Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition

TL;DR

This paper introduces imperceptible and robust targeted adversarial examples for speech recognition, leveraging auditory masking and environmental robustness to improve over previous methods in imperceptibility and physical-world effectiveness.

Contribution

It presents novel audio adversarial examples that are both imperceptible to humans and effective in real-world conditions, advancing the security of speech recognition systems.

Findings

Achieved 100% targeted success rate with imperceptible perturbations

Developed perturbations effective after environmental distortions

Validated imperceptibility through human studies

Abstract

Adversarial examples are inputs to machine learning models designed by an adversary to cause an incorrect output. So far, adversarial examples have been studied most extensively in the image domain. In this domain, adversarial examples can be constructed by imperceptibly modifying images to cause misclassification, and are practical in the physical world. In contrast, current targeted adversarial examples applied to speech recognition systems have neither of these properties: humans can easily identify the adversarial perturbations, and they are not effective when played over-the-air. This paper makes advances on both of these fronts. First, we develop effectively imperceptible audio adversarial examples (verified through a human study) by leveraging the psychoacoustic principle of auditory masking, while retaining 100% targeted success rate on arbitrary full-sentence targets. Next, we make progress towards physical-world over-the-air audio adversarial examples by constructing perturbations which remain effective even after applying realistic simulated environmental distortions.