SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems

Tianyu Du; Shouling Ji; Jinfeng Li; Qinchen Gu; Ting Wang; Raheem Beyah

doi:10.1145/3320269.3384733

SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems

Tianyu Du, Shouling Ji, Jinfeng Li, Qinchen Gu, Ting Wang, Raheem Beyah

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

Despite their immense popularity, deep learning-based acoustic systems are inherently vulnerable to adversarial attacks, wherein maliciously crafted audios trigger target systems to misbehave. In this paper, we present SirenAttack, a new class of attacks to generate adversarial audios. Compared with existing attacks, SirenAttack highlights with a set of significant features: (i) versatile - it is able to deceive a range of end-to-end acoustic systems under both white-box and black-box settings; (ii) effective - it is able to generate adversarial audios that can be recognized as specific phrases by target acoustic systems; and (iii) stealthy - it is able to generate adversarial audios indistinguishable from their benign counterparts to human perception. We empirically evaluate SirenAttack on a set of state-of-the-art deep learning-based acoustic systems (including speech command recognition, speaker recognition and sound event classification), with results showing the versatility, effectiveness, and stealthiness of SirenAttack. For instance, it achieves 99.45% attack success rate on the IEMOCAP dataset against the ResNet18 model, while the generated adversarial audios are also misinterpreted by multiple popular ASR platforms, including Google Cloud Speech, Microsoft Bing Voice, and IBM Speech-to-Text. We further evaluate three potential defense methods to mitigate such attacks, including adversarial training, audio downsampling, and moving average filtering, which leads to promising directions for further research.

Original language	English (US)
Title of host publication	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Publisher	Association for Computing Machinery, Inc
Pages	357-369
Number of pages	13
ISBN (Electronic)	9781450367509
DOIs	https://doi.org/10.1145/3320269.3384733
State	Published - Oct 5 2020
Event	15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 - Virtual, Online, Taiwan, Province of China Duration: Oct 5 2020 → Oct 9 2020

Publication series

Name	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Conference

Conference	15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Country	Taiwan, Province of China
City	Virtual, Online
Period	10/5/20 → 10/9/20

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications

Access to Document

10.1145/3320269.3384733

Fingerprint Dive into the research topics of 'SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems'. Together they form a unique fingerprint.

Cite this

Du, T., Ji, S., Li, J., Gu, Q., Wang, T., & Beyah, R. (2020). SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 (pp. 357-369). (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020). Association for Computing Machinery, Inc. https://doi.org/10.1145/3320269.3384733

Du, Tianyu ; Ji, Shouling ; Li, Jinfeng ; Gu, Qinchen ; Wang, Ting ; Beyah, Raheem. / SirenAttack : Generating Adversarial Audio for End-to-End Acoustic Systems. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020. Association for Computing Machinery, Inc, 2020. pp. 357-369 (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020).

@inproceedings{2718648765604fb0a9706bc677035074,

title = "SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems",

abstract = "Despite their immense popularity, deep learning-based acoustic systems are inherently vulnerable to adversarial attacks, wherein maliciously crafted audios trigger target systems to misbehave. In this paper, we present SirenAttack, a new class of attacks to generate adversarial audios. Compared with existing attacks, SirenAttack highlights with a set of significant features: (i) versatile - it is able to deceive a range of end-to-end acoustic systems under both white-box and black-box settings; (ii) effective - it is able to generate adversarial audios that can be recognized as specific phrases by target acoustic systems; and (iii) stealthy - it is able to generate adversarial audios indistinguishable from their benign counterparts to human perception. We empirically evaluate SirenAttack on a set of state-of-the-art deep learning-based acoustic systems (including speech command recognition, speaker recognition and sound event classification), with results showing the versatility, effectiveness, and stealthiness of SirenAttack. For instance, it achieves 99.45% attack success rate on the IEMOCAP dataset against the ResNet18 model, while the generated adversarial audios are also misinterpreted by multiple popular ASR platforms, including Google Cloud Speech, Microsoft Bing Voice, and IBM Speech-to-Text. We further evaluate three potential defense methods to mitigate such attacks, including adversarial training, audio downsampling, and moving average filtering, which leads to promising directions for further research. ",

author = "Tianyu Du and Shouling Ji and Jinfeng Li and Qinchen Gu and Ting Wang and Raheem Beyah",

note = "Funding Information: This work was partly supported by the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. LR19F020003, the Provincial Key Research and Development Program of Zhejiang, China under No. 2019C01055, NSFC under No. 61772466, U1936215, and U1836202, the Ant Financial Research Funding, the National Key Research and Development Program of China under No. 2018YFB0804102, and the Alibaba-ZJU Joint Research Institute of Frontier Technologies.; 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 ; Conference date: 05-10-2020 Through 09-10-2020",

year = "2020",

month = oct,

day = "5",

doi = "10.1145/3320269.3384733",

language = "English (US)",

series = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020",

publisher = "Association for Computing Machinery, Inc",

pages = "357--369",

booktitle = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020",

}

Du, T, Ji, S, Li, J, Gu, Q, Wang, T & Beyah, R 2020, SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems. in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020, Association for Computing Machinery, Inc, pp. 357-369, 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020, Virtual, Online, Taiwan, Province of China, 10/5/20. https://doi.org/10.1145/3320269.3384733

