
Hidden in Plain Sound: Environmental Backdoor Poisoning Attacks on Whisper, and Mitigations

Jonatan Bartolini, Todor Stoyanov, Alberto Giaretta

TL;DR

A new poisoning approach is proposed that maps different environmental trigger sounds to target phrases of different lengths during the fine-tuning phase of speech recognition, and Silero VAD is investigated as a mitigation against it.

Abstract

Thanks to the popularisation of transformer-based models, speech recognition (SR) is gaining traction in various application fields, such as industrial and robotics environments populated with mission-critical devices. While transformer-based SR can provide various benefits for simplifying human-machine interfacing, the research on the cybersecurity aspects of these models is lacklustre, in particular concerning backdoor poisoning attacks. In this paper, we propose a new poisoning approach that maps different environmental trigger sounds to target phrases of different lengths, during the fine-tuning phase. We test our approach on Whisper, one of the most popular transformer-based SR models, showing that it is highly vulnerable to our attack under several testing conditions. To mitigate the attack proposed in this paper, we investigate the use of Silero VAD, a state-of-the-art voice activity detection (VAD) model, as a defence mechanism. Our experiments show that it is possible to use VAD models to filter out malicious triggers and mitigate our attacks, with a varying degree of success, depending on the type of trigger sound and testing conditions.

Paper Structure

This paper contains 24 sections, 3 equations, 12 figures, 6 tables, 1 algorithm.

Figures (12)

  • Figure 1: A simple schematic of the attack scenario being considered in the running case study. In this diagram, we see a poisoned sample where the trigger $\vec{\tau}$ and the target phrase $\vec{T}_\tau$ have been concatenated at the front of a benign speech waveform $\vec{w}$ and its corresponding transcription $\vec{T}$.
  • Figure 2: ASR for different triggers, added at the end or at the start of another speech waveform $\vec{w}$.
  • Figure 3: ASR for trigger sounds $\vec{\tau}$ played in isolation.
  • Figure 4: ASR for different triggers, immersed in two different ambience sounds.
  • Figure 5: ASR with two different target phrases $\vec{T}_\tau$. The trigger sounds are organised in ascending order of duration, from left to right.
  • ...and 7 more figures