计算机科学与探索 ›› 2025, Vol. 19 ›› Issue (1): 253-263. DOI: 10.3778/j.issn.1673-9418.2312046

• Artificial Intelligence · Pattern Recognition •

Adversarial Example Generation Method for Automatic Speech Recognition Systems

YU Zhenhua, SU Yufan, YE Ou, CONG Xuya

  1. College of Computer Science & Technology, Xi'an University of Science & Technology, Xi'an 710054, China
  • Online: 2025-01-01  Published: 2024-12-31

Abstract: Adversarial attacks can expose vulnerabilities in a system and thereby help improve its robustness. However, most adversarial attacks require the parameter information of the target system in advance, which limits the conditions under which an attack can be mounted. To address this, a black-box targeted adversarial attack method is proposed that combines a new quantum particle swarm optimization algorithm. The method adds small noise to the original example to construct a differentiated particle swarm as the initial population of adversarial examples; a domain redistribution strategy based on memory search is used to obtain the global optimal particle of the current population and thus generate initial adversarial examples; dimension expansion and adaptive-weight position updates are incorporated to move the population closer to the target; and the initial adversarial examples are further optimized according to the edit distance between each adversarial example and the target phrase to generate the final adversarial examples. To verify the attack effectiveness of the method, experiments are conducted on the speech recognition model DeepSpeech with the Google Speech, LibriSpeech, and Common Voice datasets, where the target phrases are set to common voice commands in different scenarios. Experimental results show that the proposed method achieves a higher success rate than the compared methods on all three datasets, and its success rate on the Common Voice dataset is 10 percentage points higher than that of the compared method. In addition, volunteers are recruited to subjectively evaluate the noise intensity of the generated adversarial examples, and 82.4% of the adversarial examples are judged by the volunteers to contain no noise or only slight noise.

Key words: adversarial attack, speech recognition, black-box attack, example generation, quantum particle swarm optimization algorithm, gradient evaluation method
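
To make the described search loop concrete, the following is a minimal sketch, in Python, of a QPSO-style black-box targeted attack that scores candidates by the edit distance between the ASR output and the target phrase. It is not the paper's implementation: the function names (qpso_targeted_attack, transcribe_fn), the hyperparameters, and the plain quantum-behaved position update are assumptions for illustration; the paper's memory-search-based redistribution, dimension expansion, and adaptive-weight update are not reproduced here.

```python
import numpy as np


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings; used as the fitness signal."""
    dp = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, dp[0] = dp[0], i
        for j, cb in enumerate(b, 1):
            prev, dp[j] = dp[j], min(dp[j] + 1,          # deletion
                                     dp[j - 1] + 1,      # insertion
                                     prev + (ca != cb))  # substitution
    return dp[-1]


def qpso_targeted_attack(x0: np.ndarray, target: str, transcribe_fn,
                         pop_size: int = 20, iters: int = 100,
                         eps: float = 0.02, beta: float = 0.8, seed: int = 0):
    """Search for a perturbed waveform whose transcription matches `target`.

    `transcribe_fn(audio) -> str` is the only access to the ASR system,
    i.e. the attack is black-box: no gradients or internal parameters are used.
    """
    rng = np.random.default_rng(seed)

    # Initial population: copies of the original audio plus small random noise.
    pop = x0 + rng.uniform(-eps, eps, size=(pop_size,) + x0.shape)
    pbest = pop.copy()
    pbest_fit = np.array([edit_distance(transcribe_fn(p), target) for p in pop])
    gbest = pbest[pbest_fit.argmin()].copy()

    for _ in range(iters):
        mbest = pbest.mean(axis=0)  # mean of the personal best positions
        for i in range(pop_size):
            # Local attractor: random mix of personal best and global best.
            phi = rng.random(x0.shape)
            attractor = phi * pbest[i] + (1.0 - phi) * gbest
            # Quantum-behaved position update around the attractor.
            u = rng.uniform(1e-9, 1.0, size=x0.shape)
            sign = np.where(rng.random(x0.shape) < 0.5, -1.0, 1.0)
            pop[i] = attractor + sign * beta * np.abs(mbest - pop[i]) * np.log(1.0 / u)
            # Keep the perturbation small so the audio stays close to the original.
            pop[i] = np.clip(pop[i], x0 - eps, x0 + eps)

            fit = edit_distance(transcribe_fn(pop[i]), target)
            if fit < pbest_fit[i]:
                pbest[i], pbest_fit[i] = pop[i].copy(), fit

        gbest = pbest[pbest_fit.argmin()].copy()
        if pbest_fit.min() == 0:  # transcription already equals the target phrase
            break

    return gbest
```

In practice, transcribe_fn would wrap a query to the target model (for example, a DeepSpeech inference call on the candidate waveform), which is the only interaction the black-box setting allows; a zero edit distance means the candidate transcribes exactly to the chosen voice command.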