Leveraging characteristics of the output distribution for identifying adversarial audio examples

Download PDF

Matias Patricio Pizarro Bustamante, Dorothea Kolossa, Asja Fischer

22 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX
Primary Area: representation learning for computer vision, audio, language, and other modalities
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Audio adversarial examples, ASR, machine learning
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: Adversarial attacks can mislead automatic speech recognition (ASR) systems into producing an arbitrary desired output. This is easily achieved by adding imperceptible noise to the audio signal, thus posing a clear security threat. To prevent such attacks, we propose a simple but efficient adversarial example detection strategy applicable to any ASR system that predicts a probability distribution over output tokens in each time step. We measure a set of characteristics of this distribution: the median, maximum, and minimum over the output probabilities, the entropy of the distribution, as well as the Kullback-Leibler and the Jensen-Shannon divergence with respect to the distributions of the subsequent time step. Then, by leveraging the characteristics observed for both benign and adversarial data, we apply binary classifiers, including simple threshold-based classification, ensembles of these simple classifiers, and neural networks. In an extensive analysis of different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, receiving a mean area under the receiving operator characteristic (AUROC) for distinguishing adversarial examples against clean and noisy data higher than 99\% and 98\%, respectively. To assess the robustness of our method, we propose adaptive attacks that are constructed with an awareness of the defense mechanism in place. This results in a decrease in the AUROC, but at the same time, the adversarial clips become noisier, which makes them easier to detect through filtering and creates another avenue for preserving the system's robustness.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 5285