Speech Pattern based Black-box Model Watermarking for Automatic Speech Recognition
Haozhe Chen, Weiming Zhang, Kunlin Liu, Kejiang Chen, Han Fang, Nenghai Yu

TL;DR
This paper introduces a novel black-box watermarking framework for automatic speech recognition models that embeds ownership information via linguistic steganography, demonstrating robustness and minimal accuracy impact.
Contribution
It presents the first black-box watermarking scheme for ASR models, addressing unique challenges and enabling IP protection for cloud-based speech recognition services.
Findings
Robust against five attack types
Minimal impact on ASR accuracy
Effective in real-world open-source ASR system
Abstract
As an effective method for intellectual property (IP) protection, model watermarking technology has been applied to a wide variety of deep neural networks (DNNs), including speech classification models. However, how to design a black-box watermarking scheme for automatic speech recognition (ASR) models is still an unsolved problem, which is a significant demand for protecting remote ASR Application Programming Interfaces (APIs) deployed in cloud servers. Due to the conditional independence assumption and the label-detection-based evasion attack risk of ASR models, the black-box model watermarking scheme for speech classification models cannot be applied to ASR models. In this paper, we propose the first black-box model watermarking framework for protecting the IP of ASR models. Specifically, we synthesize trigger audios by spreading the speech clips of model owners over the entire input audios and…
