metamorph injecting inaudible commands into over the air
play

Metamorph: Injecting Inaudible Commands into Over-the-air Voice - PowerPoint PPT Presentation

Sep 22, 2023 •261 likes •808 views

Metamorph: Injecting Inaudible Commands into Over-the-air Voice Controlled Systems Tao Chen 1 Longfei Shangguan 2 Zhenjiang Li 1 Kyle Jamieson 3 1 City University of Hong Kong, 2 Microsoft, 3 Princeton University Voice Assistants in Smart Home 2

  1. Metamorph: Injecting Inaudible Commands into Over-the-air Voice Controlled Systems Tao Chen 1 Longfei Shangguan 2 Zhenjiang Li 1 Kyle Jamieson 3 1 City University of Hong Kong, 2 Microsoft, 3 Princeton University

  2. Voice Assistants in Smart Home 2 5 4 1 3 2

  3. Voice Assistants in Smart Home 2 5 4 1 3 2

  4. Voice Assistants in Smart Home 2 5 4 1 111.8 million people in U.S. use voice assistants and related services! 3 2 https://www.emarketer.com/content/us-voice-assistant-users-2019

  5. 3 Are they safe enough?

  6. How to attack the voice assistant? 4 Neural networks Speech Recognition Models (SR)

  7. How to attack the voice assistant? 5 Audio Clip: I “ this is for you” T : SR ( I )

  8. How to attack the voice assistant? 5 Audio Clip: I “ this is for you” T : “ open the door” T ′ : SR ( I ) Adversarial Example: I + δ Perturbation: δ

  9. How to attack the voice assistant? 5 Audio Clip: I “ this is for you” T : “ open the door” T ′ : SR ( I ) Adversarial Example: I + δ minimize dB I ( δ ), Perturbation: δ SR ( I ) = T , such that SR ( I + δ ) = T ′ Nicholas Carlini et al. Audio Adversarial Examples, Deep Learning and Security Workshop, 2018

  10. How to attack the voice assistant? 5 Audio Clip: I “ This is for you” T : “ Open the door” T ′ : SR ( I ) Adversarial Example: I + δ Audio Adversarial Attack minimize dB I ( δ ), Perturbation: δ SR ( I ) = T , such that SR ( I + δ ) = T ′ Nicholas Carlini et al. Audio Adversarial Examples, Deep Learning and Security Workshop, 2018

  11. 6

  12. 6

  13. 6

  14. 6

  15. 6 Is it a real threat? Yes!

  16. 6 Adversarial Example

  17. 6 Adversarial Example But, failed Over-the-air!

  18. Challenge 7 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity

  19. Challenge 7 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity VS SR ( I + δ ) SR ( H ( I + δ )) H is unknown in advance!

  20. Understand Over-the-air Attack 8 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity

  21. 9 Attenuation Attenuation

  22. 9 Attenuation Attenuation

  23. 9 Attenuation “ Open the door” Normalization Attenuation

  24. 9 Attenuation “ Open the door” Normalization Attenuation No frequency-selectivity, doesn’t matter at all!

  25. Understand Over-the-air Attack 10 Channel E ff ect Noise Multi-path Attenuation Hardware Heterogeneity

  26. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Anechoic Chamber Testing

  27. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Anechoic Chamber Testing

  28. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Anechoic Chamber Testing

  29. 11 Hardware Heterogeneity Transmitter Anechoic Materials Receiver Not strong, device’s inherent feature, compensable! Anechoic Chamber Testing

  30. 12 Hardware Heterogeneity Transmitter Character Successful Rate (CSR): Anechoic Materials Receiver Static, predictable and compensable! Anechoic Chamber Testing

  31. Understand Over-the-air Attack 13 Channel E ff ect Multi-path Attenuation Hardware Heterogeneity

  32. 14 Multi-path HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Speaker Over-the-air Over-the-air Ruler Over-the-air Channel Channel Ruler Channel SAMSUNG S7 SAMSUNG S7 SAMSUNG S7

  33. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Channel Channel Ruler Channel SAMSUNG S7 SAMSUNG S7 SAMSUNG S7

  34. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel LOS path SAMSUNG S7 Superimposed signal SAMSUNG S7 SAMSUNG S7 Reflection2 I Reflection1

  35. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel LOS path SAMSUNG S7 Superimposed signal SAMSUNG S7 SAMSUNG S7 Reflection2 I Reflection1

  36. 15 Multi-path: Near range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel LOS path SAMSUNG S7 Superimposed signal SAMSUNG S7 SAMSUNG S7 Reflection2 I Reflection1 Also not strong and similar!

