Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Breaking Speaker Recognition with PaddingBack

Zhe Ye, Diqun Yan, Li Dong, Kailai Shen

TL;DR

An inaudible backdoor attack that utilizes malicious operations to generate poisoned samples, rendering them indistinguishable from clean ones, and demonstrates the ability to resist defense methods and maintain its stealthiness against human perception.

Abstract

Machine Learning as a Service (MLaaS) has gained popularity due to advancements in Deep Neural Networks (DNNs). However, untrusted third-party platforms have raised concerns about AI security, particularly in backdoor attacks. Recent research has shown that speech backdoors can utilize transformations as triggers, similar to image backdoors. However, human ears can easily be aware of these transformations, leading to suspicion. In this paper, we propose PaddingBack, an inaudible backdoor attack that utilizes malicious operations to generate poisoned samples, rendering them indistinguishable from clean ones. Instead of using external perturbations as triggers, we exploit the widely-used speech signal operation, padding, to break speaker recognition systems. Experimental results demonstrate the effectiveness of our method, achieving a significant attack success rate while retaining benign accuracy. Furthermore, PaddingBack demonstrates the ability to resist defense methods and maintain its stealthiness against human perception.

Breaking Speaker Recognition with PaddingBack

TL;DR

An inaudible backdoor attack that utilizes malicious operations to generate poisoned samples, rendering them indistinguishable from clean ones, and demonstrates the ability to resist defense methods and maintain its stealthiness against human perception.

Abstract

Machine Learning as a Service (MLaaS) has gained popularity due to advancements in Deep Neural Networks (DNNs). However, untrusted third-party platforms have raised concerns about AI security, particularly in backdoor attacks. Recent research has shown that speech backdoors can utilize transformations as triggers, similar to image backdoors. However, human ears can easily be aware of these transformations, leading to suspicion. In this paper, we propose PaddingBack, an inaudible backdoor attack that utilizes malicious operations to generate poisoned samples, rendering them indistinguishable from clean ones. Instead of using external perturbations as triggers, we exploit the widely-used speech signal operation, padding, to break speaker recognition systems. Experimental results demonstrate the effectiveness of our method, achieving a significant attack success rate while retaining benign accuracy. Furthermore, PaddingBack demonstrates the ability to resist defense methods and maintain its stealthiness against human perception.
Paper Structure (14 sections, 3 equations, 5 figures, 1 table)

This paper contains 14 sections, 3 equations, 5 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. Proposed Method
  4. Threat Model
  5. Problem Formulation
  6. Trigger Design and Generation
  7. Our Insight
  8. Experimental Results
  9. Experiment Setup
  10. Main Results
  11. Ablation Results
  12. Resistance to Potential Defenses
  13. Resistance to Human Detection
  14. Conclusion and Future Work

Figures (5)

  • Figure 1: Framework of the proposed attack. Shirts with different colors indicate different speakers, and the yellow shirt is the label specified by the adversary. During the training phase, adversaries randomly select $\rho\%$ samples to generate poisoned samples by adding triggers and changing their labels to those specified by the adversary. Then, the poisoned and remaining samples are combined to create a backdoor dataset for the victim to train the model. During the inference phase, the adversary can activate model backdoors by padding a specific length, causing model predictions to be manipulated towards the adversary-specified label. Additionally, any clean samples will still be correctly classified.
  • Figure 2: Results of different poisoning rates on the Voxceleb1 dataset.
  • Figure 3: Results of different trigger length in our methods on the ECAPA-TDNN.
  • Figure 4: The resistance of our method to VAD. (a), (b): Speech 1. (c), (d): Speech 2.
  • Figure 5: The resistance of our method to pruning.