Clean Label Attacks against SLU Systems

TL;DR

This paper demonstrates highly effective clean label backdoor poisoning attacks on speech recognition models, achieving near-perfect success rates with minimal data poisoning, and evaluates defenses with mixed results.

Contribution

It adapts clean label backdoor attacks to speech models, analyzing factors affecting success and testing defenses against these attacks.

Findings

99.8% attack success rate with 10% poisoning

99.3% success with only 1.5% poisoning

Defenses show mixed effectiveness against CLBD attacks

Abstract

Poisoning backdoor attacks involve an adversary manipulating the training data to induce certain behaviors in the victim model by inserting a trigger in the signal at inference time. We adapted clean label backdoor (CLBD)-data poisoning attacks, which do not modify the training labels, on state-of-the-art speech recognition models that support/perform a Spoken Language Understanding task, achieving 99.8% attack success rate by poisoning 10% of the training data. We analyzed how varying the signal-strength of the poison, percent of samples poisoned, and choice of trigger impact the attack. We also found that CLBD attacks are most successful when applied to training samples that are inherently hard for a proxy model. Using this strategy, we achieved an attack success rate of 99.3% by poisoning a meager 1.5% of the training data. Finally, we applied two previously developed defenses against gradient-based attacks, and found that they attain mixed success against poisoning.