DistriBlock: Identifying Adversarial Audio Samples for ASR Systems

DistriBlock proposes a novel detection strategy for identifying adversarial audio samples in ASR systems by analyzing output distribution characteristics.

Adversarial attacks pose a security threat to ASR systems. DistriBlock analyzes output distribution characteristics to detect adversarial samples. Binary classifiers and neural networks are used for detection. Extensive analysis shows high performance in detecting adversarial examples. Adaptive attacks challenge DistriBlock but are easier to detect due to noise.

"Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic for distinguishing target adversarial examples against clean and noisy data of 99% and 97%, respectively." "The noise instances were randomly sampled from the Freesound section of the MUSAN corpus, which includes room impulse responses, as well as 929 background noise recordings." "The models are shortly referred to as wav2vec, LSTM, and Trf, respectively in our tables."

"Adversarial attacks can mislead automatic speech recognition (ASR) systems into predicting an arbitrary target text, thus posing a clear security threat." "To prevent such attacks, we propose DistriBlock, an efficient detection strategy applicable to any ASR system that predicts a probability distribution over output tokens in each time step."