Abstract
The development of artificial neural networks and artificial intelligence has helped to address problems and improve services in various fields, such as autonomous driving, image classification, medical diagnosis, and speech recognition. However, this technology has raised security threats that differ from existing ones. Recent studies have shown that artificial neural networks can easily be made to malfunction by adversarial examples, which cause a neural network model to behave as the adversary intends. In particular, adversarial examples targeting speech recognition models have been actively studied in recent years. Existing studies have focused mainly on white-box methods. However, most speech recognition services are provided online as black boxes, making it difficult or impossible for adversaries to mount white-box attacks. Black-box attacks face several challenges: they typically have a low success rate and a high risk of detection. In particular, previously proposed genetic algorithm (GA)-based attacks carry a high risk of detection because they require numerous queries. Therefore, we propose an adversarial attack system using particle swarm optimization (PSO) to address these problems. The proposed system treats adversarial candidates as particles and obtains adversarial examples through iterative optimization. PSO-based adversarial attacks are more query-efficient and achieve a higher attack success rate than GA-based methods. In particular, our key feature, temporary particle generation, maximizes query efficiency to reduce detection risk and prevent wasting system resources. On average, our system achieves a 96% attack success rate with 1416.17 queries, which is 71.41% better in query efficiency and 8% better in success rate than existing GA-based attacks.
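To make the approach concrete, the following is a minimal sketch of a PSO-style black-box attack loop, assuming a 1-D waveform, a query-only transcribe function standing in for the target speech recognition service, an edit-distance fitness, and generic PSO hyperparameters. The paper's temporary particle generation and GA operations are not reproduced here, and all names and values are illustrative, not the authors' implementation.

```python
# Hedged sketch of a PSO-based black-box audio adversarial attack.
# Assumptions: `transcribe(audio)` is a query-only ASR service returning text,
# particles are additive perturbations bounded by `eps`, fitness is edit distance
# to the target phrase (0 means the attack succeeded).
import numpy as np

def edit_distance(a, b):
    """Levenshtein distance between two strings, used as a fitness proxy."""
    dp = np.arange(len(b) + 1)
    for i, ca in enumerate(a, 1):
        prev, dp[0] = dp[0], i
        for j, cb in enumerate(b, 1):
            prev, dp[j] = dp[j], min(dp[j] + 1, dp[j - 1] + 1, prev + (ca != cb))
    return dp[-1]

def pso_attack(x, target, transcribe, n_particles=25, iters=300, eps=0.005,
               w=0.7, c1=1.5, c2=1.5, rng=np.random.default_rng(0)):
    """Search for a bounded perturbation so that transcribe(x + delta) == target."""
    dim = x.shape[0]
    pos = rng.uniform(-eps, eps, (n_particles, dim))   # particles = candidate perturbations
    vel = np.zeros_like(pos)
    fit = np.array([edit_distance(transcribe(x + p), target) for p in pos])
    pbest, pbest_fit = pos.copy(), fit.copy()
    g = pbest[pbest_fit.argmin()].copy()               # global best perturbation

    for _ in range(iters):
        r1, r2 = rng.random((2, n_particles, 1))
        vel = w * vel + c1 * r1 * (pbest - pos) + c2 * r2 * (g - pos)
        pos = np.clip(pos + vel, -eps, eps)             # keep the perturbation small
        fit = np.array([edit_distance(transcribe(x + p), target) for p in pos])
        better = fit < pbest_fit
        pbest[better], pbest_fit[better] = pos[better], fit[better]
        g = pbest[pbest_fit.argmin()].copy()
        if pbest_fit.min() == 0:                        # target transcription reached
            break
    return x + g                                        # best candidate found so far
```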
Highlights
The development of artificial neural networks [1] and artificial intelligence [2] has helped to address various problems in multiple areas, such as autonomous driving [3], image classification [4], medical diagnosis [5], and speech recognition [6]
Previous studies on adversarial examples have mainly been conducted in the image domain, but recently, studies have been actively conducted in other domains [9]–[11]; for example, there have been studies on the effect of audio adversarial examples on automatic speech recognition. Using these examples, adversaries can fool smart devices into running the commands they intend
Particle swarm optimization (PSO) and GA-based adversarial attacks: We further developed existing PSO-based adversarial attacks [21] from the image domain, proposing a novel audio black-box adversarial attack that incorporates genetic algorithmic operations (see the sketch after this list)
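As a rough illustration of how genetic operations could be combined with the particle population referenced above, the sketch below applies uniform crossover and sparse mutation to the fitter half of the particles. The operator choices, rates, and bounds are assumptions for illustration, not the paper's exact design.

```python
# Hedged sketch: GA-style operations applied to a PSO particle population.
# `pos` holds candidate perturbations, `fit` their fitness (lower is better).
import numpy as np

def ga_operations(pos, fit, mutation_rate=0.005, eps=0.005, rng=np.random.default_rng(0)):
    """Crossover between fitter particles plus sparse random mutation."""
    n, dim = pos.shape
    order = np.argsort(fit)
    elite = pos[order[: n // 2]]                  # keep the fitter half as parents
    children = []
    for _ in range(n - len(elite)):
        pa, pb = elite[rng.integers(len(elite), size=2)]
        mask = rng.random(dim) < 0.5              # uniform crossover
        child = np.where(mask, pa, pb)
        mutate = rng.random(dim) < mutation_rate  # sparse random mutation
        child = child + mutate * rng.uniform(-eps, eps, dim)
        children.append(np.clip(child, -eps, eps))
    return np.vstack([elite, np.array(children)])
```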
Summary
Previous studies on adversarial examples have mainly been conducted in the image domain, but recently, studies have been actively conducted in other domains [9]–[11]; for example, there have been studies on the effect of audio adversarial examples on automatic speech recognition. Using these examples, adversaries can fool smart devices into running the commands they intend. Adversarial attacks fall into two categories depending on the adversary's access to the neural network model: white-box and black-box. White-box attacks [8], [11]–[13] assume that adversaries have access to the internal state of the model, such as its gradients, parameters, and structure. White-box attacks are impractical in actual attack scenarios because the internal state of most neural network services or systems is inaccessible. Black-box attacks [14]–[16], in contrast, assume that adversaries can only query the model and observe its outputs.
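The black-box setting can be summarized as a query-only interface: the adversary submits audio and observes only the returned transcription, and every query is visible to the service provider, which is why query counts matter for detection risk. A minimal, assumed wrapper (not from the paper) makes this explicit; its transcribe method could serve as the query function in the PSO sketch above.

```python
# Illustrative query-only interface to a black-box ASR service.
# `asr_service` is an assumed stand-in for a real speech recognition API.
class BlackBoxASR:
    def __init__(self, asr_service):
        self.asr_service = asr_service
        self.queries = 0                 # every query is observable by the provider

    def transcribe(self, audio):
        self.queries += 1
        return self.asr_service(audio)   # only the output text is visible, no gradients
```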