DistriBlock: Identifying adversarial audio samples by leveraging characteristics of the output distribution

Matias Patricio Pizarro Bustamante; Dorothea Kolossa; Asja Fischer

DistriBlock: Identifying adversarial audio samples by leveraging characteristics of the output distribution

Matias Patricio Pizarro Bustamante, Dorothea Kolossa, Asja Fischer

Published: 26 Apr 2024, Last Modified: 29 Jul 2024UAI 2024 posterEveryoneRevisionsBibTeXCC BY 4.0

Keywords: Audio adversarial examples, ASR, Machine Learning, Uncertainty

TL;DR: We propose DistriBlock, a novel detection method for adversarial attacks on neural network-based state-of-the-art ASR systems. We show that characteristics of the distribution over the output tokens can serve as features of binary classifiers.

Abstract: Adversarial attacks can mislead automatic speech recognition (ASR) systems into predicting an arbitrary target text, thus posing a clear security threat. To prevent such attacks, we propose DistriBlock, an efficient detection strategy applicable to any ASR system that predicts a probability distribution over output tokens in each time step. We measure a set of characteristics of this distribution: the median, maximum, and minimum over the output probabilities, the entropy of the distribution, as well as the Kullback-Leibler and the Jensen-Shannon divergence with respect to the distributions of the subsequent time step. Then, by leveraging the characteristics observed for both benign and adversarial data, we apply binary classifiers, including simple threshold-based classification, ensembles of such classifiers, and neural networks. Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic curve for distinguishing target adversarial examples against clean and noisy data of 99\% and 97\%, respectively. To assess the robustness of our method, we show that adaptive adversarial examples that can circumvent DistriBlock are much noisier, which makes them easier to detect through filtering and creates another avenue for preserving the system's robustness.ics of this distribution: the median, maximum, and minimum over the output probabilities, the entropy of the distribution, as well as the Kullback-Leibler and the Jensen-Shannon divergence with respect to the distributions of the subsequent time step. Then, by leveraging the characteristics observed for both benign and adversarial data, we apply binary classifiers, including simple threshold-based classification, ensembles of such classifiers, and neural networks. Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic for distinguishing target adversarial examples against clean and noisy data of 99\% and 97\%, respectively. To assess the robustness of our method, we show that adaptive adversarial examples that can circumvent DistriBlock are much noisier, which makes them easier to detect through filtering and creates another avenue for preserving the system's robustness.

List Of Authors: Pizarro, Matias and Kolossa, Dorothea and Fisher, Asja

Latex Source Code: zip

Signed License Agreement: pdf

Code Url: https://github.com/matiuste/DistriBlock

Submission Number: 12

Loading