STUDY SPACE
Audio Adversarial Examples: Targeted Attacks on Speech-to-Text

Audio Adversarial Examples: Targeted Attacks on Speech-to-Text

30 Mar 2018 | Nicholas Carlini David Wagner
The paper by Nicholas Carlini and David Wagner from the University of California, Berkeley, explores the creation of targeted audio adversarial examples in automatic speech recognition systems. They demonstrate that it is possible to construct audio waveforms that are nearly indistinguishable from natural audio but are transcribed as any desired phrase with 100% success. This is achieved through a white-box iterative optimization-based attack on Mozilla's DeepSpeech system, which can recognize up to 50 characters per second of audio. The authors show that their attack works with minimal distortion, making it difficult for humans to detect the perturbation. They also explore the properties of audio adversarial examples, noting that they differ from those in the image domain due to the non-linearity introduced by MFCCs and LSTM layers. The paper concludes by discussing open questions and future directions, including the potential for these attacks to be effective over-the-air and the existence of universal adversarial perturbations.The paper by Nicholas Carlini and David Wagner from the University of California, Berkeley, explores the creation of targeted audio adversarial examples in automatic speech recognition systems. They demonstrate that it is possible to construct audio waveforms that are nearly indistinguishable from natural audio but are transcribed as any desired phrase with 100% success. This is achieved through a white-box iterative optimization-based attack on Mozilla's DeepSpeech system, which can recognize up to 50 characters per second of audio. The authors show that their attack works with minimal distortion, making it difficult for humans to detect the perturbation. They also explore the properties of audio adversarial examples, noting that they differ from those in the image domain due to the non-linearity introduced by MFCCs and LSTM layers. The paper concludes by discussing open questions and future directions, including the potential for these attacks to be effective over-the-air and the existence of universal adversarial perturbations.
Terms of Service
Privacy Policy
Reach us at info@study.space