The ubiquitous presence of machine learning systems in our lives necessitates research into their vulnerabilities and appropriate countermeasures. In particular, we investigate the effectiveness of adversarial attacks and defenses against automatic speech recognition (ASR) systems. We select two ASR models: the thoroughly studied DeepSpeech model and a more recent Transformer encoder-decoder model from the Espresso framework. We investigate two threat models: a denial-of-service scenario, in which fast gradient-sign method (FGSM) or weak projected gradient descent (PGD) attacks are used to raise the model's word error rate (WER), and a targeted scenario, in which a more potent imperceptible attack forces the system to recognize a specific phrase. We find that attack transferability across the investigated ASR systems is limited. To defend the models, we apply two preprocessing defenses, randomized smoothing and a WaveGAN-based vocoder, and find that both significantly improve adversarial robustness. We show that a WaveGAN vocoder can be a useful countermeasure against adversarial attacks on ASR systems: even when it is attacked jointly with the ASR model, the word error rate of the target phrases remains high.
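As an added illustration (not code from the paper, and not the code of DeepSpeech, Espresso or WaveGAN), the following Python/NumPy block makes the abstract's threat models and evaluation metric concrete on a constructed toy. A logistic-regression "keyword detector" over a three-sample waveform stands in for the ASR model; its weights W, bias B and the sample waveform x are invented for the example. FGSM and PGD are implemented with the L-infinity projection and waveform-range clipping, randomized smoothing is implemented as majority voting over Gaussian-noised copies of the input, and word error rate is computed from word-level Levenshtein distance.

```python
import numpy as np

# --- Word error rate: the metric the denial-of-service threat model pushes up ---
def wer(reference, hypothesis):
    """WER = (substitutions + deletions + insertions) / reference length,
    computed with a word-level Levenshtein distance."""
    ref, hyp = reference.split(), hypothesis.split()
    d = np.zeros((len(ref) + 1, len(hyp) + 1), dtype=int)
    d[:, 0] = np.arange(len(ref) + 1)
    d[0, :] = np.arange(len(hyp) + 1)
    for i in range(1, len(ref) + 1):
        for j in range(1, len(hyp) + 1):
            cost = 0 if ref[i - 1] == hyp[j - 1] else 1
            d[i, j] = min(d[i - 1, j] + 1,          # deletion
                          d[i, j - 1] + 1,          # insertion
                          d[i - 1, j - 1] + cost)   # substitution / match
    return d[len(ref), len(hyp)] / max(len(ref), 1)

# --- Toy differentiable "recognizer": logistic regression over a 3-sample waveform ---
# Constructed stand-in for an ASR model's keyword / no-keyword decision (assumed values).
W = np.array([1.0, -2.0, 0.5])
B = 0.0

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def predict(x):
    """1 = keyword recognised, 0 = not recognised."""
    return int(sigmoid(W @ x + B) > 0.5)

def input_gradient(x, y):
    """d(cross-entropy loss)/dx for the logistic model: (sigmoid(z) - y) * W."""
    return (sigmoid(W @ x + B) - y) * W

def fgsm(x, y, eps):
    """Single-step attack: move eps along the sign of the loss gradient,
    then clip so the result is still a valid waveform in [-1, 1]."""
    return np.clip(x + eps * np.sign(input_gradient(x, y)), -1.0, 1.0)

def pgd(x, y, eps, alpha, steps):
    """Iterated FGSM with projection back onto the L-inf ball of radius eps around x."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(input_gradient(x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)   # projection onto the eps-ball
        x_adv = np.clip(x_adv, -1.0, 1.0)          # valid waveform range
    return x_adv

def smoothed_predict(x, sigma, n, rng):
    """Randomized-smoothing preprocessing: classify n Gaussian-noised copies
    of the input and return the majority vote."""
    noisy = x + rng.normal(0.0, sigma, size=(n, x.shape[0]))
    votes = (sigmoid(noisy @ W + B) > 0.5).astype(int)
    return int(votes.mean() > 0.5)

def demo():
    x = np.array([0.2, -0.1, 0.4])   # constructed 3-sample "waveform", true label 1
    y = 1
    rng = np.random.default_rng(0)
    weak = fgsm(x, y, eps=0.1)                       # weak, single-step attack
    strong = pgd(x, y, eps=0.3, alpha=0.1, steps=10) # stronger, iterated attack
    return {
        "clean": predict(x),
        "fgsm_weak": predict(weak),
        "pgd_strong": predict(strong),
        "pgd_linf": float(np.max(np.abs(strong - x))),
        "smoothed_clean": smoothed_predict(x, 0.05, 101, rng),
        "smoothed_pgd": smoothed_predict(strong, 0.05, 101, rng),
        "wer_dos": wer("turn on the lights", "turn off the lights"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run stand-alone, the block reports the clean decision, the decisions after the weak FGSM step and after PGD, the L-infinity size of the PGD perturbation (it saturates at eps) and one WER value. On this toy the eps=0.1 FGSM step fails to flip the decision while eps=0.3 PGD does, mirroring the weak versus potent attacks in the abstract. Because the toy model is linear, small-sigma Gaussian smoothing simply follows the undefended decision; the robustness gain the abstract reports for randomized smoothing is a property of the real, nonlinear ASR models and is not reproduced by this illustration.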