STEP: Detecting Audio Backdoor Attacks via Stability-based Trigger Exposure Profiling

TL;DR

This paper introduces STEP, a novel black-box detection method for audio backdoor attacks that exploits the dual anomaly of label stability and fragility under different perturbations, achieving high detection accuracy.

Contribution

STEP is the first to leverage stability-based profiling for audio backdoor detection, operating without retraining and under hard-label-only access, outperforming existing methods.

Findings

Achieves 97.92% AUROC in detecting backdoors.

Generalizes across multiple speech models and tasks.

Effective in physical-world over-the-air scenarios.

Abstract

With the widespread deployment of deep-learning-based speech models in security-critical applications, backdoor attacks have emerged as a serious threat: an adversary who poisons a small fraction of training data can implant a hidden trigger that controls the model's output while preserving normal behavior on clean inputs. Existing inference-time defenses are not well suited to the audio domain, as they either rely on trigger over-robustness assumptions that fail on transformation-based and semantic triggers, or depend on properties specific to image or text modalities. In this paper, we propose STEP (Stability-based Trigger Exposure Profiling), a black-box, retraining-free backdoor detector that operates under hard-label-only access. Its core idea is to exploit a characteristic dual anomaly of backdoor triggers: anomalous label stability under semantic-breaking perturbations, and anomalous label fragility under semantic-preserving perturbations. STEP profiles each test sample with two complementary perturbation branches that target these two properties respectively, scores the resulting stability features with one-class anomaly detectors trained on benign references, and fuses the two scores via unsupervised weighting. Extensive experiments across seven backdoor attacks show that STEP achieves an average AUROC of 97.92% and EER of 4.54%, substantially outperforming state-of-the-art baselines, and generalizes across model architectures, speech tasks, an open-set verification scenario, and over-the-air physical-world settings.