  37. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Channel Channel Ruler Channel SAMSUNG S7 SAMSUNG S7 SAMSUNG S7

  38. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1

  39. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1

  40. 16 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1 Stronger and unpredictable!

  41. 17 Multi-path: Long range O ffi ce Corridor Home HIVI M200MK3 HIVI M200MK3 Speaker Speaker HIVI M200MK3 Tx to Rx: From 0.5m to 8m Speaker Over-the-air Over-the-air Ruler Over-the-air Q Channel Channel Character Successful Rate (CSR): Ruler Channel SAMSUNG S7 LOS path SAMSUNG S7 SAMSUNG S7 Superimposed signal Reflection2 I Reflection1 Highly unpredictable !

  42. 18 Design Inspiration “ Open the door” SR ( H ( I + δ )) I + δ

  43. 18 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ

  44. 18 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ SR ( H ( I + δ )) H: public acoustic CIR datasets

  45. 18 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ SR ( H ( I + δ )) H: public acoustic CIR datasets arg min δ α ⋅ dB I ( δ ) + 1 M ∑ i Loss ( SR ( H i ( I + δ )), T ′ )

  46. 19 Design Inspiration “ Open the door” Unknown, but share similarity! SR ( H ( I + δ )) I + δ Transcript and Character Successful Rate: SR ( H ( I + δ )) public acoustic CIR datasets arg min δ α ⋅ dB I ( δ ) + 1 M ∑ i Loss ( SR ( H i ( I + δ )), T ′ )

  47. 20 Design Inspiration “ Open the door” SR ( H ( I + δ )) I + δ Domain (environment-specific) information dominates! SR ( H ( I + δ )) H: public acoustic CIR datasets

  48. 21 Metamorph: Meta-Enha Clean domain information arg min δ α ⋅ dB I ( δ ) + 1 M ∑ i Loss ( SR ( H i ( I + δ )), T ′ ) − β ⋅ L d

  49. ̂ 22 Metamorph: Meta-Qual • Acoustic Gra ffi ti: distance ( δ , N ) • Reducing Perturbation’s Coverage: L1/L2 regularization

  50. 23 Evaluation: Audio Quality • Examples Classical music Original: Meta-Enha: Meta-Qual: [no transcription] “hello world” “hello world” Human speech Original: Meta-Enha: Meta-Qual: “your son went to “open the door” “open the door” serve at a distant place and became a centurion”

  51. 24 Evaluation: Attack Successful Rate • Attack Target: “DeepSpeech” (White-Box) A multi-path prevalent o ffi ce

  52. 25 Evaluation: Attack Successful Rate • Line-of-Sight (LOS) Attack Character Successful Rate Transcript Successful Rate Meta-Enha: > 90% attack successful rate

  53. 26 Evaluation: Attack Successful Rate • No-Line-of-Sight (NLOS) Attack Character Successful Rate Transcript Successful Rate Meta-Enha: over 85% attack successful rate across 11/20 NLOS location!

  54. 27 Conclusion 1. Investigate over-the-air audio adversarial attacks systematically. 2. Propose a “generate-and-clean” two-phase design and improve the audio quality. 3. Develop a prototype and conduct extensive evaluations. Visit acoustic-metamorph-system.github.io for more information!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang,

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang,

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu Zhejiang University BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice commands at VCS by exploiting the

481 views • 28 slides
DolphinAttack: Inaudible Voice Commands Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin

DolphinAttack: Inaudible Voice Commands Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin

DolphinAttack: Inaudible Voice Commands Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, Wenyuan Xu Zhejiang University Presenter: Huichen Li This paper won the CCS 2017 Best Paper award Speech Recognition Systems Apple Siri

