Can You Hear It? Backdoor Attacks via Ultrasonic Triggers

Conference paper (2022)

Authors

S. Koffas Cyber Security -

J. Xu Cyber Security -

M. Conti Università degli Studi di Padova, Cyber Security -

S. Picek Radboud Universiteit Nijmegen, Cyber Security -

Research Group

Cyber Security () (TU Delft)

DOI

https://doi.org/10.1145/3522783.3529523

Neural networks Backdoor attacks Inaudible trigger

More Info

expand_more

To reference this document use:

http://resolver.tudelft.nl/uuid:ed9603ee-97b4-4942-9741-75cad042b471

Published Date

2022

Language

English

Faculty

Electrical Engineering, Mathematics and Computer Science

Department

Intelligent Systems

Research Group

Cyber Security

Abstract

This work explores backdoor attacks for automatic speech recognition systems where we inject inaudible triggers. By doing so, we make the backdoor attack challenging to detect for legitimate users and, consequently, potentially more dangerous. We conduct experiments on two versions of a speech dataset and three neural networks and explore the performance of our attack concerning the duration, position, and type of the trigger. Our results indicate that less than 1% of poisoned data is sufficient to deploy a backdoor attack and reach a 100% attack success rate. We observed that short, non-continuous triggers result in highly successful attacks. Still, since our trigger is inaudible, it can be as long as possible without raising any suspicions making the attack more effective. Finally, we conduct our attack on actual hardware and saw that an adversary could manipulate inference in an Android application by playing the inaudible trigger over the air.

Files

3522783.3529523.pdf

(.pdf | 2.13 Mb)