PBSM: Backdoor attack against Keyword spotting based on pitch boosting and sound masking

TL;DR

This paper introduces PBSM, a backdoor attack method on keyword spotting systems using pitch boosting and sound masking, achieving high success rates with minimal training data poisoning.

Contribution

The paper presents a novel backdoor attack scheme for KWS leveraging pitch boosting and sound masking, demonstrating its effectiveness with low data poisoning.

Findings

Achieves nearly 90% attack success rate

Poisoning less than 1% of training data

Effective across multiple victim models

Abstract

Keyword spotting (KWS) has been widely used in various speech control scenarios. The training of KWS is usually based on deep neural networks and requires a large amount of data. Manufacturers often use third-party data to train KWS. However, deep neural networks are not sufficiently interpretable to manufacturers, and attackers can manipulate third-party training data to plant backdoors during the model training. An effective backdoor attack can force the model to make specified judgments under certain conditions, i.e., triggers. In this paper, we design a backdoor attack scheme based on Pitch Boosting and Sound Masking for KWS, called PBSM. Experimental results demonstrated that PBSM is feasible to achieve an average attack success rate close to 90% in three victim models when poisoning less than 1% of the training data.