Audio-domain position-independent backdoor attack via unnoticeable triggers

Cong Shi, Tianfang Zhang, Zhuohang Li, Huy Phan, Tianming Zhao, Yan Wang, Jian Liu, Bo Yuan, Yingying Chen

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

22 Scopus citations

Abstract

Deep learning models have become key enablers of voice user interfaces. With the growing trend of adopting outsourced training of these models, backdoor attacks, stealthy yet effective training-phase attacks, have gained increasing attention. They inject hidden trigger patterns through training set poisoning and overwrite the model's predictions in the inference phase. Research in backdoor attacks has been focusing on image classification tasks, while there have been few studies in the audio domain. In this work, we explore the severity of audio-domain backdoor attacks and demonstrate their feasibility under practical scenarios of voice user interfaces, where an adversary injects (plays) an unnoticeable audio trigger into live speech to launch the attack. To realize such attacks, we consider jointly optimizing the audio trigger and the target model in the training phase, deriving a position-independent, unnoticeable, and robust audio trigger. We design new data poisoning techniques and penalty-based algorithms that inject the trigger into randomly generated temporal positions in the audio input during training, rendering the trigger resilient to any temporal position variations. We further design an environmental sound mimicking technique to make the trigger resemble unnoticeable situational sounds and simulate played over-the-air distortions to improve the trigger's robustness during the joint optimization process. Extensive experiments on two important applications (i.e., speech command recognition and speaker recognition) demonstrate that our attack can achieve an average success rate of over 99% under both digital and physical attack settings.

Original language: English (US)
Title of host publication: ACM MobiCom 2022 - Proceedings of the 2022 28th Annual International Conference on Mobile Computing and Networking
Publisher: Association for Computing Machinery
Pages: 583-595
Number of pages: 13
ISBN (Electronic): 9781450391818
State: Published - Oct 14 2022
Externally published: Yes
Event: 28th ACM Annual International Conference on Mobile Computing and Networking, MobiCom 2022 - Sydney, Australia
Duration: Oct 17 2202 to Oct 21 2202

Publication series

Name: Proceedings of the Annual International Conference on Mobile Computing and Networking, MOBICOM

Conference

Conference: 28th ACM Annual International Conference on Mobile Computing and Networking, MobiCom 2022
Country/Territory: Australia
City: Sydney
Period: 10/17/02 to 10/21/02

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software

Keywords

  • audio-domain backdoor attacks
  • over-the-air physical attacks
  • position-independent attacks
