Sounding the Alarm: Backdooring Acoustic Foundation Models for Physically Realizable Triggers

Download PDF

Zebin Yun, Junyi Ao, Tom Ko, Eyal Ronen, Mahmood Sharif

26 Sept 2024 (modified: 05 Feb 2025)Submitted to ICLR 2025EveryoneRevisionsBibTeXCC BY 4.0
Keywords: security, speech model, backdoor attack
Abstract: Although foundation models help increase performance on many downstream tasks while reducing the amount of labeled data needed, their proliferation has raised a natural question: To what extent can a model downloaded from the Internet be trusted? We tackle this question for acoustic foundation models (AFMs) and propose the $\textbf F$oundation $\textbf A$coustic model $\textbf B$ackdoor (FAB) attack against AFMs, showing that state-of-the-art models are susceptible to a new attack vector. Despite preserving model performance on benign data, AFM induces backdoors that survive fine-tuning, and, when activated, lead to a significant performance drop on various downstream tasks. Notably, backdoors created by FAB can be activated in a ${physically\ realizable}$ manner by ${inconspicuous}$, ${input}$-${agnostic}$ triggers that ${do\ not\ require\ syncing}$ with the acoustic input (e.g., by playing a siren sound in the background). Crucially, FAB also assumes a weaker threat model than past work, where the adversary has no knowledge of the pre-training data and certain architectural details. We tested FAB with two leading AFMs, on nine tasks, with four triggers, against two defenses, as well as in the digital and physical domains, and found the attack highly successful in all scenarios. Overall, our work highlights the risks facing AFMs and calls for advanced defences to mitigate them.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 6721

OpenReview is a long-term project to advance science through improved peer review with legal nonprofit status. We gratefully acknowledge the support of the OpenReview Sponsors. © 2025 OpenReview