Mel Frequency Spectral Domain Defenses against Adversarial Attacks on Speech Recognition Systems

TL;DR

This paper introduces a speech-specific defense method called 'mel domain noise flooding' (MDNF) that enhances robustness of speech recognition systems against adversarial attacks by applying noise in the mel spectral domain, outperforming baseline defenses.

Contribution

The paper proposes a novel mel spectral domain defense, MDNF, tailored for speech recognition, addressing limitations of image-based defenses in speech applications.

Findings

MDNF improves robustness against PGD and CW attacks.

MDNF outperforms randomized smoothing baseline.

Defense is effective in strong threat models.

Abstract

A variety of recent works have looked into defenses for deep neural networks against adversarial attacks particularly within the image processing domain. Speech processing applications such as automatic speech recognition (ASR) are increasingly relying on deep learning models, and so are also prone to adversarial attacks. However, many of the defenses explored for ASR simply adapt the image-domain defenses, which may not provide optimal robustness. This paper explores speech specific defenses using the mel spectral domain, and introduces a novel defense method called 'mel domain noise flooding' (MDNF). MDNF applies additive noise to the mel spectrogram of a speech utterance prior to re-synthesising the audio signal. We test the defenses against strong white-box adversarial attacks such as projected gradient descent (PGD) and Carlini-Wagner (CW) attacks, and show better robustness compared to a randomized smoothing baseline across strong threat models.