Detecting Audio Adversarial Examples with Logit Noising

TL;DR

This paper introduces a simple yet effective detection method for audio adversarial examples in speech recognition systems by adding noise to logits, which significantly alters adversarial transcriptions while minimally affecting benign audio.

Contribution

The authors propose a novel logit noising technique for detecting audio adversarial examples without requiring changes to ASR system architecture or retraining.

Findings

Effective detection of over-line audio adversarial examples

Robustness against over-air adversarial attacks

No structural changes needed in ASR systems

Abstract

Automatic speech recognition (ASR) systems are vulnerable to audio adversarial examples that attempt to deceive ASR systems by adding perturbations to benign speech signals. Although an adversarial example and the original benign wave are indistinguishable to humans, the former is transcribed as a malicious target sentence by ASR systems. Several methods have been proposed to generate audio adversarial examples and feed them directly into the ASR system (over-line). Furthermore, many researchers have demonstrated the feasibility of robust physical audio adversarial examples(over-air). To defend against the attacks, several studies have been proposed. However, deploying them in a real-world situation is difficult because of accuracy drop or time overhead. In this paper, we propose a novel method to detect audio adversarial examples by adding noise to the logits before feeding them into the decoder of the ASR. We show that carefully selected noise can significantly impact the transcription results of the audio adversarial examples, whereas it has minimal impact on the transcription results of benign audio waves. Based on this characteristic, we detect audio adversarial examples by comparing the transcription altered by logit noising with its original transcription. The proposed method can be easily applied to ASR systems without any structural changes or additional training. The experimental results show that the proposed method is robust to over-line audio adversarial examples as well as over-air audio adversarial examples compared with state-of-the-art detection methods.