Universal adversarial examples in speech command classification

TL;DR

This paper demonstrates the existence of universal adversarial perturbations in speech command classification, showing they can generalize across models and proposing new evaluation frameworks for their effectiveness and realism.

Contribution

It introduces the first evidence of universal attacks in speech command tasks and develops analytical and distortion measurement frameworks.

Findings

Universal perturbations can generalize across models.

Effectiveness decreases with higher universality levels.

Current methods may overestimate perturbation realism.

Abstract

Adversarial examples are inputs intentionally perturbed with the aim of forcing a machine learning model to produce a wrong prediction, while the changes are not easily detectable by a human. Although this topic has been intensively studied in the image domain, classification tasks in the audio domain have received less attention. In this paper we address the existence of universal perturbations for speech command classification. We provide evidence that universal attacks can be generated for speech command classification tasks, which are able to generalize across different models to a significant extent. Additionally, a novel analytical framework is proposed for the evaluation of universal perturbations under different levels of universality, demonstrating that the feasibility of generating effective perturbations decreases as the universality level increases. Finally, we propose a more detailed and rigorous framework to measure the amount of distortion introduced by the perturbations, demonstrating that the methods employed by convention are not realistic in audio-based problems.