF48V7AckoUy2m3bp7ibsbgol9J948aCIV/+JN/+N2zYHbX0w8Hhvhpl5ccaZNp737aytb2xubVd2qrt7+weH7tFxW6e5IrRFUp6qbgyaciZpyzDDaTdTFETMaSce3c/8zpgqzVL5ZCYZjQQMJEsYAWOlnuuGwLMhhJqJwLvEftRza17dmwOvEr8kNVSi2XO/wn5KckGlIRy0DnwvM1EByjDC6bQa5ppmQEYwoIGlEgTVUTG/fIrPrdLHSapsSYPn6u+JAoTWExHbTgFmqJe9mfifF+QmuY0KJrPcUEkWi5KcY5PiWQy4zxQlhk8sAaKYvRWTISggxoZVtSH4yy+vkvZV3ffq/uN1rXFXxlFBp+gMXSAf3aAGekBN1EIEjdEzekVvTuG8OO/Ox6J1zSlnTtAfOJ8/OB2Stw==</latexit> <latexit sha1_base64="H5vQRYIkQq2T8VZu+SHde3ePncs=">AAAB+XicbVBNS8NAEN34WetX1KOXxSJ4kJKIoMeiF48V7AckoUy2m3bp7ibsbgol9J948aCIV/+JN/+N2zYHbX0w8Hhvhpl5ccaZNp737aytb2xubVd2qrt7+weH7tFxW6e5IrRFUp6qbgyaciZpyzDDaTdTFETMaSce3c/8zpgqzVL5ZCYZjQQMJEsYAWOlnuuGwLMhhJqJwLvEftRza17dmwOvEr8kNVSi2XO/wn5KckGlIRy0DnwvM1EByjDC6bQa5ppmQEYwoIGlEgTVUTG/fIrPrdLHSapsSYPn6u+JAoTWExHbTgFmqJe9mfifF+QmuY0KJrPcUEkWi5KcY5PiWQy4zxQlhk8sAaKYvRWTISggxoZVtSH4yy+vkvZV3ffq/uN1rXFXxlFBp+gMXSAf3aAGekBN1EIEjdEzekVvTuG8OO/Ox6J1zSlnTtAfOJ8/OB2Stw==</latexit>

12. Experiments: Experiment settings: • Mozilla Common Voice: durations between 1.73s

    ~ 7.8s • Attack targets: • ‘hello google’ • ‘this is an adversarial example’ • ‘hello google please cancel my medical appointment’ N. Carlini and D. Wagner, “Audio adversarial examples: Targeted attacks on speech-to-text,” in IEEE Security and Privacy Workshops (SPW), 2018. • Comparisons in terms of: • Temporal dependency-based detection results • Audio attack efficacies • Perturbation magnitudes Comparisons against Carlini and Wagner, 2018, SPW:

13. Experiments: Temporal dependency-based detection results comparison: • Detection result is

    measured by AUC score • Main observations: • The temporal dependency detection identifies Carlini’s adversarial audios accurately • The detection against out method is not much better than random guessing, i.e., our method can evade detection with high probability