720 views • 51 slides
Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV beyond using the same syringes/needles Messages Our main message for the safer injecting theme is: Use a sterile syringe and needle each time

252 views • 8 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
Drafting Commands, Metaediting Part II: The Core Commands Announcements HW3... is postponed

Drafting Commands, Metaediting Part II: The Core Commands Announcements HW3... is postponed

Lecture 8: Visual Mode, /<CR>, Drafting Commands, Metaediting Part II: The Core Commands Announcements HW3... is postponed to next week... Too few things to test on Make sure to practice on commands discussed so far. Every

1.11k views • 83 slides
A comparison of in inaudible windfarm noise and the natural environment noise whilst monitoring

A comparison of in inaudible windfarm noise and the natural environment noise whilst monitoring

23rd International Congress on Acoustics A comparison of in inaudible windfarm noise and the natural environment noise whilst monitoring brainwaves and heart rate Steven Cooper Sound system calibrated to playback 3-min sample of Cape

628 views • 15 slides
Colossians Commands Commands put to death your members 3:5 you yourself are to put

Colossians Commands Commands put to death your members 3:5 you yourself are to put

Colossians Commands Commands put to death your members 3:5 you yourself are to put off all these 3:8 put off the old man with his deeds 3:9 put on the new man who is renewed 3:10 put on tender mercies

2.44k views • 197 slides
Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting Faults for Engine Management Development M t D l t Scott James Applied Dynamics International Sh Shaun Fuller Pickering Interfaces F ll

353 views • 18 slides
Commands Part I Recurring Themes Part II Core Commands Announcements Homework 2 is due now!

Commands Part I Recurring Themes Part II Core Commands Announcements Homework 2 is due now!

Lecture 5: Review + Basic Commands Part I Recurring Themes Part II Core Commands Announcements Homework 2 is due now! Midterm next week! Format is similar to hws, focus on writing clear descriptions that do exactly what you want to

549 views • 43 slides
April 7: Safety Question Protection State Transitions Commands Conditional Commands

April 7: Safety Question Protection State Transitions Commands Conditional Commands

April 7: Safety Question Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege Harrison-Ruzzo-Ullman result Corollaries April 7, 2017 ECS 235B Spring Quarter

588 views • 33 slides
A simplified A simplified method method for for determination determination of of

A simplified A simplified method method for for determination determination of of

23rd International Congress on Acoustics A simplified A simplified method method for for determination determination of of amplitude amplitude modulation of modulation of audible audible and and inaudible inaudible wind

462 views • 10 slides
The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne

The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne

The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne Professor Robert Power Burnet Institute Acknowledgements Traditional owners: W urundjeri Yarra Drug Health Forum Project team

633 views • 22 slides
SQL , the Structured Query Language Overview Introduction DDL Commands DML Commands SQL

SQL , the Structured Query Language Overview Introduction DDL Commands DML Commands SQL

SQL , the Structured Query Language Overview Introduction DDL Commands DML Commands SQL Statements, Operators, Clauses Aggregate Functions Structured Query Language ( SQL SQL ) The ANSI standard language for the definition and manipulation

854 views • 30 slides
Commands The picture can't be displayed. Dr. John Yoon The History Almost every shell stores

Commands The picture can't be displayed. Dr. John Yoon The History Almost every shell stores

Advanced Linux Commands The picture can't be displayed. Dr. John Yoon The History Almost every shell stores the previous commands that you have issued. Most shells allow you to press the up arrow to cycle through previous commands.

656 views • 17 slides
Unix Commands on processes Xiaolan Zhang Spring 2013 1 Outlines Last class: commands

Unix Commands on processes Xiaolan Zhang Spring 2013 1 Outlines Last class: commands

Unix Commands on processes Xiaolan Zhang Spring 2013 1 Outlines Last class: commands working with files tree, ls and echo od (octal dump), stat (show meta data of file) touch, temporary file, file with random bytes locate,

548 views • 51 slides
Barriers and Facilitators to screening and treatment for Hepatitis C among Injecting Drug Users in

Barriers and Facilitators to screening and treatment for Hepatitis C among Injecting Drug Users in

