SoK: A Modularized Approach to Study the Security of Automatic Speech Recognition Systems

TL;DR

This paper systematically reviews the security of Automatic Speech Recognition systems, categorizing attacks and defenses, and draws parallels with image recognition security to identify challenges and future directions.

Contribution

It provides a comprehensive taxonomy of ASR security based on a modular workflow and aligns it with image recognition security research for better understanding.

Findings

Transfer learning across ASR models is feasible without knowledge of models or data.

A modularized taxonomy for ASR security attacks and defenses.

Comparison with image recognition security highlights unique challenges in ASR.

Abstract

With the wide use of Automatic Speech Recognition (ASR) in applications such as human machine interaction, simultaneous interpretation, audio transcription, etc., its security protection becomes increasingly important. Although recent studies have brought to light the weaknesses of popular ASR systems that enable out-of-band signal attack, adversarial attack, etc., and further proposed various remedies (signal smoothing, adversarial training, etc.), a systematic understanding of ASR security (both attacks and defenses) is still missing, especially on how realistic such threats are and how general existing protection could be. In this paper, we present our systematization of knowledge for ASR security and provide a comprehensive taxonomy for existing work based on a modularized workflow. More importantly, we align the research in this domain with that on security in Image Recognition System (IRS), which has been extensively studied, using the domain knowledge in the latter to help understand where we stand in the former. Generally, both IRS and ASR are perceptual systems. Their similarities allow us to systematically study existing literature in ASR security based on the spectrum of attacks and defense solutions proposed for IRS, and pinpoint the directions of more advanced attacks and the directions potentially leading to more effective protection in ASR. In contrast, their differences, especially the complexity of ASR compared with IRS, help us learn unique challenges and opportunities in ASR security. Particularly, our experimental study shows that transfer learning across ASR models is feasible, even in the absence of knowledge about models (even their types) and training data.