14. Experiments: Attack efficacies comparison: WER CER Our’s 0.134 0.044 Carlini’s

    0.130 0.040 Average Attack Word/Char Error Rates <latexit sha1_base64="q6AmSZF3md/7/Tw7c9kT2eBDO3E=">AAACFHicbVDLSsNAFJ34tr6iLt0MFkEQaiKCLqsiuFSxrdCGMpnc2KGTTJi5EUvoR7jxV9y4UMStC3f+jdPHwtdZHc65l3PvCTMpDHrepzMxOTU9Mzs3X1pYXFpecVfX6kblmkONK6n0dcgMSJFCDQVKuM40sCSU0Ai7JwO/cQvaCJVeYS+DIGE3qYgFZ2iltrvTQrjD4sjOsBugR4iMd2lD6Wj3pMM0PdVaaXrJEEy/7Za9ijcE/Uv8MSmTMc7b7kcrUjxPIEUumTFN38swKJhGwSX0S63cQGbzbHLT0pQlYIJi+FSfblklorFNj1WKdKh+3yhYYkwvCe1kwrBjfnsD8T+vmWN8GBQizXKElI+C4lxSVHTQEI2EBo6yZwnjWthbKbdVMI62x5Itwf/98l9S36v4XsW/2C9Xj8d1zJENskm2iU8OSJWckXNSI5zck0fyTF6cB+fJeXXeRqMTznhnnfyA8/4FUpyeVw==</latexit> <latexit sha1_base64="q6AmSZF3md/7/Tw7c9kT2eBDO3E=">AAACFHicbVDLSsNAFJ34tr6iLt0MFkEQaiKCLqsiuFSxrdCGMpnc2KGTTJi5EUvoR7jxV9y4UMStC3f+jdPHwtdZHc65l3PvCTMpDHrepzMxOTU9Mzs3X1pYXFpecVfX6kblmkONK6n0dcgMSJFCDQVKuM40sCSU0Ai7JwO/cQvaCJVeYS+DIGE3qYgFZ2iltrvTQrjD4sjOsBugR4iMd2lD6Wj3pMM0PdVaaXrJEEy/7Za9ijcE/Uv8MSmTMc7b7kcrUjxPIEUumTFN38swKJhGwSX0S63cQGbzbHLT0pQlYIJi+FSfblklorFNj1WKdKh+3yhYYkwvCe1kwrBjfnsD8T+vmWN8GBQizXKElI+C4lxSVHTQEI2EBo6yZwnjWthbKbdVMI62x5Itwf/98l9S36v4XsW/2C9Xj8d1zJENskm2iU8OSJWckXNSI5zck0fyTF6cB+fJeXXeRqMTznhnnfyA8/4FUpyeVw==</latexit> <latexit sha1_base64="q6AmSZF3md/7/Tw7c9kT2eBDO3E=">AAACFHicbVDLSsNAFJ34tr6iLt0MFkEQaiKCLqsiuFSxrdCGMpnc2KGTTJi5EUvoR7jxV9y4UMStC3f+jdPHwtdZHc65l3PvCTMpDHrepzMxOTU9Mzs3X1pYXFpecVfX6kblmkONK6n0dcgMSJFCDQVKuM40sCSU0Ai7JwO/cQvaCJVeYS+DIGE3qYgFZ2iltrvTQrjD4sjOsBugR4iMd2lD6Wj3pMM0PdVaaXrJEEy/7Za9ijcE/Uv8MSmTMc7b7kcrUjxPIEUumTFN38swKJhGwSX0S63cQGbzbHLT0pQlYIJi+FSfblklorFNj1WKdKh+3yhYYkwvCe1kwrBjfnsD8T+vmWN8GBQizXKElI+C4lxSVHTQEI2EBo6yZwnjWthbKbdVMI62x5Itwf/98l9S36v4XsW/2C9Xj8d1zJENskm2iU8OSJWckXNSI5zck0fyTF6cB+fJeXXeRqMTznhnnfyA8/4FUpyeVw==</latexit> <latexit sha1_base64="q6AmSZF3md/7/Tw7c9kT2eBDO3E=">AAACFHicbVDLSsNAFJ34tr6iLt0MFkEQaiKCLqsiuFSxrdCGMpnc2KGTTJi5EUvoR7jxV9y4UMStC3f+jdPHwtdZHc65l3PvCTMpDHrepzMxOTU9Mzs3X1pYXFpecVfX6kblmkONK6n0dcgMSJFCDQVKuM40sCSU0Ai7JwO/cQvaCJVeYS+DIGE3qYgFZ2iltrvTQrjD4sjOsBugR4iMd2lD6Wj3pMM0PdVaaXrJEEy/7Za9ijcE/Uv8MSmTMc7b7kcrUjxPIEUumTFN38swKJhGwSX0S63cQGbzbHLT0pQlYIJi+FSfblklorFNj1WKdKh+3yhYYkwvCe1kwrBjfnsD8T+vmWN8GBQizXKElI+C4lxSVHTQEI2EBo6yZwnjWthbKbdVMI62x5Itwf/98l9S36v4XsW/2C9Xj8d1zJENskm2iU8OSJWckXNSI5zck0fyTF6cB+fJeXXeRqMTznhnnfyA8/4FUpyeVw==</latexit> • Attack efficacy metric: • Use WER/CER to measure consistency between adversarial audio’s transcript and corresponding attack target • We compare the averaged WER/CER between ours and Carlini’s • Both audio attack methods have about the same attack efficacy

