Universal Acoustic Adversarial Attacks for Flexible Control of Speech-LLMs

TL;DR

This paper demonstrates that speech LLMs are vulnerable to universal acoustic adversarial attacks, which can manipulate or disable model outputs, highlighting the need for improved robustness in speech processing models.

Contribution

The study introduces a novel universal acoustic adversarial attack method for speech LLMs, including targeted and attribute-specific attacks, revealing critical vulnerabilities.

Findings

Vulnerabilities in Qwen2-Audio and Granite-Speech models

Universal attacks can disable or alter model outputs

Attribute-specific attacks enable fine-grained control

Abstract

The combination of pre-trained speech encoders with large language models has enabled the development of speech LLMs that can handle a wide range of spoken language processing tasks. While these models are powerful and flexible, this very flexibility may make them more vulnerable to adversarial attacks. To examine the extent of this problem, in this work we investigate universal acoustic adversarial attacks on speech LLMs. Here a fixed, universal, adversarial audio segment is prepended to the original input audio. We initially investigate attacks that cause the model to either produce no output or to perform a modified task overriding the original prompt. We then extend the nature of the attack to be selective so that it activates only when specific input attributes, such as a speaker gender or spoken language, are present. Inputs without the targeted attribute should be unaffected, allowing fine-grained control over the model outputs. Our findings reveal critical vulnerabilities in Qwen2-Audio and Granite-Speech and suggest that similar speech LLMs may be susceptible to universal adversarial attacks. This highlights the need for more robust training strategies and improved resistance to adversarial attacks.