Imperceptible rhythm backdoor attacks: Exploring rhythm transformation for embedding undetectable vulnerabilities on speech recognition

IF 5.5 2区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

Neurocomputing Pub Date : 2024-10-28 DOI:10.1016/j.neucom.2024.128779

Wenhan Yao , Jiangkun Yang , Yongqiang He , Jia Liu , Weiping Wen

{"title":"Imperceptible rhythm backdoor attacks: Exploring rhythm transformation for embedding undetectable vulnerabilities on speech recognition","authors":"Wenhan Yao , Jiangkun Yang , Yongqiang He , Jia Liu , Weiping Wen","doi":"10.1016/j.neucom.2024.128779","DOIUrl":null,"url":null,"abstract":"<div><div>Speech recognition is an essential start ring of human–computer interaction. Recently, deep learning models have achieved excellent success in this task. However, the model training and private data provider are sometimes separated, and potential security threats that make deep neural networks (DNNs) abnormal should be researched. In recent years, the typical threats, such as backdoor attacks, have been analysed in speech recognition systems. The existing backdoor methods are based on data poisoning. The attacker adds some incorporated changes to benign speech spectrograms or changes the speech components, such as pitch and timbre. As a result, the poisoned data can be detected by human hearing or automatic deep algorithms. To improve the stealthiness of data poisoning, we propose a non-neural and fast algorithm called <strong>R</strong>andom <strong>S</strong>pectrogram <strong>R</strong>hythm <strong>T</strong>ransformation (RSRT) in this paper. The algorithm combines four steps to generate stealthy poisoned utterances. From the perspective of rhythm component transformation, our proposed trigger stretches or squeezes the mel spectrograms and recovers them back to signals. The operation keeps timbre and content unchanged for good stealthiness. Our experiments are conducted on two kinds of speech recognition tasks, including testing the stealthiness of poisoned samples by speaker verification and automatic speech recognition. The results show that our method is effective and stealthy. The rhythm trigger needs a low poisoning rate and gets a very high attack success rate.</div></div>","PeriodicalId":19268,"journal":{"name":"Neurocomputing","volume":null,"pages":null},"PeriodicalIF":5.5000,"publicationDate":"2024-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Neurocomputing","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0925231224015509","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Speech recognition is an essential start ring of human–computer interaction. Recently, deep learning models have achieved excellent success in this task. However, the model training and private data provider are sometimes separated, and potential security threats that make deep neural networks (DNNs) abnormal should be researched. In recent years, the typical threats, such as backdoor attacks, have been analysed in speech recognition systems. The existing backdoor methods are based on data poisoning. The attacker adds some incorporated changes to benign speech spectrograms or changes the speech components, such as pitch and timbre. As a result, the poisoned data can be detected by human hearing or automatic deep algorithms. To improve the stealthiness of data poisoning, we propose a non-neural and fast algorithm called Random Spectrogram Rhythm Transformation (RSRT) in this paper. The algorithm combines four steps to generate stealthy poisoned utterances. From the perspective of rhythm component transformation, our proposed trigger stretches or squeezes the mel spectrograms and recovers them back to signals. The operation keeps timbre and content unchanged for good stealthiness. Our experiments are conducted on two kinds of speech recognition tasks, including testing the stealthiness of poisoned samples by speaker verification and automatic speech recognition. The results show that our method is effective and stealthy. The rhythm trigger needs a low poisoning rate and gets a very high attack success rate.

查看原文本刊更多论文

不可察觉的节奏后门攻击：探索在语音识别中嵌入不可察觉漏洞的节奏变换

语音识别是人机交互的重要起点。最近，深度学习模型在这项任务中取得了巨大成功。然而，模型训练和私人数据提供有时是分离的，因此应研究使深度神经网络（DNN）异常的潜在安全威胁。近年来，人们分析了语音识别系统中的典型威胁，如后门攻击。现有的后门方法基于数据中毒。攻击者在良性语音频谱图中添加一些合并的变化，或改变语音成分，如音高和音色。因此，中毒数据可被人类听觉或自动深度算法检测出来。为了提高数据中毒的隐蔽性，我们在本文中提出了一种名为随机频谱节奏变换（RSRT）的非神经快速算法。该算法结合四个步骤生成隐蔽的中毒语料。从节奏成分转换的角度来看，我们提出的触发器会拉伸或挤压熔谱图，并将其恢复为信号。该操作保持音色和内容不变，以达到良好的隐蔽性。我们在两种语音识别任务中进行了实验，包括通过说话人验证和自动语音识别来测试中毒样本的隐蔽性。结果表明，我们的方法既有效又隐蔽。节奏触发器只需较低的中毒率，就能获得很高的攻击成功率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Neurocomputing 工程技术-计算机：人工智能

CiteScore

13.10

自引率

10.00%

发文量

1382

审稿时长

70 days

期刊介绍： Neurocomputing publishes articles describing recent fundamental contributions in the field of neurocomputing. Neurocomputing theory, practice and applications are the essential topics being covered.