Black Box Attack on Speech Commands Classification Model

2021 
The field of Adversarial Machine Learning (AML) has emerged due to the rapid development of the machine learning field. The goal of an adversarial attack is to fool a machine learning model into giving false or manipulated results. In today’s world, speech is no longer limited to humans; machines also capture and process it. Nowadays, machines can "speak" and "hear" human languages. Quite a number of researchers are working to enable human-machine interaction using various deep learning techniques. Recently, AML researchers have demonstrated effective attacks against clean machine learning models. However, much of the research is still focused on deceiving image recognition models. Research on fooling speech recognition models is in its infancy. In this paper, we present a novel application of a targeted black-box adversarial attack on a speech classification model. The attack uses the SimBA (Simple Black-box Attack) algorithm, which adds perturbations to the audio sample in randomly chosen orthonormal directions and queries the model for the probability of the sample being misclassified as the targeted class. The resulting adversarial example sounds the same as the original speech command even after the attacker noise is added. We demonstrate that the algorithm is 90% successful in classifying a speech command as its antonym.