15. 15 Perturbation magnitudes comparison: Experiments: • We use Decibel to

    measure the perturbation magnitude: • Smaller value indicates quieter perturbation: • The averaged perturbations of Our’s and Carlini’s are: -30dB v.s. -45dB • We sacrificed some perturbation magnitude in exchange for lower detectability dB(x) = max i 20 log10 xi <latexit sha1_base64="KQeRN2eeXAwcPztFFUhqpvphYPw=">AAACCXicbVDLSsNAFJ3UV62vqEs3g0Wom5IUQTdCqRuXFewDmhAmk0k7dCYJMxNpCdm68VfcuFDErX/gzr9x2mahrQcuHM65l3vv8RNGpbKsb6O0tr6xuVXeruzs7u0fmIdHXRmnApMOjlks+j6ShNGIdBRVjPQTQRD3Gen545uZ33sgQtI4ulfThLgcDSMaUoyUljwTBq3a5BxeQ4ejiZfRPGtYDouHXmZb+cSjuWdWrbo1B1wldkGqoEDbM7+cIMYpJ5HCDEk5sK1EuRkSimJG8oqTSpIgPEZDMtA0QpxIN5t/ksMzrQQwjIWuSMG5+nsiQ1zKKfd1J0dqJJe9mfifN0hVeOVmNEpSRSK8WBSmDKoYzmKBARUEKzbVBGFB9a0Qj5BAWOnwKjoEe/nlVdJt1G2rbt9dVJutIo4yOAGnoAZscAma4Ba0QQdg8AiewSt4M56MF+Pd+Fi0loxi5hj8gfH5A9JQmSk=</latexit> <latexit sha1_base64="KQeRN2eeXAwcPztFFUhqpvphYPw=">AAACCXicbVDLSsNAFJ3UV62vqEs3g0Wom5IUQTdCqRuXFewDmhAmk0k7dCYJMxNpCdm68VfcuFDErX/gzr9x2mahrQcuHM65l3vv8RNGpbKsb6O0tr6xuVXeruzs7u0fmIdHXRmnApMOjlks+j6ShNGIdBRVjPQTQRD3Gen545uZ33sgQtI4ulfThLgcDSMaUoyUljwTBq3a5BxeQ4ejiZfRPGtYDouHXmZb+cSjuWdWrbo1B1wldkGqoEDbM7+cIMYpJ5HCDEk5sK1EuRkSimJG8oqTSpIgPEZDMtA0QpxIN5t/ksMzrQQwjIWuSMG5+nsiQ1zKKfd1J0dqJJe9mfifN0hVeOVmNEpSRSK8WBSmDKoYzmKBARUEKzbVBGFB9a0Qj5BAWOnwKjoEe/nlVdJt1G2rbt9dVJutIo4yOAGnoAZscAma4Ba0QQdg8AiewSt4M56MF+Pd+Fi0loxi5hj8gfH5A9JQmSk=</latexit> <latexit sha1_base64="KQeRN2eeXAwcPztFFUhqpvphYPw=">AAACCXicbVDLSsNAFJ3UV62vqEs3g0Wom5IUQTdCqRuXFewDmhAmk0k7dCYJMxNpCdm68VfcuFDErX/gzr9x2mahrQcuHM65l3vv8RNGpbKsb6O0tr6xuVXeruzs7u0fmIdHXRmnApMOjlks+j6ShNGIdBRVjPQTQRD3Gen545uZ33sgQtI4ulfThLgcDSMaUoyUljwTBq3a5BxeQ4ejiZfRPGtYDouHXmZb+cSjuWdWrbo1B1wldkGqoEDbM7+cIMYpJ5HCDEk5sK1EuRkSimJG8oqTSpIgPEZDMtA0QpxIN5t/ksMzrQQwjIWuSMG5+nsiQ1zKKfd1J0dqJJe9mfifN0hVeOVmNEpSRSK8WBSmDKoYzmKBARUEKzbVBGFB9a0Qj5BAWOnwKjoEe/nlVdJt1G2rbt9dVJutIo4yOAGnoAZscAma4Ba0QQdg8AiewSt4M56MF+Pd+Fi0loxi5hj8gfH5A9JQmSk=</latexit> <latexit sha1_base64="KQeRN2eeXAwcPztFFUhqpvphYPw=">AAACCXicbVDLSsNAFJ3UV62vqEs3g0Wom5IUQTdCqRuXFewDmhAmk0k7dCYJMxNpCdm68VfcuFDErX/gzr9x2mahrQcuHM65l3vv8RNGpbKsb6O0tr6xuVXeruzs7u0fmIdHXRmnApMOjlks+j6ShNGIdBRVjPQTQRD3Gen545uZ33sgQtI4ulfThLgcDSMaUoyUljwTBq3a5BxeQ4ejiZfRPGtYDouHXmZb+cSjuWdWrbo1B1wldkGqoEDbM7+cIMYpJ5HCDEk5sK1EuRkSimJG8oqTSpIgPEZDMtA0QpxIN5t/ksMzrQQwjIWuSMG5+nsiQ1zKKfd1J0dqJJe9mfifN0hVeOVmNEpSRSK8WBSmDKoYzmKBARUEKzbVBGFB9a0Qj5BAWOnwKjoEe/nlVdJt1G2rbt9dVJutIo4yOAGnoAZscAma4Ba0QQdg8AiewSt4M56MF+Pd+Fi0loxi5hj8gfH5A9JQmSk=</latexit>

16. Conclusion and future work • We explored the role of

    temporal dependency in adversarial audio example s • We proposed a new audio attack that evades the temporal dependency detectio n • Experiments shows the new audio attack’s efficacy and low perturbation magnitude Conclusions Future work • One future work is to incorporate temporal dependency to develop more robustness detection methods Funding • This work was supported by grants from the Department of Energy #DE-NA0003946, Army Research Lab W56KGU-20-C-0002, and National Science Foundation CAREER #1943552

17. Questions Please email [email protected] Thank You!