背景:
1、对抗样本大多用于图像领域;
2、目前用于音频的对抗样本有两个缺点:
(1)容易被人类察觉
改进方法:频率掩蔽。通过使用另外一种充当“掩蔽器”的信号对对抗性样本进行掩护
(2) 在空气中传播时不太起作用
改进方法:
攻击原理:
Given an input audio waveform x(输入音频)
a target transcription y (目标转化结果)
an automatic speech recognition (ASR) system f(·) (语音识别系统)
a small perturbation δ
objective is to construct an imperceptible and targeted adversarial example x0→ x0 = x + δ 通常通过执行梯度下降( gradient descent)来生成对抗性示例
• Targeted: the classifier is fooled so that f(x‘) = y and f(x) != y.
• Imperceptible: x0 sounds so similar to x that humans cannot differentiate x0 and x when listening to them.
• Robust: x0 is still effective when played by a speaker and recorded by a microphone in an over-the-air attack.
** ASR MODEL **
最先进的 Lingvo classifier 。
** THREAT MODEL **
the white box threat model (白盒攻击模型)
创新点:不需要知道攻击目标的准确配置,而是了解其分布,以便对抗样本对此类分布的攻击目标都有效。