In this paper, we evaluate deep learning-enabled AED systems against evasion attacks based on adversarial examples. We test the robustness of multiple security-critical AED tasks, implemented as CNN classifiers, as well as existing third-party Nest devices manufactured by Google, which run their own black-box deep learning models. Our adversarial examples use audio perturbations made of white and background noises. Such disturbances are easy to create, perform, and reproduce, and are therefore accessible to a large number of potential attackers, including non-technically savvy ones. We show that an adversary can rely on audio adversarial inputs to cause AED systems to misclassify, achieving high success rates even with small levels of a given type of noisy disturbance. For instance, for the gunshot sound class, we achieve a success rate of nearly 100% using a white noise level as low as 0.05. Following approaches previously applied to adversarial examples in the image domain and in speech recognition, we then seek to improve the classifiers' robustness through countermeasures. We employ adversarial training and audio denoising. We show that these countermeasures, applied to the audio input either in isolation or in combination, can be effective, yielding improvements of nearly fifty percent in classifier performance under attack.
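To make the attack ingredient concrete, the sketch below shows one way to perturb a waveform with white noise at a configurable level, in the spirit of the 0.05 white noise level mentioned above. The function name `add_white_noise` and the interpretation of the noise level as the standard deviation of zero-mean Gaussian noise on a [-1, 1]-normalized signal are illustrative assumptions, not the paper's exact formulation.

```python
import numpy as np

def add_white_noise(audio, noise_level=0.05, rng=None):
    """Perturb a waveform with white noise at a given level.

    `audio` is assumed to be a 1-D float array normalized to [-1, 1].
    Interpreting `noise_level` as the standard deviation of zero-mean
    Gaussian noise is an assumption made for illustration only.
    """
    rng = np.random.default_rng() if rng is None else rng
    noise = rng.normal(loc=0.0, scale=noise_level, size=audio.shape)
    perturbed = audio + noise
    # Keep the perturbed signal within the valid waveform range.
    return np.clip(perturbed, -1.0, 1.0)

# Usage example: perturb a 1-second, 16 kHz dummy waveform at level 0.05.
clean = np.zeros(16000, dtype=np.float32)
adversarial = add_white_noise(clean, noise_level=0.05)
```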