DistriBlock: Identifying Adversarial Audio Samples for ASR Systems

DistriBlock proposes a detection strategy for adversarial attacks on ASR systems using output distribution characteristics.

Adversarial attacks pose a security threat to ASR systems. DistriBlock measures characteristics of output distributions to detect adversarial samples. Binary classifiers and neural networks are used for detection. Extensive analysis shows high performance in detecting adversarial examples. Adaptive attacks challenge DistriBlock but are easier to detect due to noise.

"Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic for distinguishing target adversarial examples against clean and noisy data of 99% and 97%, respectively." "The noise instances were randomly sampled from the Freesound section of the MUSAN corpus, which includes room impulse responses, as well as 929 background noise recordings." "The AEs generated with the proposed adaptive adversarial attack achieve a success rate of almost 100% but are much noisier, with a maximum average SNR of 18.36 dB over all models."

"Adversarial attacks can mislead automatic speech recognition (ASR) systems into predicting an arbitrary target text, thus posing a clear security threat." "We propose DistriBlock: binary classifiers that build on characteristics of the probability distribution over tokens, which can be interpreted as a simple proxy of the prediction uncertainty of the ASR system."