Barriers and Facilitators to screening and treatment for Hepatitis C among Injecting Drug Users in Georgia April, 2017 www.curatiofoundation.org Who did the study Research team CIF: Ivdity Chikovani, Natia Shengelia, Lela Sulaberidze,

395 views • 28 slides
Synesthesia The problem Many colleagues appear blandly disengaged during crucial

Synesthesia The problem Many colleagues appear blandly disengaged during crucial

Synesthesia The problem Many colleagues appear blandly disengaged during crucial video-conference calls 2 The challenge Telling what they are actually doing VS. 3 Idea: hear the screen ? Victim (evil colleague appearing

657 views • 39 slides
CS 188: Artificial Intelligence Lecture 18: Speech Pieter Abbeel --- UC Berkeley Many slides

CS 188: Artificial Intelligence Lecture 18: Speech Pieter Abbeel --- UC Berkeley Many slides

CS 188: Artificial Intelligence Lecture 18: Speech Pieter Abbeel --- UC Berkeley Many slides over this course adapted from Dan Klein, Stuart Russell, Andrew Moore Speech and Language Speech technologies Automatic speech recognition

225 views • 7 slides
Poetry Draw inspiration from math, Music science and engineering Experiences

Poetry Draw inspiration from math, Music science and engineering Experiences

How do artists draw their inspiration? TRADITIONAL METHOD NOVEL APPROACH Poetry Draw inspiration from math, Music science and engineering Experiences Feedback is more abstract and Feedback usually instantaneous;

698 views • 26 slides
Covariation of Stop Consonant Acoustics: Corpus Evidence and Implications for Talker Adaptation

Covariation of Stop Consonant Acoustics: Corpus Evidence and Implications for Talker Adaptation

Covariation of Stop Consonant Acoustics: Corpus Evidence and Implications for Talker Adaptation Eleanor Chodroff and Colin Wilson Johns Hopkins University Department of Cognitive Science LSA | Washington, DC | January 9, 2016 Individual

409 views • 37 slides
Acoustic Modeling: Tied-state HMMs & DNN-based models Lecture 7 CS 753 Instructor: Preethi

Acoustic Modeling: Tied-state HMMs & DNN-based models Lecture 7 CS 753 Instructor: Preethi

Acoustic Modeling: Tied-state HMMs & DNN-based models Lecture 7 CS 753 Instructor: Preethi Jyothi Recall: Acoustic Model Acoustic Context Pronunciation Language Models Transducer Model Model Acoustic Word

604 views • 37 slides
INCITS 456 Speaker Recognition Format for Raw Data Interchange (SIVR-1) Judith A. Markowitz, PhD

INCITS 456 Speaker Recognition Format for Raw Data Interchange (SIVR-1) Judith A. Markowitz, PhD

INCITS 456 Speaker Recognition Format for Raw Data Interchange (SIVR-1) Judith A. Markowitz, PhD J. Markowitz, Consultants Chicago, IL www.jmarkowitz.com W3C Workshop on SIV March 6, 2009 1 1 What is INCITS 456? What is INCITS 456?

686 views • 13 slides
Acoustic Methods for Underwater Munitions February 5, 2015 SERDP & ESTCP Webinar Series

Acoustic Methods for Underwater Munitions February 5, 2015 SERDP & ESTCP Webinar Series

SERDP & ESTCP Webinar Series Acoustic Methods for Underwater Munitions February 5, 2015 SERDP & ESTCP Webinar Series Welcome and Introductions Rula Deeb, Ph.D. Webinar Coordinator Webinar Agenda Webinar Overview and ReadyTalk

973 views • 81 slides
Acoustic Emission Sensors in Superconducting Magnets Marcos Araque SIST/GEM Final Presentation

Acoustic Emission Sensors in Superconducting Magnets Marcos Araque SIST/GEM Final Presentation

Acoustic Emission Sensors in Superconducting Magnets Marcos Araque SIST/GEM Final Presentation 6 August 2018 Acoustic Emission Quench Detection Sensors in Superconducting Magnets Quenching in Acoustic Emission (AE) Data Acquisition

488 views • 33 slides

More recommend