Multi-Discriminator Sobolev Defense-GAN Against Adversarial Attacks for End-to-End Speech Systems

TL;DR

This paper presents a novel defense method for speech-to-text systems against adversarial attacks, utilizing a Sobolev GAN-based spectrogram synthesis and a spectrogram subspace projection to enhance robustness and signal quality.

Contribution

The paper introduces a new Sobolev GAN architecture and a spectrogram subspace projection method for improved adversarial defense in speech systems.

Findings

Outperforms state-of-the-art defenses in accuracy.

Effective against six strong white and black-box attacks.

Maintains high signal quality and stability.

Abstract

This paper introduces a defense approach against end-to-end adversarial attacks developed for cutting-edge speech-to-text systems. The proposed defense algorithm has four major steps. First, we represent speech signals with 2D spectrograms using the short-time Fourier transform. Second, we iteratively find a safe vector using a spectrogram subspace projection operation. This operation minimizes the chordal distance adjustment between spectrograms with an additional regularization term. Third, we synthesize a spectrogram with such a safe vector using a novel GAN architecture trained with Sobolev integral probability metric. To improve the model's performance in terms of stability and the total number of learned modes, we impose an additional constraint on the generator network. Finally, we reconstruct the signal from the synthesized spectrogram and the Griffin-Lim phase approximation technique. We evaluate the proposed defense approach against six strong white and black-box adversarial attacks benchmarked on DeepSpeech, Kaldi, and Lingvo models. Our experimental results show that our algorithm outperforms other state-of-the-art defense algorithms both in terms of accuracy and signal quality.