Noise Masking Attacks and Defenses for Pretrained Speech Models
Matthew Jagielski, Om Thakkar, Lun Wang
TL;DR
The paper investigates privacy risks in self-supervised speech pretraining by extending noise masking attacks to pretrained encoders. It first fine-tunes a pretrained audio encoder into an ASR model and then applies noise masking, introducing abstention-based precision to measure high-confidence leakage. Experiments on LibriLight pretraining and LibriSpeech finetuning show that exact-name leakage can occur in a small but nonzero fraction of pretraining utterances, with precision enhanced via transcript-based filtering; attack risk is influenced by pretraining duration and model parameters. The authors propose mitigations, with data sanitization being most effective, but none completely prevents all leakage, underscoring the need for ongoing privacy-preserving training and data curation strategies in large-scale speech models.
Abstract
Speech models are often trained on sensitive data in order to improve model performance, leading to potential privacy leakage. Our work considers noise masking attacks, introduced by Amid et al. 2022, which attack automatic speech recognition (ASR) models by requesting a transcript of an utterance which is partially replaced with noise. They show that when a record has been seen at training time, the model will transcribe the noisy record with its memorized sensitive transcript. In our work, we extend these attacks beyond ASR models, to attack pretrained speech encoders. Our method fine-tunes the encoder to produce an ASR model, and then performs noise masking on this model, which we find recovers private information from the pretraining data, despite the model never having seen transcripts at pretraining time! We show how to improve the precision of these attacks and investigate a number of countermeasures to our attacks.
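To make the abstention-based precision metric concrete for someone auditing their own model, the following is an added example (not code from the paper or its authors) that scores a batch of noise-masking probes: the attacker abstains on low-confidence transcripts, and precision is computed only over the answered ones. The `MaskedQuery` fields, the confidence threshold and the optional lexicon filter (a stand-in for the paper's transcript-based filtering) are assumptions; the sample probes are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class MaskedQuery:
    """One noise-masking probe: what the fine-tuned ASR model emitted for the
    noised-out span, the model's score for that hypothesis, and the ground truth."""
    predicted: str     # transcript the model produced for the masked span
    confidence: float  # hypothesis score in [0, 1] (assumed available from decoding)
    true_name: str     # sensitive token that was actually masked in the utterance

def exact_match(a: str, b: str) -> bool:
    return a.strip().lower() == b.strip().lower()

def abstention_precision(queries: List[MaskedQuery], threshold: float,
                         candidate_filter: Optional[Callable[[str], bool]] = None
                         ) -> Tuple[Optional[float], int, int]:
    """Precision over the probes the attacker does not abstain on.
    A probe is answered only if confidence >= threshold and (when a filter is
    given) the prediction passes the filter; everything else counts as abstain.
    Returns (precision, answered, correct); precision is None if nothing is answered."""
    answered = [q for q in queries if q.confidence >= threshold
                and (candidate_filter is None or candidate_filter(q.predicted))]
    correct = sum(1 for q in answered if exact_match(q.predicted, q.true_name))
    precision = correct / len(answered) if answered else None
    return precision, len(answered), correct

def sweep(queries: List[MaskedQuery], thresholds: List[float]):
    """Precision/coverage trade-off: raising the threshold trades coverage for precision."""
    rows = []
    for t in thresholds:
        p, answered, _ = abstention_precision(queries, t)
        rows.append((t, p, answered / len(queries)))
    return rows

# Constructed sample probes (not real data); names are invented.
SAMPLE = [
    MaskedQuery("mary johnson", 0.92, "mary johnson"),
    MaskedQuery("john smith", 0.88, "john smith"),
    MaskedQuery("the weather", 0.35, "alice brown"),
    MaskedQuery("tom", 0.61, "thomas green"),
    MaskedQuery("sarah lee", 0.75, "sarah lee"),
    MaskedQuery("bob", 0.80, "robert hale"),
]
# Hypothetical lexicon of name strings seen in fine-tuning transcripts.
NAME_LEXICON = {q.true_name for q in SAMPLE}
in_lexicon = lambda text: text.strip().lower() in NAME_LEXICON

if __name__ == "__main__":
    for t, p, cov in sweep(SAMPLE, [0.0, 0.7, 0.85, 0.95]):
        print(f"threshold={t:.2f} precision={p} coverage={cov:.2f}")
    print("with lexicon filter:", abstention_precision(SAMPLE, 0.0, in_lexicon))
```

A defender can run the same scoring over a held-out control set of utterances that were never pretrained on; precision well above the control rate at a given abstention level is the leakage signal.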
