Gregory Ditzler Department of Electrical & Computer Engineering University of Arizona Tucson, AZ 85721 USA {hengl, ditzler}@email.arizona.edu SSCI 2020
based audio attack
• Carlini and Wagner, 2018, SPW
• Gradient based audio attack (over-the-air)
• Yukura and Sakuma, IJCAI, 2019
• Black-box audio attack (free of gradient calculation)
• Taori et al., SPW, 2019

Adversarial audio detection
• Feature transformation
• Frequency filters
• Temporal dependency-based methods

Yang, et al., “Characterizing audio adversarial examples using temporal dependency,” in International Conference on Learning Representations, 2019.
K. Rajaratnam and J. Kalita, “Noise flooding for detecting audio adversarial examples against automatic speech recognition,” in IEEE International Symposium on Signal Processing and Information Technology, pp. 197–201, 2018.
adversarial examples using temporal dependency,” in International Conference on Learning Representations, 2019.

Temporal dependency-based detection:
• Empirical test proves adequate to detect a variety of state-of-the-art audio attacks
• Contributions:
  • revisit the LSTM to explore the role of temporal dependency in adversarial audio
  • propose a new audio attack that evades the temporal dependency-based detection
• Scenario 2: audio attack completely removes the Temporal Dependency from the adversarial audio
• A state-of-the-art audio attack method (Carlini and Wagner, 2018, SPW):
  • Attack efficacy optimization
  • Perturbation magnitude minimization

Contribution: Part 2
A novel audio attack:

$$\arg\min_{X^a} \; \mathcal{L}_{CTC}(X^a, Y^a) + \|X - X^a\|_2^2$$

N. Carlini and D. Wagner, “Audio adversarial examples: Targeted attacks on speech-to-text,” in IEEE Security and Privacy Workshops (SPW), 2018.

Temporal dependency-based detection fails at:
the scenario 2: the audio attack completely removes the temporal dependency from the generated adversarial audio
• The new audio attack objective:
  • Penalizing the hidden state’s impact on outputs: $\|U_z h^a_t\|_2^2$
  • Rewarding the input’s impact on outputs: $\|W_z X^a_t\|_2^2$

$$\arg\min_{X^a} \; \mathcal{L}_{CTC}(X^a, Y^a) + \|X - X^a\|_2^2 + \sum_{z \in \{f,i,o,c\}} \sum_t \left\{ \|U_z h^a_t\|_2^2 - \|W_z X^a_t\|_2^2 \right\}$$
work on the new objective:
• the hyper-parameter $\alpha$ controls the trade off:

$$\text{term 1} = \mathcal{L}_{CTC}(X^a, Y^a) + \|X - X^a\|_2^2$$

$$\text{term 2} = \sum_{z \in \{f,i,o,c\}} \sum_t \left\{ \|U_z h^a_t\|_2^2 - \|W_z X^a_t\|_2^2 \right\}$$

$$\arg\min_{X^a} \; \alpha \, \frac{\text{term 1}}{\text{term 1} + \text{term 2}} + (1 - \alpha) \, \frac{\text{term 2}}{\text{term 1} + \text{term 2}}, \qquad \alpha \sim [0, 1]$$
~ 7.8s
• Attack targets:
  • ‘hello google’
  • ‘this is an adversarial example’
  • ‘hello google please cancel my medical appointment’

N. Carlini and D. Wagner, “Audio adversarial examples: Targeted attacks on speech-to-text,” in IEEE Security and Privacy Workshops (SPW), 2018.

• Comparisons in terms of:
  • Temporal dependency-based detection results
  • Audio attack efficacies
  • Perturbation magnitudes

Comparisons against Carlini and Wagner, 2018, SPW:
measured by AUC score
• Main observations:
  • The temporal dependency detection identifies Carlini’s adversarial audios accurately
  • The detection against our method is not much better than random guessing, i.e., our method can evade detection with high probability
0.130 0.040
Average Attack Word/Char Error Rates
• Attack efficacy metric:
  • Use WER/CER to measure consistency between adversarial audio’s transcript and corresponding attack target
  • We compare the averaged WER/CER between ours and Carlini’s
  • Both audio attack methods have about the same attack efficacy
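The WER/CER metric and the AUC-scored temporal dependency check discussed in these slides, as an added example (not the authors' code): it scores how consistent the transcript of an audio prefix is with the same-length prefix of the whole-audio transcript, the comparison used by Yang et al., and summarizes detection with AUC. Function names and the transcripts are constructed for illustration, and no speech recognizer is involved.

```python
# Added example: temporal-dependency (TD) consistency scoring on constructed transcripts.
from typing import List, Sequence, Tuple


def edit_distance(ref: Sequence, hyp: Sequence) -> int:
    """Levenshtein distance between two token sequences (words or characters)."""
    prev = list(range(len(hyp) + 1))
    for i, r in enumerate(ref, start=1):
        cur = [i]
        for j, h in enumerate(hyp, start=1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (r != h)))  # substitution or match
        prev = cur
    return prev[-1]


def wer(ref: str, hyp: str) -> float:
    """Word error rate: word-level edits divided by reference length."""
    r, h = ref.split(), hyp.split()
    return edit_distance(r, h) / max(len(r), 1)


def cer(ref: str, hyp: str) -> float:
    """Character error rate: character-level edits divided by reference length."""
    return edit_distance(ref, hyp) / max(len(ref), 1)


def td_score(prefix_transcript: str, full_transcript: str) -> float:
    """Inconsistency between the transcript of the first part of the audio and
    the same-length prefix of the whole-audio transcript (higher = more suspicious)."""
    n = len(prefix_transcript.split())
    full_prefix = " ".join(full_transcript.split()[:n])
    return wer(full_prefix, prefix_transcript)


def auc(scores: List[float], labels: List[int]) -> float:
    """Probability that an adversarial sample (label 1) scores higher than a
    benign one (label 0); ties count one half."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum((p > q) + 0.5 * (p == q) for p in pos for q in neg)
    return wins / (len(pos) * len(neg))


# Constructed data: (transcript of first half, transcript of whole audio, label).
SAMPLES: List[Tuple[str, str, int]] = [
    ("please call me", "please call me back this evening", 0),
    ("the weather is", "the weather is nice today", 0),
    ("turn of the light", "turn off the light in the kitchen", 0),  # benign ASR slip
    ("the meeting starts at", "hello google please cancel my medical appointment", 1),
    ("i would like", "this is an adversarial example", 1),
    # Adversarial audio that keeps prefix consistency: the detector's blind spot.
    ("hello google", "hello google please cancel my medical appointment", 1),
]


def evaluate(samples: List[Tuple[str, str, int]] = SAMPLES) -> float:
    scores = [td_score(p, f) for p, f, _ in samples]
    return auc(scores, [y for _, _, y in samples])


if __name__ == "__main__":
    print("TD detection AUC on constructed data:", round(evaluate(), 3))
```

The last constructed sample scores 0 because its prefix transcript agrees with the full transcript, which pulls the AUC down; a detector that relies on this score alone needs a second signal for such inputs.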
measure the perturbation magnitude:

$$dB(x) = \max_i 20 \log_{10}(x_i)$$

• Smaller value indicates quieter perturbation
• The averaged perturbations of ours and Carlini’s are: -30dB vs. -45dB
• We sacrificed some perturbation magnitude in exchange for lower detectability
temporal dependency in adversarial audio examples
• We proposed a new audio attack that evades the temporal dependency detection
• Experiments show the new audio attack’s efficacy and low perturbation magnitude

Conclusions

Future work
• One future work is to incorporate temporal dependency to develop more robust detection methods

Funding
• This work was supported by grants from the Department of Energy #DE-NA0003946, Army Research Lab W56KGU-20-C-0002, and National Science Foundation CAREER #1943552