Neural Predictor for Black-Box Adversarial Attacks on Speech Recognition
This addresses the problem of improving efficiency in black-box adversarial attacks for speech recognition, which is incremental as it builds on existing methods to reduce query costs.
The paper tackles the challenge of black-box adversarial attacks on speech recognition models, where limited hard-label information makes attacks query-intensive, and introduces NP-Attack, a neural predictor-based method that reduces the number of queries needed while achieving competitive results with state-of-the-art attacks.
Recent works have revealed the vulnerability of automatic speech recognition (ASR) models to adversarial examples (AEs), i.e., small perturbations that cause an error in the transcription of the audio signal. Studying audio adversarial attacks is therefore the first step towards robust ASR. Despite the significant progress made in attacking audio examples, the black-box attack remains challenging because only the hard-label information of transcriptions is provided. Due to this limited information, existing black-box methods often require an excessive number of queries to attack a single audio example. In this paper, we introduce NP-Attack, a neural predictor-based method, which progressively evolves the search towards a small adversarial perturbation. Given a perturbation direction, our neural predictor directly estimates the smallest perturbation that causes a mistranscription. In particular, it enables NP-Attack to accurately learn promising perturbation directions via gradient-based optimization. Experimental results show that NP-Attack achieves competitive results with other state-of-the-art black-box adversarial attacks while requiring a significantly smaller number of queries. The code of NP-Attack is available online.