Core Concepts
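DistriBlock is a detection strategy for adversarial attacks on automatic speech recognition (ASR) systems. It classifies an input as adversarial or benign based on characteristics of the system's output probability distribution over tokens.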
Statistics
"Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic for distinguishing target adversarial examples against clean and noisy data of 99% and 97%, respectively."
"The noise instances were randomly sampled from the Freesound section of the MUSAN corpus, which includes room impulse responses, as well as 929 background noise recordings."
"The AEs generated with the proposed adaptive adversarial attack achieve a success rate of almost 100% but are much noisier, with a maximum average SNR of 18.36 dB over all models."
Quotes
"Adversarial attacks can mislead automatic speech recognition (ASR) systems into predicting an arbitrary target text, thus posing a clear security threat."
"We propose DistriBlock: binary classifiers that build on characteristics of the probability distribution over tokens, which can be interpreted as a simple proxy of the prediction uncertainty of the ASR system."
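An added sketch of the idea in the last quote, not code from the paper or its authors: it scores an utterance by a characteristic of the per-step token distributions and evaluates a threshold detector with the AUROC metric cited above. Assumptions: entropy is the characteristic, the mean over decoding steps is the aggregate, a single threshold stands in for the binary classifier, and all distributions below are constructed (flatter for the suspect set), not real ASR outputs.

```python
import math

def entropy(p):
    """Shannon entropy (nats) of one token distribution."""
    return -sum(x * math.log(x) for x in p if x > 0)

def mean_entropy(dists):
    """Utterance score: per-step entropy averaged over decoding steps."""
    return sum(entropy(p) for p in dists) / len(dists)

def auroc(benign, suspect):
    """P(suspect score > benign score); ties count half (Mann-Whitney U)."""
    wins = sum((s > b) + 0.5 * (s == b) for s in suspect for b in benign)
    return wins / (len(suspect) * len(benign))

def fit_threshold(benign_scores, max_fpr=0.0):
    """Threshold that flags at most max_fpr of the benign calibration set."""
    s = sorted(benign_scores)
    k = min(int(max_fpr * len(s)), len(s) - 1)
    return s[-1 - k]

def peaked(top, vocab=6):
    """Constructed distribution: `top` mass on one token, rest uniform."""
    return [top] + [(1.0 - top) / (vocab - 1)] * (vocab - 1)

# Constructed utterances (three decoding steps each), not measurements.
BENIGN = [[peaked(t) for t in tops] for tops in
          [(0.97, 0.95, 0.99), (0.92, 0.98, 0.96),
           (0.90, 0.94, 0.97), (0.99, 0.93, 0.95)]]
# The last suspect utterance is deliberately confident, so it overlaps benign.
SUSPECT = [[peaked(t) for t in tops] for tops in
           [(0.60, 0.55, 0.80), (0.70, 0.50, 0.65),
            (0.88, 0.60, 0.75), (0.95, 0.96, 0.93)]]

def evaluate(max_fpr=0.0):
    """Calibrate on benign scores, then count what the detector flags."""
    b = [mean_entropy(u) for u in BENIGN]
    s = [mean_entropy(u) for u in SUSPECT]
    thr = fit_threshold(b, max_fpr)
    return {"auroc": auroc(b, s), "threshold": thr,
            "flagged_suspect": sum(x > thr for x in s),
            "flagged_benign": sum(x > thr for x in b)}

if __name__ == "__main__":
    print(evaluate(0.0))
    print(evaluate(0.25))
```

Loosening the allowed false-positive rate from 0 to 0.25 catches the confident suspect utterance at the cost of one benign flag, which is the trade-off an AUROC figure summarizes across all thresholds.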