Selective Audio Adversarial Example in Evasion Attack on Speech Recognition System
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 6-27-2019, DOI: 10.1109/tifs.2019.2925452
Hyun Kwon, Yongchul Kim, Hyunsoo Yoon, Daeseon Choi

Deep neural networks (DNNs) are widely used for image recognition, speech recognition, and other pattern analysis tasks. Despite the success of DNNs, these systems can be exploited by what is termed adversarial examples. An adversarial example, in which a small distortion is added to the input data, can be designed to be misclassified by the DNN while remaining undetected by humans or other systems. Such adversarial examples have been studied mainly in the image domain. Recently, however, studies on adversarial examples have been expanding into the voice domain. For example, when an adversarial example is applied to enemy wiretapping devices (victim classifiers) in a military environment, the enemy device will misinterpret the intended message. In such scenarios, it is necessary that friendly wiretapping devices (protected classifiers) should not be deceived. Therefore, the selective adversarial example concept can be useful in mixed situations, defined as situations in which there is both a classifier to be protected and a classifier to be attacked. In this paper, we propose a selective audio adversarial example with minimum distortion that will be misclassified as the target phrase by a victim classifier but correctly classified as the original phrase by a protected classifier. To generate such examples, a transformation is carried out to minimize the probability of incorrect classification by the protected classifier and that of correct classification by the victim classifier. We conducted experiments targeting the state-of-the-art DeepSpeech voice recognition model using Mozilla Common Voice datasets and the TensorFlow library. They showed that the proposed method can generate a selective audio adversarial example with a 91.67% attack success rate and 85.67% protected classifier accuracy.

Updated: 2024-08-22