TY - JOUR
T1 - Towards query-efficient adversarial attacks against automatic speech recognition systems
AU - Wang, Qian
AU - Zheng, Baolin
AU - Li, Qi
AU - Shen, Chao
AU - Ba, Zhongjie
N1 - Publisher Copyright:
© 2005-2012 IEEE.
PY - 2021
Y1 - 2021
N2 - Adversarial attacks, which attract explosive research attention in recent years, have achieved fantastic success in fooling neural networks, especially for image-classification tasks. While for automatic speech recognition (ASR) tasks, the state-of-the-art methods mainly focus on white-box attacks where the adversary is assumed to get full access to the details inside the system, e.g., network architecture, weights, etc. However, this assumption does not hold in practice. The construction of real-world adversarial examples against ASR systems is still a very challenging problem. In this paper, we, for the first time, present a novel and effective attack on ASR systems, named Selective Gradient Estimation Attack (SGEA). Compared with prior literature, SGEA only needs limited access to the output probabilities of neural networks, and achieves extremely high efficiency and success rates. We attacked the DeepSpeech system on Mozilla Common Voice and LibriSpeech datasets in our experiments. The results demonstrate that SGEA improves the attack success rate from 35% to 98%, while reducing the number of queries by 66%.
AB - Adversarial attacks, which attract explosive research attention in recent years, have achieved fantastic success in fooling neural networks, especially for image-classification tasks. While for automatic speech recognition (ASR) tasks, the state-of-the-art methods mainly focus on white-box attacks where the adversary is assumed to get full access to the details inside the system, e.g., network architecture, weights, etc. However, this assumption does not hold in practice. The construction of real-world adversarial examples against ASR systems is still a very challenging problem. In this paper, we, for the first time, present a novel and effective attack on ASR systems, named Selective Gradient Estimation Attack (SGEA). Compared with prior literature, SGEA only needs limited access to the output probabilities of neural networks, and achieves extremely high efficiency and success rates. We attacked the DeepSpeech system on Mozilla Common Voice and LibriSpeech datasets in our experiments. The results demonstrate that SGEA improves the attack success rate from 35% to 98%, while reducing the number of queries by 66%.
KW - adversarial attack
KW - gradient estimation
KW - neural network
KW - Speech recognition
UR - https://www.scopus.com/pages/publications/85091910268
U2 - 10.1109/TIFS.2020.3026543
DO - 10.1109/TIFS.2020.3026543
M3 - Article
AN - SCOPUS:85091910268
SN - 1556-6013
VL - 16
SP - 896
EP - 908
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
M1 - 9205635
ER -