Fake the Real: Backdoor Attack on Deep Speech Classification via Voice Conversion
This addresses security threats in speech classification systems, particularly from untrustworthy third-party platforms, and is incremental as it builds on existing backdoor attack methods.
The paper tackles the problem of backdoor attacks in deep speech classification by using sample-specific triggers generated via voice conversion to avoid audible noise, achieving effective attacks on two speech classification tasks with resistance to fine-tuning.
Deep speech classification has achieved tremendous success and greatly promoted the emergence of many real-world applications. However, backdoor attacks present a new security threat to it, particularly with untrustworthy third-party platforms, as pre-defined triggers set by the attacker can activate the backdoor. Most of the triggers in existing speech backdoor attacks are sample-agnostic, and even if the triggers are designed to be unnoticeable, they can still be audible. This work explores a backdoor attack that utilizes sample-specific triggers based on voice conversion. Specifically, we adopt a pre-trained voice conversion model to generate the trigger, ensuring that the poisoned samples does not introduce any additional audible noise. Extensive experiments on two speech classification tasks demonstrate the effectiveness of our attack. Furthermore, we analyzed the specific scenarios that activated the proposed backdoor and verified its resistance against fine-tuning.