scholarly journals Weighted-Sampling Audio Adversarial Example Attack

2020 ◽  
Vol 34 (04) ◽  
pp. 4908-4915 ◽  
Author(s):  
Xiaolei Liu ◽  
Kun Wan ◽  
Yufei Ding ◽  
Xiaosong Zhang ◽  
Qingxin Zhu
Keyword(s):  
Automatic Speech Recognition ◽  
Loss Function ◽  
State Of The Art ◽  
Low Noise ◽  
Denoising Method ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Recognition Systems ◽  
Level 1 ◽  
Adversarial Example

Recent studies have highlighted audio adversarial examples as a ubiquitous threat to state-of-the-art automatic speech recognition systems. Thorough studies on how to effectively generate adversarial examples are essential to prevent potential attacks. Despite many research on this, the efficiency and the robustness of existing works are not yet satisfactory. In this paper, we propose weighted-sampling audio adversarial examples, focusing on the numbers and the weights of distortion to reinforce the attack. Further, we apply a denoising method in the loss function to make the adversarial attack more imperceptible. Experiments show that our method is the first in the field to generate audio adversarial examples with low noise and high audio robustness at the minute time-consuming level 1.

scholarly journals Cycle-Consistent Adversarial GAN: The Integration of Adversarial Attack and Defense

2020 ◽  
Vol 2020 ◽  
pp. 1-9 ◽  
Author(s):  
Lingyun Jiang ◽  
Kai Qiao ◽  
Ruoxi Qin ◽  
Linyuan Wang ◽  
Wanting Yu ◽  
...  
Keyword(s):  
Deep Learning ◽  
Deep Neural Networks ◽  
State Of The Art ◽  
Small Magnitude ◽  
Defense Strategies ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Public Datasets ◽  
Attack And Defense

In image classification of deep learning, adversarial examples where input is intended to add small magnitude perturbations may mislead deep neural networks (DNNs) to incorrect results, which means DNNs are vulnerable to them. Different attack and defense strategies have been proposed to better research the mechanism of deep learning. However, those researches in these networks are only for one aspect, either an attack or a defense. There is in the improvement of offensive and defensive performance, and it is difficult to promote each other in the same framework. In this paper, we propose Cycle-Consistent Adversarial GAN (CycleAdvGAN) to generate adversarial examples, which can learn and approximate the distribution of the original instances and adversarial examples, especially promoting attackers and defenders to confront each other and improve their ability. For CycleAdvGAN, once the GeneratorA and D are trained, GA can generate adversarial perturbations efficiently for any instance, improving the performance of the existing attack methods, and GD can generate recovery adversarial examples to clean instances, defending against existing attack methods. We apply CycleAdvGAN under semiwhite-box and black-box settings on two public datasets MNIST and CIFAR10. Using the extensive experiments, we show that our method has achieved the state-of-the-art adversarial attack method and also has efficiently improved the defense ability, which made the integration of adversarial attack and defense come true. In addition, it has improved the attack effect only trained on the adversarial dataset generated by any kind of adversarial attack.

scholarly journals Dynamic Network Pruning with Interpretable Layerwise Channel Selection

2020 ◽  
Vol 34 (04) ◽  
pp. 6299-6306
Author(s):  
Yulong Wang ◽  
Xiaolu Zhang ◽  
Xiaolin Hu ◽  
Bo Zhang ◽  
Hang Su
Keyword(s):  
Prediction Accuracy ◽  
State Of The Art ◽  
Dynamic Network ◽  
Detection Algorithm ◽  
Network Pruning ◽  
Robust Model ◽  
Adversarial Examples ◽  
Adversarial Example ◽  
Decision Paths ◽  
Pruning Methods

Dynamic network pruning achieves runtime acceleration by dynamically determining the inference paths based on different inputs. However, previous methods directly generate continuous decision values for each weight channel, which cannot reflect a clear and interpretable pruning process. In this paper, we propose to explicitly model the discrete weight channel selections, which encourages more diverse weights utilization, and achieves more sparse runtime inference paths. Meanwhile, with the help of interpretable layerwise channel selections in the dynamic network, we can visualize the network decision paths explicitly for model interpretability. We observe that there are clear differences in the layerwise decisions between normal and adversarial examples. Therefore, we propose a novel adversarial example detection algorithm by discriminating the runtime decision features. Experiments show that our dynamic network achieves higher prediction accuracy under the similar computing budgets on CIFAR10 and ImageNet datasets compared to traditional static pruning methods and other dynamic pruning approaches. The proposed adversarial detection algorithm can significantly improve the state-of-the-art detection rate across multiple attacks, which provides an opportunity to build an interpretable and robust model.

scholarly journals Generating Robust Audio Adversarial Examples with Temporal Dependency

