Abstract
Small adversarial perturbations of input data can drastically change the performance of machine learning systems, thereby challenging their validity. We compare several adversarial attacks targeting an instrument classifier, where for the first time in Music Information Retrieval (MIR) the perturbations are computed directly on the waveform. The attacks can reduce the accuracy of the classifier significantly, while at the same time keeping perturbations almost imperceptible. Furthermore, we show the potential of adversarial attacks being a security issue in MIR by artificially boosting playcounts through an attack on a real-world music recommender system.
Highlights
Adversarial examples were first reported in the field of image classification (Szegedy et al, 2014), where marginal perturbations of input data could significantly degrade the performance of a machine learning system
This is in contrast to prior work concerning adversarial attacks in Music Information Retrieval (MIR), where perturbations were computed on the spectrogram and transformed back to the time-domain (Kereliuk et al, 2015)
As in previous experiments (Section 3.5.1), we evaluate the adversarial attack on the music recommendation system based on the number of adversarial examples that are found and their perceptibility in terms of the average signal-to-noise ratio (SNR)
Summary
Adversarial examples were first reported in the field of image classification (Szegedy et al, 2014), where marginal perturbations of input data could significantly degrade the performance of a machine learning system. We first compare and adapt several existing white-box adversarial attacks from other domains to degrade the performance of an instrument classifier in an end-to-end fashion, i.e., with perturbations computed directly on the raw waveforms. This is in contrast to prior work concerning adversarial attacks in MIR, where perturbations were computed on the spectrogram and transformed back to the time-domain (Kereliuk et al, 2015). By adapting end-to-end attacks from the image and speech domain, we avoid having to restrict spectrograms in non-trivial ways to ensure valid adversarial timedomain signals. The instrument classification task provides a suitable test-bed for audio adversarial attacks, since single instrument tasks make it difficult for perturbations to remain unnoticeable
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: Transactions of the International Society for Music Information Retrieval
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