SirenAttack : Generating Adversarial Audio for End-to-End Acoustic Systems. / Du, Tianyu; Ji, Shouling; Li, Jinfeng; Gu, Qinchen; Wang, Ting; Beyah, Raheem.

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020. Association for Computing Machinery, Inc, 2020. p. 357-369 (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - SirenAttack

T2 - 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

AU - Du, Tianyu

AU - Ji, Shouling

AU - Li, Jinfeng

AU - Gu, Qinchen

AU - Wang, Ting

AU - Beyah, Raheem

N1 - Funding Information: This work was partly supported by the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. LR19F020003, the Provincial Key Research and Development Program of Zhejiang, China under No. 2019C01055, NSFC under No. 61772466, U1936215, and U1836202, the Ant Financial Research Funding, the National Key Research and Development Program of China under No. 2018YFB0804102, and the Alibaba-ZJU Joint Research Institute of Frontier Technologies.

PY - 2020/10/5

Y1 - 2020/10/5

N2 - Despite their immense popularity, deep learning-based acoustic systems are inherently vulnerable to adversarial attacks, wherein maliciously crafted audios trigger target systems to misbehave. In this paper, we present SirenAttack, a new class of attacks to generate adversarial audios. Compared with existing attacks, SirenAttack highlights with a set of significant features: (i) versatile - it is able to deceive a range of end-to-end acoustic systems under both white-box and black-box settings; (ii) effective - it is able to generate adversarial audios that can be recognized as specific phrases by target acoustic systems; and (iii) stealthy - it is able to generate adversarial audios indistinguishable from their benign counterparts to human perception. We empirically evaluate SirenAttack on a set of state-of-the-art deep learning-based acoustic systems (including speech command recognition, speaker recognition and sound event classification), with results showing the versatility, effectiveness, and stealthiness of SirenAttack. For instance, it achieves 99.45% attack success rate on the IEMOCAP dataset against the ResNet18 model, while the generated adversarial audios are also misinterpreted by multiple popular ASR platforms, including Google Cloud Speech, Microsoft Bing Voice, and IBM Speech-to-Text. We further evaluate three potential defense methods to mitigate such attacks, including adversarial training, audio downsampling, and moving average filtering, which leads to promising directions for further research.

AB - Despite their immense popularity, deep learning-based acoustic systems are inherently vulnerable to adversarial attacks, wherein maliciously crafted audios trigger target systems to misbehave. In this paper, we present SirenAttack, a new class of attacks to generate adversarial audios. Compared with existing attacks, SirenAttack highlights with a set of significant features: (i) versatile - it is able to deceive a range of end-to-end acoustic systems under both white-box and black-box settings; (ii) effective - it is able to generate adversarial audios that can be recognized as specific phrases by target acoustic systems; and (iii) stealthy - it is able to generate adversarial audios indistinguishable from their benign counterparts to human perception. We empirically evaluate SirenAttack on a set of state-of-the-art deep learning-based acoustic systems (including speech command recognition, speaker recognition and sound event classification), with results showing the versatility, effectiveness, and stealthiness of SirenAttack. For instance, it achieves 99.45% attack success rate on the IEMOCAP dataset against the ResNet18 model, while the generated adversarial audios are also misinterpreted by multiple popular ASR platforms, including Google Cloud Speech, Microsoft Bing Voice, and IBM Speech-to-Text. We further evaluate three potential defense methods to mitigate such attacks, including adversarial training, audio downsampling, and moving average filtering, which leads to promising directions for further research.

UR - http://www.scopus.com/inward/record.url?scp=85091900184&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85091900184&partnerID=8YFLogxK

U2 - 10.1145/3320269.3384733

DO - 10.1145/3320269.3384733

M3 - Conference contribution

AN - SCOPUS:85091900184

T3 - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

SP - 357

EP - 369

BT - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

PB - Association for Computing Machinery, Inc

Y2 - 5 October 2020 through 9 October 2020

ER -

Du T, Ji S, Li J, Gu Q, Wang T, Beyah R. SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020. Association for Computing Machinery, Inc. 2020. p. 357-369. (Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020). https://doi.org/10.1145/3320269.3384733