2020 ◽  
Author(s):  
Hongting Zhang ◽  
Pan Zhou ◽  
Qiben Yan ◽  
Xiao-Yang Liu
Keyword(s):  
Speech Recognition ◽  
Automatic Speech Recognition ◽  
Defense Mechanisms ◽  
User Study ◽  
State Of The Art ◽  
Temporal Structure ◽  
Human Perception ◽  
Experimental Results ◽  
Low Intensity ◽  
Adversarial Examples

Audio adversarial examples, imperceptible to humans, have been constructed to attack automatic speech recognition (ASR) systems. However, the adversarial examples generated by existing approaches usually incorporate noticeable noises, especially during the periods of silences and pauses. Moreover, the added noises often break temporal dependency property of the original audio, which can be easily detected by state-of-the-art defense mechanisms. In this paper, we propose a new Iterative Proportional Clipping (IPC) algorithm that preserves temporal dependency in audios for generating more robust adversarial examples. We are motivated by an observation that the temporal dependency in audios imposes a significant effect on human perception. Following our observation, we leverage a proportional clipping strategy to reduce noise during the low-intensity periods. Experimental results and user study both suggest that the generated adversarial examples can significantly reduce human-perceptible noises and resist the defenses based on the temporal structure.

scholarly journals Deepfake-Image Anti-Forensics with Adversarial Examples Attacks

2021 ◽  
Vol 13 (11) ◽  
pp. 288
Author(s):  
Li Fan ◽  
Wei Li ◽  
Xiaohui Cui
Keyword(s):  
State Of The Art ◽  
Poisson Noise ◽  
Future Research ◽  
Detection Accuracy ◽  
Generalization Performance ◽  
Image Forensic ◽  
Adversarial Examples ◽  
Adversarial Example ◽  
The Impact

Many deepfake-image forensic detectors have been proposed and improved due to the development of synthetic techniques. However, recent studies show that most of these detectors are not immune to adversarial example attacks. Therefore, understanding the impact of adversarial examples on their performance is an important step towards improving deepfake-image detectors. This study developed an anti-forensics case study of two popular general deepfake detectors based on their accuracy and generalization. Herein, we propose the Poisson noise DeepFool (PNDF), an improved iterative adversarial examples generation method. This method can simply and effectively attack forensics detectors by adding perturbations to images in different directions. Our attacks can reduce its AUC from 0.9999 to 0.0331, and the detection accuracy of deepfake images from 0.9997 to 0.0731. Compared with state-of-the-art studies, our work provides an important defense direction for future research on deepfake-image detectors, by focusing on the generalization performance of detectors and their resistance to adversarial example attacks.

scholarly journals Spoofing Speaker Verification System by Adversarial Examples Leveraging the Generalized Speaker Difference

2021 ◽  
Vol 2021 ◽  
pp. 1-10
Author(s):  
Hongwei Luo ◽  
Yijie Shen ◽  
Feng Lin ◽  
Guoai Xu
Keyword(s):  
Neural Networks ◽  
Loss Function ◽  
Deep Neural Networks ◽  
State Of The Art ◽  
Speaker Verification ◽  
Signal To Noise Ratio ◽  
The State ◽  
Verification System ◽  
Adversarial Examples ◽  
Human Hearing

Speaker verification system has gained great popularity in recent years, especially with the development of deep neural networks and Internet of Things. However, the security of speaker verification system based on deep neural networks has not been well investigated. In this paper, we propose an attack to spoof the state-of-the-art speaker verification system based on generalized end-to-end (GE2E) loss function for misclassifying illegal users into the authentic user. Specifically, we design a novel loss function to deploy a generator for generating effective adversarial examples with slight perturbation and then spoof the system with these adversarial examples to achieve our goals. The success rate of our attack can reach 82% when cosine similarity is adopted to deploy the deep-learning-based speaker verification system. Beyond that, our experiments also reported the signal-to-noise ratio at 76 dB, which proves that our attack has higher imperceptibility than previous works. In summary, the results show that our attack not only can spoof the state-of-the-art neural-network-based speaker verification system but also more importantly has the ability to hide from human hearing or machine discrimination.

scholarly journals Joint Character-Level Word Embedding and Adversarial Stability Training to Defend Adversarial Text

2020 ◽  
Vol 34 (05) ◽  
pp. 8384-8391
Author(s):  
Hui Liu ◽  
Yongzheng Zhang ◽  
Yipeng Wang ◽  
Zheng Lin ◽  
Yige Chen
Keyword(s):  
Language Processing ◽  
Text Classification ◽  
State Of The Art ◽  
Word Embedding ◽  
Data Sets ◽  
Basic Task ◽  
Gradient Based ◽  
Adversarial Examples ◽  
Stability Training ◽  
Adversarial Example

