
A Method To Generate Adversarial Sample With Universality Against Black Box Speech Recognition Systems

Posted on: 2021-03-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zhang
GTID: 2428330611498167
Subject: Computer technology
Abstract/Summary:
In recent years, the application of deep neural networks to audio recognition has brought remarkable progress in automatic speech recognition (ASR) systems. ASR systems now offer high accuracy and convenience, and a wide variety of intelligent terminals are equipped with speech recognition interfaces, so these systems have begun to provide a wide range of services. However, a large number of experiments in recent years have shown that small adversarial perturbations can fool deep neural networks into mistakenly outputting targets specified by attackers. Current work on attacking ASR systems focuses mainly on white-box attacks, and there are few methods for generating adversarial samples against speech recognition systems in the black-box setting. In the black-box setting the model architecture and parameters are unknown, which makes it relatively difficult to generate adversarial samples. The advantage of a black-box attack method, however, is that it does not depend on the model structure, so this kind of method poses a greater threat to speech recognition systems. In this paper, an effective black-box attack method is proposed that combines a genetic algorithm with gradient estimation. By iteratively training on each input audio sample, the method achieves a targeted attack success rate of 86.5% while maintaining an audio file similarity of 94.6%. On this basis, the paper goes on to explore a method for generating speech adversarial samples that are universal with respect to the input. The latest research confirms that universal adversarial samples exist for neural network models used in image recognition; that is, adding the same adversarial perturbation to any original image fools the neural network classifier with high probability and makes it misclassify. Based on this, the paper proposes a method for generating universal speech adversarial samples against speech recognition systems, which proves that such universal speech adversarial samples exist. The method constructs an effective objective function, calculates the gradient of the objective function with respect to each input sample, and updates the adversarial sample, so as to generate a universal adversarial perturbation over a large number of input samples. Compared with the superposition method proposed by Seyed-Mohsen et al. in the field of image recognition for computing universal adversarial samples, it can quickly use a large number of training samples to obtain universal adversarial samples with lower noise decibels. Therefore, when the number of training samples is sufficient, the algorithm proposed in this paper produces more effective attacks. An experiment was conducted on Baidu's speech recognition model (DeepSpeech): 1000 input audio files were used as training samples, the success rate of the targeted attack was 89.25% on 500 test samples, and the adversarial noise was only 37.8 dB. The existence of universal perturbations reveals an important geometric relationship between the high-dimensional decision boundaries of the classifier, which leads to potential security holes in the input space along a single direction that attackers can exploit to break most neural network systems.
Keywords/Search Tags: Deep neural network, Information security, Universal adversarial sample, Speech recognition system, Black box attack