Generating Watermarked Speech Adversarial Examples

Abstract

Increasing methods use deep learning for auto-generating speech adversarial examples that can easily lead speech recognition systems to make incorrect predictions. It is necessary to prevent the speech adversarial example generation model from being abused by any unauthorized users. It implies that, both the model and the adversarial examples generated by the model should be protected and monitored. One may build a complex access protocol to avoid the model leakage, which, however, has limited control when the model was obtained by authorized users. To deal with this problem, in this paper, we propose a method to mark the speech adversarial example generation model by optimizing a combined loss function allowing a watermark to be embedded into the generated adversarial examples. Accordingly, the resultant model not only generates speech adversarial examples that can fool the target model, but also allows us to identify the ownership by detecting watermarks from outputs. Moreover, by retrieving the watermark from an unknown speech signal, we can judge whether the speech signal is an adversarial example generated by a specific model. We have proved through experiments that the speech adversarial example generation model optimized with the proposed method can effectively deceive the state-of-the-art speech classification network and trace the source of the generated adversarial examples.