Exploiting Vulnerabilities in Speech Translation Systems through Targeted Adversarial Attacks

Chang Liu, Haolin Wu, Xi Yang, Kui Zhang, Cong Wu, Weiming Zhang, Nenghai Yu, Tianwei Zhang, Qing Guo, Jie Zhang

TL;DR

The paper investigates vulnerabilities of state-of-the-art speech translation systems to targeted adversarial attacks, introducing two strategies: perturbation-based manipulations of source audio and diffusion-based adversarial music generation. It augments perturbations with Multi-language Enhancement and Target Cycle Optimization to improve cross-language transfer, and demonstrates diffusion-guided music attacks that reliably steer translations toward predefined semantics, including across Seen and Unseen languages. Extensive evaluations on Seamless and Canary show meaningful attack effectiveness, robust transfer across models, and substantial but imperfect over-the-air feasibility, including on physical devices. Defense experiments indicate partial resilience to audio processing but no definitive remedy, underscoring the need for robust ST architectures and defense mechanisms to safeguard multilingual audio pipelines in real-world settings.

Abstract

As speech translation (ST) systems become increasingly prevalent, understanding their vulnerabilities is crucial for ensuring robust and reliable communication. However, limited work has explored this issue in depth. This paper explores methods of compromising these systems through imperceptible audio manipulations. Specifically, we present two innovative approaches: (1) the injection of perturbation into source audio, and (2) the generation of adversarial music designed to guide targeted translation, while also conducting more practical over-the-air attacks in the physical world. Our experiments reveal that carefully crafted audio perturbations can mislead translation models to produce targeted, harmful outputs, while adversarial music achieves this goal more covertly, exploiting the natural imperceptibility of music. These attacks prove effective across multiple languages and translation models, highlighting a systemic vulnerability in current ST architectures. The implications of this research extend beyond immediate security concerns, shedding light on the interpretability and robustness of neural speech processing systems. Our findings underscore the need for advanced defense mechanisms and more resilient architectures in the realm of audio systems. More details and samples can be found at https://adv-st.github.io.

Paper Structure

This paper contains 37 sections, 7 equations, 17 figures, 18 tables, 3 algorithms.

Figures (17)

  • Figure 1: Two attack methods on the speech translation (ST) system: 1) adding imperceptible perturbation to audio, and 2) generating adversarial music. Both methods cause malicious translations "Are you insane?" across languages in this case.
  • Figure 2: A standard E2E ST framework features a speech encoder and an autoregressive text decoder that generate translated text in the target language end-to-end (French, in this case). An additional TTS module can be used to convert the translated text into speech, providing full functionality for an ST system.
  • Figure 3: Speech-to-any translation framework, where the features generated during the decoding of the target language text (French, in this case) are subsequently leveraged to predict audio features.
  • Figure 4: Three threat model scenarios discussed: S1: Cover-Related Attack, S2: Cover-Independent Attack, S3: Over-the-Air Attack.
  • Figure 5: Overview of our perturbation-based attack on ST.
  • ...and 12 more figures