TL;DR
This paper explores the use of diffusion models to detect and defend against adversarial attacks on speech recognition systems. It demonstrates that a simple diffusion step can effectively defend sentence-level inputs and that a new detection method achieves high accuracy.
Contribution
It systematically investigates diffusion models for sentence-level ASR defense and introduces a training-free adversarial detection approach with high accuracy.
Findings
Two diffusion steps can fully defend against sentence-level adversarial attacks.
A training-free detection method achieves high accuracy.
The number of diffusion steps affects defense effectiveness.
Abstract
Automatic speech recognition (ASR) systems are known to be vulnerable to adversarial attacks. This paper addresses detection and defence against targeted white-box attacks on speech signals for ASR systems. While existing work has utilised diffusion models (DMs) to purify adversarial examples, achieving state-of-the-art results in keyword spotting tasks, their effectiveness for more complex tasks such as sentence-level ASR remains unexplored. Additionally, the impact of the number of forward diffusion steps on performance is not well understood. In this paper, we systematically investigate the use of DMs for defending against adversarial attacks on sentences and examine the effect of varying forward diffusion steps. Through comprehensive experiments on the Mozilla Common Voice dataset, we demonstrate that two forward diffusion steps can completely defend against adversarial attacks on…
Taxonomy
Methods: Diffusion
