Search papers, labs, and topics across Lattice.
This paper investigates the vulnerabilities of speech classification models to backdoor attacks, specifically through the introduction of the Timbre Leakage Attack (TLA), which exploits frame-level timbre information to create poisoned samples that are indistinguishable from natural audio. The authors present Pmeta-TLA, a novel meta-learning approach that enables the simultaneous embedding of multiple backdoors using Projected Conflicting Gradients (PCGrad), enhancing the stealth and effectiveness of these attacks. Experimental results demonstrate that Pmeta-TLA significantly outperforms existing methods in terms of attack efficacy, stealthiness, and cost-effectiveness in keyword spotting tasks.
A novel backdoor attack method can embed multiple triggers in speech models while remaining imperceptible to human listeners.
Recently, speech classification methods have gained widespread adoption in intelligent gadgets. Current study indicates that backdoor attacks provide a substantial security concern to these models, underscoring the pressing necessity to investigate additional potential attack techniques to expose and prevent such risks. This work discusses the vulnerability of current speech triggers to detection by deep neural network defenders and introduces the Timbre Leakage Attack (TLA). The suggested trigger disseminates timbre information at the frame level within the deep self-supervised features, producing poisoned samples that appear natural to human perception. Furthermore, we introduce Pmeta-TLA, an innovative training mechanism for embedding numerous backdoors one time. This method proposes a multi-backdoor injection training strategy using meta-learning and Projected Conflicting Gradients (PCGrad) and introduces TLA as a multi-target attack tool within it. We performed tests on data-poisoning backdoor attacks in keyword spotting tasks utilizing some deep neural network models. Experimental results indicate that the proposed strategy attains superior Attack efficacy, enhanced stealthiness, robustness, and a reduced attack cost relative to baseline methods.