RTA3: A Real Time Adversarial Attack on Recurrent Neural Networks

Recurrent neural networks are widely used in machine learning systems that process time-series data, including health monitoring, object tracking in video, and automatic speech recognition (ASR). While much work has demonstrated the vulnerability of deep neural networks to so-called adversarial perturbations, most of it has focused on convolutional neural networks that process non-sequential data for tasks such as image recognition. We propose that the memory and parameter-sharing properties unique to recurrent neural networks make them susceptible to periodic adversarial perturbations that exploit exactly those properties. In this paper, we demonstrate a general application of deep reinforcement learning to the generation of periodic adversarial perturbations, attacking recurrent neural networks that process sequential data in a black-box setting. We successfully learn an attack policy that generates adversarial perturbations against the DeepSpeech ASR system, and we further show that this policy generalizes to a set of unseen examples in real time.
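The attack described above can be sketched in miniature: a stochastic policy parameterizes one period of a perturbation, the perturbation is tiled periodically over the waveform, a black-box model is queried for a scalar error signal, and the policy is updated with a REINFORCE-style gradient. This is a minimal illustrative sketch, not the paper's implementation: the `asr_error` function below is a toy stand-in for querying a real ASR system such as DeepSpeech, and all names, constants, and the Gaussian-policy parameterization are assumptions for illustration.

```python
import numpy as np

rng = np.random.default_rng(0)

def asr_error(audio):
    # Placeholder for the black-box ASR query (e.g., transcription
    # error against the ground-truth text). Here a toy surrogate
    # rewards energy along a fixed "sensitive" reference pattern.
    target = np.sin(2 * np.pi * np.arange(audio.size) / 32.0)
    return float(np.abs(audio @ target) / audio.size)

PERIOD = 64    # samples in one period of the perturbation
EPS = 0.05     # amplitude budget (keeps the perturbation quiet)
SIGMA = 0.02   # exploration noise of the Gaussian policy
LR = 0.5       # REINFORCE step size

theta = np.zeros(PERIOD)                  # policy mean: one period
clean = rng.standard_normal(4096) * 0.1   # stand-in speech waveform
baseline = 0.0                            # moving-average baseline

for step in range(200):
    sample = theta + SIGMA * rng.standard_normal(PERIOD)  # sample action
    delta = np.clip(sample, -EPS, EPS)                    # enforce budget
    tiled = np.tile(delta, clean.size // PERIOD)          # periodic tiling
    reward = asr_error(clean + tiled)                     # black-box query
    baseline = 0.9 * baseline + 0.1 * reward
    # REINFORCE gradient for a fixed-variance Gaussian policy
    theta += LR * (reward - baseline) * (sample - theta) / SIGMA**2

adv = clean + np.tile(np.clip(theta, -EPS, EPS), clean.size // PERIOD)
```

Because the learned quantity is a single short period rather than a per-example perturbation, the policy can be applied to unseen audio as it streams in, which is what makes a periodic formulation compatible with a real-time attack.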
