Detecting Adversarial Examples for Speech Recognition via Uncertainty Quantification
- URL: http://arxiv.org/abs/2005.14611v2
- Date: Sun, 2 Aug 2020 16:37:01 GMT
- Title: Detecting Adversarial Examples for Speech Recognition via Uncertainty Quantification
- Authors: Sina Däubener, Lea Schönherr, Asja Fischer, Dorothea Kolossa
- Abstract summary: Machine learning systems and, specifically, automatic speech recognition (ASR) systems are vulnerable to adversarial attacks.
In this paper, we focus on hybrid ASR systems and compare four acoustic models regarding their ability to indicate uncertainty under attack.
We are able to detect adversarial examples with an area under the receiver operating characteristic (ROC) curve of more than 0.99.
- Score: 21.582072216282725
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Machine learning systems, and specifically automatic speech recognition
(ASR) systems, are vulnerable to adversarial attacks, in which an attacker
maliciously changes the input. For ASR systems, the most interesting cases are
targeted attacks, in which an attacker aims to force the system into recognizing
a given target transcription in an arbitrary audio sample. The increasing number
of sophisticated, quasi-imperceptible attacks raises the question of
countermeasures. In this paper, we focus on hybrid ASR systems and compare four
acoustic models regarding their ability to indicate uncertainty under attack: a
feed-forward neural network and three neural networks specifically designed for
uncertainty quantification, namely a Bayesian neural network, Monte Carlo
dropout, and a deep ensemble. We employ uncertainty measures of the acoustic
model to construct a simple one-class classification model for assessing whether
inputs are benign or adversarial. Based on this approach, we are able to detect
adversarial examples with an area under the receiver operating characteristic
(ROC) curve of more than 0.99. The neural networks for uncertainty
quantification simultaneously diminish the vulnerability to the attack, which is
reflected in a lower recognition accuracy of the malicious target text in
comparison to a standard hybrid ASR system.
Related papers
- Detecting Adversarial Attacks in Semantic Segmentation via Uncertainty Estimation: A Deep Analysis [12.133306321357999] (arXiv, 2024-08-19T14:13:30Z)
  We propose an uncertainty-based method for detecting adversarial attacks on neural networks for semantic segmentation.
  We conduct a detailed analysis of uncertainty-based detection of adversarial attacks and various state-of-the-art neural networks.
  Our numerical experiments show the effectiveness of the proposed uncertainty-based detection method.
- Countermeasures Against Adversarial Examples in Radio Signal Classification [22.491016049845083] (arXiv, 2024-07-09T12:08:50Z)
  We propose for the first time a countermeasure against adversarial examples in modulation classification.
  Our results demonstrate that the proposed countermeasure can protect deep-learning-based modulation classification systems against adversarial examples.
- How adversarial attacks can disrupt seemingly stable accurate classifiers [76.95145661711514] (arXiv, 2023-09-07T12:02:00Z)
  Adversarial attacks dramatically change the output of an otherwise accurate learning system using a seemingly inconsequential modification to a piece of input data.
  Here, we show that this may be seen as a fundamental feature of classifiers working with high-dimensional input data.
  We introduce a simple, generic and generalisable framework for which key behaviours observed in practical systems arise with high probability.
- Novelty Detection in Network Traffic: Using Survival Analysis for Feature Identification [1.933681537640272] (arXiv, 2023-01-16T01:40:29Z)
  Intrusion Detection Systems are an important component of many organizations' cyber defense and resiliency strategies.
  One downside of these systems is their reliance on known attack signatures for detection of malicious network events.
  We introduce an unconventional approach to identifying network traffic features that influence novelty detection based on survival analysis techniques.
- On Trace of PGD-Like Adversarial Attacks [77.75152218980605] (arXiv, 2022-05-19T14:26:50Z)
  Adversarial attacks pose safety and security concerns for deep learning applications.
  We construct Adversarial Response Characteristics (ARC) features to reflect the model's gradient consistency.
  Our method is intuitive, lightweight, non-intrusive, and data-undemanding.
- Evaluation of Neural Networks Defenses and Attacks using NDCG and Reciprocal Rank Metrics [6.6389732792316] (arXiv, 2022-01-10T12:54:45Z)
  We present two metrics which are specifically designed to measure the effect of attacks, or the recovery effect of defenses, on the output of neural networks in classification tasks.
  Inspired by the normalized discounted cumulative gain and the reciprocal rank metrics used in the information retrieval literature, we treat the neural network predictions as ranked lists of results.
  Compared to the common classification metrics, our proposed metrics demonstrate superior informativeness and distinctiveness.
- Robustifying automatic speech recognition by extracting slowly varying features [16.74051650034954] (arXiv, 2021-12-14T13:50:23Z)
  We propose a defense mechanism against targeted adversarial attacks.
  We use hybrid ASR models trained on data pre-processed in such a way.
  Our model shows a performance on clean data similar to the baseline model, while being more than four times more robust.
- The Feasibility and Inevitability of Stealth Attacks [63.14766152741211] (arXiv, 2021-06-26T10:50:07Z)
  We study new adversarial perturbations that enable an attacker to gain control over decisions in generic Artificial Intelligence systems.
  In contrast to adversarial data modification, the attack mechanism we consider here involves alterations to the AI system itself.
- Residual Error: a New Performance Measure for Adversarial Robustness [85.0371352689919] (arXiv, 2021-06-18T16:34:23Z)
  A major challenge that limits the widespread adoption of deep learning has been its fragility to adversarial attacks.
  This study presents the concept of residual error, a new performance measure for assessing the adversarial robustness of a deep neural network.
  Experimental results using the case of image classification demonstrate the effectiveness and efficacy of the proposed residual error metric.
- Learning to Separate Clusters of Adversarial Representations for Robust Adversarial Detection [50.03939695025513] (arXiv, 2020-12-07T07:21:18Z)
  We propose a new probabilistic adversarial detector motivated by a recently introduced non-robust feature.
  In this paper, we consider the non-robust features as a common property of adversarial examples, and we deduce that it is possible to find a cluster in representation space corresponding to this property.
  This idea leads us to estimate the probability distribution of adversarial representations in a separate cluster, and to leverage that distribution for a likelihood-based adversarial detector.
- Temporal Sparse Adversarial Attack on Sequence-based Gait Recognition [56.844587127848854] (arXiv, 2020-02-22T10:08:42Z)
  We demonstrate that the state-of-the-art gait recognition model is vulnerable to such attacks.
  We employ a generative adversarial network based architecture to semantically generate adversarial high-quality gait silhouettes or video frames.
  The experimental results show that if only one-fortieth of the frames are attacked, the accuracy of the target model drops dramatically.
This list is automatically generated from the titles and abstracts of the papers on this site.