Clustering Unsupervised Representations as Defense against Poisoning Attacks on Speech Commands Classification System

článek ve sborníku mimo WoS a Scopus

angličtina

Poisoning attacks entail attackers intentionally tampering with training data. In this paper, we consider a dirty-label poisoning attack scenario on a speech commands classification system. The threat model assumes that certain utterances from one of the classes (source class) are poisoned by superimposing a trigger on it, and its label is changed to another class selected by the attacker (target class). We propose a filtering defense against such an attack. First, we use DIstillation with NO labels (DINO) to learn unsupervised representations for all the training examples. Next, we use K-means and LDA to cluster these representations. Finally, we keep the utterances with the most repeated label in their cluster for training and discard the rest. For a 10% poisoned source class, we demonstrate a drop in attack success rate from 99.75% to 0.25%. We test our defense against a variety of threat models, including different target and source classes, as well as trigger variations.

poisoning attack, unsupervised representa- tions, clustering, Speech commands, defense against attacks on speech systems

THEBAUD, T.; JOSHI, S.; LI, H.; ŠŮSTEK, M.; VILLALBA LOPEZ, J.; KHUDANPUR, S.; DEHAK, N.

16. 12. 2023

IEEE Signal Processing Society

Taipei

979-8-3503-0689-7

Proceedings of IEEE Automatic Speech Recognition and Understanding Workshop (ASRU)

1

8

8

https://ieeexplore.ieee.org/document/10389650

Clustering_Unsupervised_Representations_as_Defense_Against_Poisoning_Attacks_on_Speech_Commands_Classification_System.pdf