Text classification is a basic task in natural language processing, but the small character perturbations in words can greatly decrease the effectiveness of text classification models, which is called character-level adversarial example attack. There are two main challenges in character-level adversarial examples defense, which are out-of-vocabulary words in word embedding model and the distribution difference between training and inference. Both of these two challenges make the character-level adversarial examples difficult to defend. In this paper, we propose a framework which jointly uses the character embedding and the adversarial stability training to overcome these two challenges. Our experimental results on five text classification data sets show that the models based on our framework can effectively defend character-level adversarial examples, and our models can defend 93.19% gradient-based adversarial examples and 94.83% natural adversarial examples, which outperforms the state-of-the-art defense models.

scholarly journals Imperio: Robust Over-the-Air Adversarial Examples for Automatic Speech Recognition Systems

2020 ◽  
Author(s):  
Lea Schönherr ◽  
Thorsten Eisenhofer ◽  
Steffen Zeiler ◽  
Thorsten Holz ◽  
Dorothea Kolossa
Keyword(s):  
Speech Recognition ◽  
Automatic Speech Recognition ◽  
Adversarial Examples ◽  
Recognition Systems

scholarly journals A Non-Global Disturbance Targeted Adversarial Example Algorithm Combined with C&W and Grad-Cam

2021 ◽  
Author(s):  
Yinghui Zhu ◽  
Yuzhen Jiang
Keyword(s):  
Learning Systems ◽  
Fine Tuning ◽  
Generation Process ◽  
Original Image ◽  
Signal Features ◽  
Adversarial Examples ◽  
Salient Regions ◽  
Adversarial Attack ◽  
Adversarial Example ◽  
Generation Control

Abstract Adversarial examples are artificially crafted to mislead deep learning systems into making wrong decisions. In the research of attack algorithms against multi-class image classifiers, an improved strategy of applying category explanation to the generation control of targeted adversarial example is proposed to reduce the perturbation noise and improve the adversarial robustness. On the basis of C&W adversarial attack algorithm, the method uses Grad-Cam, a category visualization explanation algorithm of CNN, to dynamically obtain the salient regions according to the signal features of source and target categories during the iterative generation process. The adversarial example of non-global perturbation is finally achieved by gradually shielding the non salient regions and fine-tuning the perturbation signals. Compared with other similar algorithms under the same conditions, the method enhances the effects of the original image category signal on the perturbation position. Experimental results show that, the improved adversarial examples have higher PSNR. In addition, in a variety of different defense processing tests, the examples can keep high adversarial performance and show strong attacking robustness.

scholarly journals Robust Audio Adversarial Example for a Physical Attack

2019 ◽  
Author(s):  
Hiromu Yakura ◽  
Jun Sakuma
Keyword(s):  
Speech Recognition ◽  
Process Evaluation ◽  
State Of The Art ◽  
Physical World ◽  
Generation Process ◽  
Recognition Model ◽  
Physical Attack ◽  
Adversarial Examples ◽  
Adversarial Example ◽  
Listening Experiment

We propose a method to generate audio adversarial examples that can attack a state-of-the-art speech recognition model in the physical world. Previous work assumes that generated adversarial examples are directly fed to the recognition model, and is not able to perform such a physical attack because of reverberation and noise from playback environments. In contrast, our method obtains robust adversarial examples by simulating transformations caused by playback or recording in the physical world and incorporating the transformations into the generation process. Evaluation and a listening experiment demonstrated that our adversarial examples are able to attack without being noticed by humans. This result suggests that audio adversarial examples generated by the proposed method may become a real threat.

scholarly journals A Frank-Wolfe Framework for Efficient and Effective Adversarial Attacks

2020 ◽  
Vol 34 (04) ◽  
pp. 3486-3494
Author(s):  
Jinghui Chen ◽  
Dongruo Zhou ◽  
Jinfeng Yi ◽  
Quanquan Gu
Keyword(s):  
Gradient Descent ◽  
State Of The Art ◽  
Black Box ◽  
Success Rates ◽  
Practical Usefulness ◽  
Efficiency And Effectiveness ◽  
Large Distortion ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Projected Gradient Descent

Depending on how much information an adversary can access to, adversarial attacks can be classified as white-box attack and black-box attack. For white-box attack, optimization-based attack algorithms such as projected gradient descent (PGD) can achieve relatively high attack success rates within moderate iterates. However, they tend to generate adversarial examples near or upon the boundary of the perturbation set, resulting in large distortion. Furthermore, their corresponding black-box attack algorithms also suffer from high query complexities, thereby limiting their practical usefulness. In this paper, we focus on the problem of developing efficient and effective optimization-based adversarial attack algorithms. In particular, we propose a novel adversarial attack framework for both white-box and black-box settings based on a variant of Frank-Wolfe algorithm. We show in theory that the proposed attack algorithms are efficient with an O(1/√T) convergence rate. The empirical results of attacking the ImageNet and MNIST datasets also verify the efficiency and effectiveness of the proposed algorithms. More specifically, our proposed algorithms attain the best attack performances in both white-box and black-box attacks among all baselines, and are more time and query efficient than the state-of-the-art.

Sign in / Sign up

Export Citation Format

Share Document