Metamorph: Injecting Inaudible Commands into Over-the-air Voice - - PowerPoint PPT Presentation

Metamorph: Injecting Inaudible Commands into Over-the-air Voice Controlled Systems

Tao Chen1 Longfei Shangguan2 Zhenjiang Li1 Kyle Jamieson3

1City University of Hong Kong, 2Microsoft, 3Princeton University

2

Voice Assistants in Smart Home

5 4 3 2 1

2

Voice Assistants in Smart Home

5 4 3 2 1

2

Voice Assistants in Smart Home

5 4 3 2 1

https://www.emarketer.com/content/us-voice-assistant-users-2019

111.8 million people in U.S. use voice assistants and related services!

3

Are they safe enough?

4

How to attack the voice assistant?

Speech Recognition Models (SR) Neural networks

5

How to attack the voice assistant?

SR(I)

Audio Clip: I

“ this is for you”

T :

5

How to attack the voice assistant?

SR(I)

Audio Clip: I

“ this is for you”

T : Adversarial Example:

I + δ

“ open the door”

T′ : Perturbation: δ

5

How to attack the voice assistant?

dBI(δ), SR(I) = T, SR(I + δ) = T′ minimize such that SR(I)

Audio Clip: I

“ this is for you”

T : Adversarial Example:

I + δ

“ open the door”

T′ : Perturbation: δ

Nicholas Carlini et al. Audio Adversarial Examples, Deep Learning and Security Workshop, 2018

5

How to attack the voice assistant?

dBI(δ), SR(I) = T, SR(I + δ) = T′ minimize such that SR(I)

Audio Clip: I

“ This is for you”

T : Adversarial Example:

I + δ

“ Open the door”

T′ : Perturbation: δ

Audio Adversarial Attack

Nicholas Carlini et al. Audio Adversarial Examples, Deep Learning and Security Workshop, 2018

6

6

6

6

6

Is it a real threat? Yes!

6

Adversarial Example

6

Adversarial Example

But, failed Over-the-air!

Challenge

7

Attenuation Multi-path Channel Effect Hardware Heterogeneity

Challenge

7

Attenuation Multi-path Channel Effect Hardware Heterogeneity

VS

SR(I + δ) SR(H(I + δ))

H is unknown in advance!

Understand Over-the-air Attack

8

Hardware Heterogeneity

Attenuation Multi-path

Channel Effect

9

Attenuation

Attenuation

9

Attenuation

Attenuation

9

Attenuation Normalization

“ Open the door”

Attenuation

9

Attenuation Normalization

“ Open the door”

Attenuation

No frequency-selectivity, doesn’t matter at all!

Understand Over-the-air Attack

10

Hardware Heterogeneity

Attenuation Multi-path

Channel Effect Noise

11

Hardware Heterogeneity

Anechoic Chamber Testing

Transmitter Receiver

Anechoic Materials

11

Hardware Heterogeneity

Anechoic Chamber Testing

Transmitter Receiver

Anechoic Materials

11

Hardware Heterogeneity

Anechoic Chamber Testing

Transmitter Receiver

Anechoic Materials

11

Hardware Heterogeneity

Anechoic Chamber Testing

Transmitter Receiver

Anechoic Materials

Not strong, device’s inherent feature, compensable!

12

Hardware Heterogeneity

Anechoic Chamber Testing

Transmitter Receiver

Anechoic Materials

Static, predictable and compensable! Character Successful Rate (CSR):

Understand Over-the-air Attack

13

Hardware Heterogeneity

Attenuation Multi-path

Channel Effect

14

Multi-path

HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

15 HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Near range

15 HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Near range

I Q

Reflection1 Reflection2 LOS path Superimposed signal

15 HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Near range

I Q

Reflection1 Reflection2 LOS path Superimposed signal

15 HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Near range

I Q

Reflection1 Reflection2 LOS path Superimposed signal

Also not strong and similar!

16 HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Long range

HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Long range

Superimposed signal Reflection1 Reflection2 LOS path

I Q

16

HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Long range

Superimposed signal Reflection1 Reflection2 LOS path

I Q

16

HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Long range

Stronger and unpredictable!

Superimposed signal Reflection1 Reflection2 LOS path

I Q

16

HIVI M200MK3 Speaker Ruler SAMSUNG S7 Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Ruler Over-the-air Channel HIVI M200MK3 Speaker SAMSUNG S7 Over-the-air Channel

Office Corridor Home Tx to Rx: From 0.5m to 8m

Multi-path: Long range

Highly unpredictable！

Superimposed signal Reflection1 Reflection2 LOS path

I Q

Character Successful Rate (CSR):

17

18

Design Inspiration

“ Open the door”

I + δ

SR(H(I + δ))

18

Design Inspiration

“ Open the door”

I + δ

SR(H(I + δ))

Unknown, but share similarity!

Design Inspiration

“ Open the door”

I + δ

SR(H(I + δ))

Unknown, but share similarity!

SR(H(I + δ))

H: public acoustic CIR datasets

18

arg minδ α ⋅ dBI(δ) + 1 M ∑i Loss(SR(Hi(I + δ)), T′ )

Design Inspiration

“ Open the door”

I + δ

SR(H(I + δ))

Unknown, but share similarity!

SR(H(I + δ))

H: public acoustic CIR datasets

18

19

arg minδ α ⋅ dBI(δ) + 1 M ∑i Loss(SR(Hi(I + δ)), T′ )

public acoustic CIR datasets

Design Inspiration

“ Open the door”

I + δ

SR(H(I + δ))

Unknown, but share similarity!

SR(H(I + δ))

Transcript and Character Successful Rate:

20

“ Open the door”

I + δ

SR(H(I + δ))

Domain (environment-specific) information dominates!

SR(H(I + δ))

H: public acoustic CIR datasets

Design Inspiration

21

arg minδ α ⋅ dBI(δ) + 1 M ∑i Loss(SR(Hi(I + δ)), T′ ) − β ⋅ Ld

Metamorph: Meta-Enha

Clean domain information

22

Metamorph: Meta-Qual

• Acoustic Graffiti:
• Reducing Perturbation’s Coverage:

distance(δ, ̂ N)

L1/L2 regularization

23

Evaluation: Audio Quality

Classical music Human speech Original: [no transcription] Meta-Enha: “hello world” Meta-Qual: “hello world” Original: “your son went to serve at a distant place and became a centurion” Meta-Enha: “open the door” Meta-Qual: “open the door”

• Examples

24

Evaluation: Attack Successful Rate

A multi-path prevalent office

• Attack Target: “DeepSpeech” (White-Box)

25

Evaluation: Attack Successful Rate

• Line-of-Sight (LOS) Attack

Meta-Enha: > 90% attack successful rate

Transcript Successful Rate Character Successful Rate

26

• No-Line-of-Sight (NLOS) Attack

Evaluation: Attack Successful Rate

Character Successful Rate Transcript Successful Rate

Meta-Enha: over 85% attack successful rate across 11/20 NLOS location!

27

Conclusion

• 1. Investigate over-the-air audio adversarial attacks systematically.
• 2. Propose a “generate-and-clean” two-phase design and improve

the audio quality.

• 3. Develop a prototype and conduct extensive evaluations.

Visit acoustic-metamorph-system.github.io for more information!