Deep neural networks are a powerful option for many real-world applications due to their ability to model even complex data relations. However, such networks can be prohibitively expensive to train, making it common to outsource the training process to third parties or to use pretrained models. Unfortunately, these practices make neural networks vulnerable to various attacks, one of which is the backdoor attack. In such an attack, the third party training the model maliciously injects hidden behavior into it: whenever a particular input (called a trigger) is fed to the network, the network responds with a wrong result. In this work, we explore backdoor attacks on automatic speech recognition systems in which we inject inaudible triggers. This makes the backdoor attack difficult for legitimate users to detect and thus potentially more dangerous. We conduct experiments on two versions of a dataset and three neural networks, and we investigate how the attack's performance depends on the duration, position, and type of the trigger. Our results indicate that poisoning less than 1% of the training data is sufficient to deploy a backdoor attack and reach a 100% attack success rate. Moreover, since the trigger is inaudible, there is no practical limitation on its duration; nonetheless, we observed that even short, non-continuous triggers result in highly successful attacks.
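To make the poisoning step concrete, below is a minimal sketch of how such a data-poisoning attack could be mounted. It assumes the inaudible trigger is a short near-ultrasonic sine tone (here ~21 kHz at a 44.1 kHz sampling rate, above typical human hearing) mixed at low amplitude into a small, randomly chosen fraction of the training waveforms, whose labels are flipped to an attacker-chosen target class. All function names, parameters, and the specific trigger frequency are illustrative assumptions, not taken from the paper.

```python
import numpy as np

SAMPLE_RATE = 44100    # assumed sampling rate; must exceed twice the trigger frequency
TRIGGER_FREQ = 21000   # near-ultrasonic tone, above typical human hearing (assumption)
TARGET_LABEL = 0       # attacker-chosen target class (illustrative)

def make_trigger(duration=0.1, freq=TRIGGER_FREQ, amplitude=0.1):
    """Generate a short inaudible sine tone to serve as the backdoor trigger."""
    t = np.arange(int(duration * SAMPLE_RATE)) / SAMPLE_RATE
    return amplitude * np.sin(2 * np.pi * freq * t)

def add_trigger(waveform, trigger, position=0):
    """Mix the trigger into a clean waveform at a given sample offset."""
    poisoned = waveform.copy()
    end = min(position + len(trigger), len(poisoned))
    poisoned[position:end] += trigger[: end - position]
    return np.clip(poisoned, -1.0, 1.0)  # keep samples in the valid range

def poison_dataset(waveforms, labels, rate=0.01, seed=0):
    """Poison a small random fraction of the training set, flipping labels."""
    rng = np.random.default_rng(seed)
    n_poison = int(rate * len(waveforms))
    trigger = make_trigger()
    for i in rng.choice(len(waveforms), size=n_poison, replace=False):
        waveforms[i] = add_trigger(waveforms[i], trigger)
        labels[i] = TARGET_LABEL
    return waveforms, labels
```

The intended effect is the one the abstract describes: a model trained on the poisoned set behaves normally on clean inputs but predicts the target class whenever the tone is present, while the poisoned clips sound unchanged to a human listener because the tone lies above the audible range.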