Transferable Adversarial Attacks against ASR

TL;DR

This paper investigates the vulnerability of black-box ASR models to transferable adversarial attacks, proposing new attack methods and a speech-aware optimization technique to induce mistranscriptions with minimal perceptibility.

Contribution

It introduces two advanced transferable attack methods and a speech-aware gradient optimization approach specifically designed for black-box ASR robustness evaluation.

Findings

Enhanced attack success rates across five models

Improved robustness evaluation methodology

Minimal perceptibility of adversarial perturbations

Abstract

Given the extensive research and real-world applications of automatic speech recognition (ASR), ensuring the robustness of ASR models against minor input perturbations becomes a crucial consideration for maintaining their effectiveness in real-time scenarios. Previous explorations into ASR model robustness have predominantly revolved around evaluating accuracy on white-box settings with full access to ASR models. Nevertheless, full ASR model details are often not available in real-world applications. Therefore, evaluating the robustness of black-box ASR models is essential for a comprehensive understanding of ASR model resilience. In this regard, we thoroughly study the vulnerability of practical black-box attacks in cutting-edge ASR models and propose to employ two advanced time-domain-based transferable attacks alongside our differentiable feature extractor. We also propose a speech-aware gradient optimization approach (SAGO) for ASR, which forces mistranscription with minimal impact on human imperceptibility through voice activity detection rule and a speech-aware gradient-oriented optimizer. Our comprehensive experimental results reveal performance enhancements compared to baseline approaches across five models on two databases.