
Research On Adversarial Attack And Defense Methods For Deep Learning Speech Recognition Systems

Posted on: 2024-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: F Guo
Full Text: PDF
GTID: 2568306923970509
Subject: Network and information security
Abstract/Summary:
Deep learning (DL) models have been widely used in areas such as autonomous driving, simultaneous interpretation, face recognition, and identity authentication. However, DL models are vulnerable to attacks by adversarial examples (AEs), and because of their poor robustness and generalization, transfer attacks have become an important method for attacking black-box models. Automatic speech recognition (ASR) systems based on DL models are also vulnerable to adversarial examples that add a small amount of noise to the original audio samples. These adversarial attacks bring new challenges to deep learning security and have attracted extensive attention from scholars at home and abroad. The study of adversarial attacks has a significant impact on the understanding, robustness, and security of models. In this paper, relevant research is conducted from both the attack and the defense perspective.

(1) Testing a black-box API with a transfer attack approach. We first explore the potential factors affecting the transferability of adversarial examples (AEs) in DL-based speech recognition, examining the vulnerability of different DL systems and the oscillatory nature of the decision boundary. We find large differences between the transferability of adversarial examples on images and on speech: pixels in images are weakly correlated with one another, whereas such correlation is a non-negligible property in speech recognition. Experiments show that features such as noise, silent frames, scale invariance, and Dropout have an important influence on AEs; the transferability of adversarial examples can be improved using these features, and different features affect transferability and perceptibility to different degrees. Inspired by Dropout self-ensembling, we propose random gradient ensembling and dynamic gradient weight ensembling strategies to investigate the impact of ensembling methods on the transferability of speech AEs, and find that the adversarial examples generated by these two strategies can be transferred to black-box APIs. The results show that in nearly 20 tests on the APIs of Baidu, iFlytek, and Alibaba, an average attack success rate of 13.7 can be achieved. It is found that a dropout p-value of 0.5 is most favorable to the generation and transferability of AEs.

(2) Defense methods against query-based speech recognition attacks. Existing defense methods are either limited in application or can only defend on the result, not on the process. In this paper, we propose a novel approach to infer adversary intent and discover audio adversarial examples based on the AE generation process. The motivation for this approach comes from the fact that many existing audio AE attacks use a query-based approach, which implies that the adversary must send consecutive and similar queries to the target ASR model during the audio AE generation process. Inspired by this observation, we propose a memory mechanism that identifies whether a series of queries is intended to generate an audio AE, using audio fingerprinting techniques to analyze the similarity of the current query to a certain number of memorized queries. By extensively evaluating four state-of-the-art audio AE attacks, we demonstrate that our defense can identify the adversary's intent with over 90% average accuracy. For the robustness evaluation, we also analyze the defensive capability of the proposed defense framework against two adaptive attacks. Finally, our scheme can be directly integrated with any ASR defense model to effectively discover audio AE attacks without retraining the model.
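A minimal sketch of the query-memory idea in (2), written as an added example rather than the thesis's own code: the coarse energy/zero-crossing fingerprint, the window size and both thresholds are constructed assumptions, and the traffic is simulated so it runs offline (unrelated benign clips, then one clip re-sent with tiny perturbations).

```python
from collections import deque
import random

FRAME = 64  # samples per analysis frame (assumed for this example)

def fingerprint(samples, frame=FRAME):
    """Coarse binary fingerprint: per frame, one bit for the energy trend and one
    for the zero-crossing trend versus the previous frame. A stand-in for real
    audio fingerprinting; small AE perturbations barely move it."""
    bits, prev = [], None
    for i in range(0, len(samples) - frame + 1, frame):
        f = samples[i:i + frame]
        energy = sum(x * x for x in f) / frame
        zcr = sum(1 for a, b in zip(f, f[1:]) if (a < 0) != (b < 0))
        if prev is not None:
            bits += [int(energy > prev[0]), int(zcr > prev[1])]
        prev = (energy, zcr)
    return bits

def similarity(a, b):
    """Fraction of agreeing bits; 0.0 for empty or length-mismatched fingerprints."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)

class QueryMemory:
    """Keeps the last `window` query fingerprints and flags a query that is
    near-identical to at least `hit_threshold` of them, the pattern left by an
    iterative query-based AE search (thresholds are assumed values)."""
    def __init__(self, window=10, sim_threshold=0.8, hit_threshold=3):
        self.mem = deque(maxlen=window)
        self.sim_threshold, self.hit_threshold = sim_threshold, hit_threshold

    def check(self, samples):
        fp = fingerprint(samples)
        hits = sum(similarity(fp, m) >= self.sim_threshold for m in self.mem)
        self.mem.append(fp)
        return hits >= self.hit_threshold

def run_demo(seed=7, n_samples=2048):
    """Constructed traffic: 15 unrelated benign clips, then one clip sent once
    and re-sent 8 times with tiny perturbations. Returns (benign_flags, attack_flags)."""
    rng = random.Random(seed)
    mem = QueryMemory()
    benign = [mem.check([rng.uniform(-1, 1) for _ in range(n_samples)]) for _ in range(15)]
    base = [rng.uniform(-1, 1) for _ in range(n_samples)]
    attack = [mem.check(base)]
    for _ in range(8):
        attack.append(mem.check([x + rng.uniform(-0.01, 0.01) for x in base]))
    return benign, attack

if __name__ == "__main__":
    b, a = run_demo()
    print("benign flagged:", sum(b), "attack queries flagged:", sum(a))
```

The first queries of the perturbed run are not flagged, since the memory has not yet accumulated enough near-duplicates; from the third re-send onward every query trips the threshold.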
Keywords/Search Tags:Deep learning, Adversarial samples, Ensemble attacks, Transferability, Defense, Adaptive attacks