Leveraging Domain Features for Detecting Adversarial Attacks Against Deep Speech Recognition in Noise

TL;DR

This paper introduces a domain-specific feature-based approach using filter bank features to improve the detection of adversarial attacks on deep speech recognition systems, especially in noisy environments.

Contribution

It explores the use of filter bank features and speech/non-speech separation for adversarial attack detection, addressing noise robustness in ASR systems.

Findings

Inverse filter bank features outperform other features in attack detection.

Detection is effective using either speech or non-speech segments.

Acoustic noise significantly reduces detection performance.

Abstract

In recent years, significant progress has been made in deep model-based automatic speech recognition (ASR), leading to its widespread deployment in the real world. At the same time, adversarial attacks against deep ASR systems are highly successful. Various methods have been proposed to defend ASR systems from these attacks. However, existing classification based methods focus on the design of deep learning models while lacking exploration of domain specific features. This work leverages filter bank-based features to better capture the characteristics of attacks for improved detection. Furthermore, the paper analyses the potentials of using speech and non-speech parts separately in detecting adversarial attacks. In the end, considering adverse environments where ASR systems may be deployed, we study the impact of acoustic noise of various types and signal-to-noise ratios. Extensive experiments show that the inverse filter bank features generally perform better in both clean and noisy environments, the detection is effective using either speech or non-speech part, and the acoustic noise can largely degrade the detection performance.