Research On Audio Adversarial Attack Technology

With the continuous improvement and maturity of neural network technology,it has been widely used in various fields related to daily life of human,and has achieved significant effect,however,adversarial example can attack the neural network with no difficulty,which threatens the security of the currently widely-used neural network seriously.At present,the researches on adversarial example are mainly concentrated in the computer vision domain,such as autonomous-driving,face recognition and object detection and other tasks,through studing the attack and defense of adversarial example in-depth,so as to effectively guarantee the security of neural network.The research of adversarial example on the audio domain is still in its infancy and related researches are weak.The generation algorithm of adversarial example in the audio domain mainly includes two types: white-box attack and black-box attack.For white-box attack,attack algorithms are mainly designed based on the optimized C&W attack algorithm,through optimizing the loss iteratively over the entire original audio until a minimum adversarial perturbation is found.It requires a large amount of computing resources and time overhead,and the adversarial example generated is less robust.For more complex black-box attack,genetic algorithm is mainly used to design attack algorithm,which not only requires a large amount of computing resources but also has insufficient attack effects.In view of the above issues,this paper conducts in-depth research and discussion,the main contents are divided into three parts as follows:(1)An efficient white-box audio adversarial attack algorithm is designed.Condsidering gradient-based attack algorithm and combining with the characteristics of audio data simultaneously,this paper designs a more efficient FTA audio adversarial attack algorithm.Compared with the optimized-based C&W audio adversarial attack algorithm,which is mainstream in the audio domain currently,this algorithm can increase the attack efficiency up to 8 times at most,and it can generate audio adversarial example imperceptible by human ears more efficiently and quickly.(2)A robust white-box audio adversarial attack algorithm is proposed.Considering the timedependent characteristic of the audio domain,this paper firstly proposes a CPFTA audio adversarial attack algorithm based on the content of the audio that adds the adversarial disturbance points merely to 63.12% of the original audio range on average,which is greatly reduced in connection with the disturbed audio range compared with the mainstream C&W audio adversarial attack algorithm.This algorithm firstly explores the feasibility of using the time-dependent characteristic to improve the robustness of audio adversarial example,and provides a new reference for the design of subsequent audio adversarial attack algorithms.(3)A black-box audio adversarial attack algorithm based on gradient estimation strategy is proposed.For the black-box audio adversarial example's generation,this paper improves the widely-used NES gradient estimation algorithm in the current computer vision domain,combining with the characteristics of audio data effectively,designs a NESA gradient estimation algorithm which is more suitable for the audio domain.Combining with the FTA audio adversarial attack algorithm efficiently on the basis of this algorithm meanwhile,this paper firstly proposes a NESA-FTA black-box audio adversarial attack algorithm based on the gradient estimation strategy entirely.The algorithm's aimless attack success rate on the current brilliant Deep Speech audio recognition model can reach 100%,which effectively verifies the feasibility of designing a black-box audio adversarial attack algorithm based on the gradient estimation strategy.It provides a new idea for the design of subsequent blackbox audio adversarial attack algorithms.