Neural Predictor for Black-Box Adversarial Attacks on Speech Recognition

TL;DR

This paper introduces NP-Attack, a neural predictor-based black-box attack method for speech recognition systems that efficiently finds adversarial examples with fewer queries by estimating minimal perturbations.

Contribution

The paper proposes a novel neural predictor approach that improves query efficiency in black-box audio adversarial attacks for speech recognition.

Findings

Achieves competitive attack success rates with fewer queries.

Outperforms existing black-box attack methods in efficiency.

Demonstrates effectiveness on speech recognition models.

Abstract

Recent works have revealed the vulnerability of automatic speech recognition (ASR) models to adversarial examples (AEs), i.e., small perturbations that cause an error in the transcription of the audio signal. Studying audio adversarial attacks is therefore the first step towards robust ASR. Despite the significant progress made in attacking audio examples, the black-box attack remains challenging because only the hard-label information of transcriptions is provided. Due to this limited information, existing black-box methods often require an excessive number of queries to attack a single audio example. In this paper, we introduce NP-Attack, a neural predictor-based method, which progressively evolves the search towards a small adversarial perturbation. Given a perturbation direction, our neural predictor directly estimates the smallest perturbation that causes a mistranscription. In particular, it enables NP-Attack to accurately learn promising perturbation directions via gradient-based optimization. Experimental results show that NP-Attack achieves competitive results with other state-of-the-art black-box adversarial attacks while requiring a significantly smaller number of queries. The code of NP-Attack is available online.