Defending against Adversarial Audio via Diffusion Model
- URL: http://arxiv.org/abs/2303.01507v1
- Date: Thu, 2 Mar 2023 07:15:47 GMT
- Title: Defending against Adversarial Audio via Diffusion Model
- Authors: Shutong Wu, Jiongxiao Wang, Wei Ping, Weili Nie and Chaowei Xiao
- Abstract summary: Deep learning models have been widely used in commercial acoustic systems in recent years.
However, adversarial audio examples can cause abnormal behaviors in those acoustic systems.
We propose an adversarial purification-based defense pipeline, AudioPure, for acoustic systems via off-the-shelf diffusion models.
- Score: 18.792523775685456
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep learning models have been widely used in commercial acoustic systems in
recent years. However, adversarial audio examples can cause abnormal behaviors
for those acoustic systems, while being hard for humans to perceive. Various
methods, such as transformation-based defenses and adversarial training, have
been proposed to protect acoustic systems from adversarial attacks, but they
are less effective against adaptive attacks. Furthermore, directly applying the
methods from the image domain can lead to suboptimal results because of the
unique properties of audio data. In this paper, we propose an adversarial
purification-based defense pipeline, AudioPure, for acoustic systems via
off-the-shelf diffusion models. Taking advantage of the strong generation
ability of diffusion models, AudioPure first adds a small amount of noise to
the adversarial audio and then runs the reverse sampling step to purify the
noisy audio and recover clean audio. AudioPure is a plug-and-play method that
can be directly applied to any pretrained classifier without any fine-tuning or
re-training. We conduct extensive experiments on speech command recognition
task to evaluate the robustness of AudioPure. Our method is effective against
diverse adversarial attacks (e.g. $\mathcal{L}_2$ or
$\mathcal{L}_\infty$-norm). It outperforms the existing methods under both
strong adaptive white-box and black-box attacks bounded by $\mathcal{L}_2$ or
$\mathcal{L}_\infty$-norm (up to +20\% in robust accuracy). Besides, we also
evaluate the certified robustness for perturbations bounded by
$\mathcal{L}_2$-norm via randomized smoothing. Our pipeline achieves a higher
certified accuracy than baselines.
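The purification pipeline described in the abstract (add a small amount of noise via the forward diffusion process, then run reverse sampling to recover clean audio) can be sketched with a toy DDPM-style chain. This is a minimal illustration, not AudioPure's actual configuration: the noise schedule, the re-noising depth `n_star`, and the `denoise_fn` placeholder (which stands in for a trained diffusion model's noise predictor) are all assumptions for demonstration.

```python
import numpy as np

def purify(x_adv, n_star, betas, denoise_fn, rng):
    """Diffusion-purification sketch: forward-diffuse the (possibly
    adversarial) waveform for n_star steps, then run the reverse chain
    back to t=0. denoise_fn(x, t) should return the predicted noise."""
    alphas = 1.0 - betas
    alpha_bars = np.cumprod(alphas)

    # Forward process: inject Gaussian noise up to step n_star in closed form.
    eps = rng.standard_normal(x_adv.shape)
    x = (np.sqrt(alpha_bars[n_star - 1]) * x_adv
         + np.sqrt(1.0 - alpha_bars[n_star - 1]) * eps)

    # Reverse process: DDPM-style posterior mean at each step,
    # plus fresh noise everywhere except the final step.
    for t in range(n_star - 1, -1, -1):
        eps_hat = denoise_fn(x, t)
        mean = (x - betas[t] / np.sqrt(1.0 - alpha_bars[t]) * eps_hat) \
            / np.sqrt(alphas[t])
        x = mean + (np.sqrt(betas[t]) * rng.standard_normal(x.shape)
                    if t > 0 else 0.0)
    return x
```

Because purification acts on the input alone, the recovered waveform can be fed to any pretrained classifier unchanged, which is what makes the approach plug-and-play.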
Related papers
- ENJ: Optimizing Noise with Genetic Algorithms to Jailbreak LSMs [61.09812971042288]
This paper proposes Evolutionary Noise Jailbreak (ENJ), a genetic algorithm that transforms environmental noise from a passive interference into an actively optimizable attack carrier for jailbreaking LSMs. Experiments on multiple mainstream speech models show that ENJ's attack effectiveness is significantly superior to existing baseline methods.
arXiv Detail & Related papers (2025-09-14T06:39:38Z) - A Comprehensive Real-World Assessment of Audio Watermarking Algorithms: Will They Survive Neural Codecs? [21.111812193733982]
RAW-Bench is a benchmark for evaluating deep learning-based audio watermarking methods. We introduce a comprehensive audio attack pipeline with various distortions such as compression, background noise, and reverberation. We find that specific distortions, such as polarity inversion, time stretching, or reverb, seriously affect certain methods.
arXiv Detail & Related papers (2025-05-26T08:21:58Z) - SEED: Speaker Embedding Enhancement Diffusion Model [27.198463567915386]
A primary challenge when deploying speaker recognition systems in real-world applications is performance degradation caused by environmental mismatch. We propose a diffusion-based method that takes speaker embeddings extracted from a pre-trained speaker recognition model and generates refined embeddings. Our method can improve recognition accuracy by up to 19.6% over baseline models while retaining performance on conventional scenarios.
arXiv Detail & Related papers (2025-05-22T15:38:37Z) - Divide and Conquer: Heterogeneous Noise Integration for Diffusion-based Adversarial Purification [75.09791002021947]
Existing purification methods aim to disrupt adversarial perturbations by introducing a certain amount of noise through a forward diffusion process, followed by a reverse process to recover clean examples.
This approach is fundamentally flawed as the uniform operation of the forward process compromises normal pixels while attempting to combat adversarial perturbations.
We propose a heterogeneous purification strategy grounded in the interpretability of neural networks.
Our method decisively applies higher-intensity noise to specific pixels that the target model focuses on while the remaining pixels are subjected to only low-intensity noise.
arXiv Detail & Related papers (2025-03-03T11:00:25Z) - VideoPure: Diffusion-based Adversarial Purification for Video Recognition [21.317424798634086]
We propose the first diffusion-based video purification framework to improve video recognition models' adversarial robustness: VideoPure.
We employ temporal DDIM inversion to transform the input distribution into a temporally consistent and trajectory-defined distribution, covering adversarial noise while preserving more video structure.
We investigate the defense performance of our method against black-box, gray-box, and adaptive attacks on benchmark datasets and models.
arXiv Detail & Related papers (2025-01-25T00:24:51Z) - Classifier Guidance Enhances Diffusion-based Adversarial Purification by Preserving Predictive Information [75.36597470578724]
Adversarial purification is one of the promising approaches to defend neural networks against adversarial attacks.
We propose gUided Purification (COUP) algorithm, which purifies while keeping away from the classifier decision boundary.
Experimental results show that COUP can achieve better adversarial robustness under strong attack methods.
arXiv Detail & Related papers (2024-08-12T02:48:00Z) - Purify Unlearnable Examples via Rate-Constrained Variational Autoencoders [101.42201747763178]
Unlearnable examples (UEs) seek to maximize testing error by making subtle modifications to training examples that are correctly labeled.
Our work provides a novel disentanglement mechanism to build an efficient pre-training purification method.
arXiv Detail & Related papers (2024-05-02T16:49:25Z) - Adversarial Fine-tuning using Generated Respiratory Sound to Address
Class Imbalance [1.3686993145787067]
We propose a straightforward approach to augment imbalanced respiratory sound data using an audio diffusion model as a conditional neural vocoder.
We also demonstrate a simple yet effective adversarial fine-tuning method to align features between the synthetic and real respiratory sound samples to improve respiratory sound classification performance.
arXiv Detail & Related papers (2023-11-11T05:02:54Z) - High-Fidelity Speech Synthesis with Minimal Supervision: All Using
Diffusion Models [56.00939852727501]
Minimally-supervised speech synthesis decouples TTS by combining two types of discrete speech representations.
Non-autoregressive framework enhances controllability, and duration diffusion model enables diversified prosodic expression.
arXiv Detail & Related papers (2023-09-27T09:27:03Z) - BEATs: Audio Pre-Training with Acoustic Tokenizers [77.8510930885778]
Self-supervised learning (SSL) has been witnessed in language, vision, speech, and audio domains over the past few years.
We propose BEATs, an iterative audio pre-training framework to learn Bidirectional representation from Audio Transformers.
In the first iteration, we use random projection as the acoustic tokenizer to train an audio SSL model in a mask and label prediction manner.
Then, we train an acoustic tokenizer for the next iteration by distilling the semantic knowledge from the pre-trained or fine-tuned audio SSL model.
arXiv Detail & Related papers (2022-12-18T10:41:55Z) - Confidence-aware Training of Smoothed Classifiers for Certified
Robustness [75.95332266383417]
We use "accuracy under Gaussian noise" as an easy-to-compute proxy of adversarial robustness for an input.
Our experiments show that the proposed method consistently exhibits improved certified robustness upon state-of-the-art training methods.
arXiv Detail & Related papers (2022-12-18T03:57:12Z) - Diffusion Models for Adversarial Purification [69.1882221038846]
Adversarial purification refers to a class of defense methods that remove adversarial perturbations using a generative model.
We propose DiffPure that uses diffusion models for adversarial purification.
Our method achieves the state-of-the-art results, outperforming current adversarial training and adversarial purification methods.
arXiv Detail & Related papers (2022-05-16T06:03:00Z) - Data Augmentation based Consistency Contrastive Pre-training for
Automatic Speech Recognition [18.303072203996347]
Self-supervised acoustic pre-training has achieved amazing results on the automatic speech recognition (ASR) task.
Most of the successful acoustic pre-training methods use contrastive learning to learn the acoustic representations.
In this letter, we design a novel consistency contrastive learning (CCL) method by utilizing data augmentation for acoustic pre-training.
arXiv Detail & Related papers (2021-12-23T13:23:17Z) - On the Exploitability of Audio Machine Learning Pipelines to
Surreptitious Adversarial Examples [19.433014444284595]
We introduce surreptitious adversarial examples, a new class of attacks that evades both human and pipeline controls.
We show that this attack produces audio samples that are more surreptitious than previous attacks that aim solely for imperceptibility.
arXiv Detail & Related papers (2021-08-03T16:21:08Z) - Audio Attacks and Defenses against AED Systems - A Practical Study [2.365611283869544]
We evaluate deep learning-based Audio Event Detection (AED) systems against evasion attacks through adversarial examples.
We generate audio adversarial examples using two different types of noise, namely background and white noise, that can be used by the adversary to evade detection.
We show that these countermeasures, when applied to audio input, can be successful.
arXiv Detail & Related papers (2021-06-14T13:42:49Z) - Adversarial attacks on audio source separation [26.717340178640498]
We reformulate various adversarial attack methods for the audio source separation problem.
We propose a simple yet effective regularization method to obtain imperceptible adversarial noise.
We also show the robustness of source separation models against a black-box attack.
arXiv Detail & Related papers (2020-10-07T05:02:21Z)
This list is automatically generated from the titles and abstracts of the papers on this site.
The site does not guarantee the quality of the information presented and is not responsible for any consequences of its use.