Zero-Query Adversarial Attack on Black-box Automatic Speech Recognition Systems

ASR systems can automatically transcribe input audio into the corresponding transcriptions. As shown in Figure 1, a typical ASR system comprises three components: pre-processing, acoustic model, and decoder.

• •

  Pre-processing.  Given an input audio with $n$ sample points, denoted as $x\in\mathbb{Z}^{n}$, an ASR system first normalizes it to the range of ${[-1,1]}^{n}$ and applies low/high-pass filters to remove frequencies and segments beyond the range of human hearing. Then, the ASR system employs time-frequency transformation techniques, such as the short-time Fourier transform (STFT), to convert the time-domain signal $x$ into the frequency domain spectrogram $S\in\mathbb{R}^{T\times F}$, where $T$ and $F$ denote the number of frames and frequency bins, respectively. In the subsequent steps, traditional ASR systems utilize acoustic feature extraction algorithms, such as mel-frequency cepstral coefficients (MFCC) (Sigurdsson et al., 2006), linear predictive coefficient (LPC) (Itakura, 1975), or perceptual linear predictive (PLP) (Hermansky, 1990), to further transform $S$ into meticulously designed acoustic features. In contrast, modern DNN-based ASR systems directly utilize $S$.

• •

  Acoustic model.  The acoustic model is typically a machine learning model that maps the spectrogram or extracted acoustic features to an intermediate representation. Traditional ASR systems use hidden Markov models (HMMs) and Gaussian mixture models (GMMs) (Gales et al., 2008; Rabiner, 1989), while modern ASR systems employ DNNs, such as convolutional neural networks (CNNs) and Transformers (Gulati et al., 2020; Li et al., 2019).

• •

  Decoder.  The decoder uses the intermediate representation to predict tokens and generate corresponding transcriptions. A token is the smallest unit of the transcription, and the set of all possible tokens constitutes a vocabulary $V$. The vocabulary $V$ varies across different ASR systems. For example, $V=\{a,b,\cdots,z,space\}$ is a simple vocabulary for an ASR system recognizing English.

Audio adversarial attacks aim to manipulate the output of ASR systems using audio adversarial examples constructed by adding imperceptible perturbations to benign carrier audios (Carlini and Wagner, 2018; Yuan et al., 2018; Zheng et al., 2021; Chen et al., 2020; Wu et al., 2023). Depending on the objective of the attack, audio adversarial attacks can be categorized into targeted and untargeted attacks.

Formally, let $f(x):x\to y$ denote an ASR system that transcribes an audio $x$ into the transcription $y=f(x)$, and let $x^{\prime}=x+\delta$ denote the adversarial example constructed by adding the adversarial perturbation $\delta$ to the carrier audio $x$. An untargeted adversarial attack aims to mislead the target ASR system, causing it to produce any result other than the ground truth, represented as $f(x^{\prime})\neq y$. In contrast, a targeted adversarial attack aims to induce the output of the target ASR system into a specific target transcription $t\neq f(x)$, which is formulated as:

where $Dis(x,x^{\prime})$ represents the distance between $x$ and $x^{\prime}$, commonly calculated using the $L_{p}$ norm, with $p$ usually being 0, 2, or $\infty$. $\epsilon$ is a hyper-parameter that constrains this distance. As targeted adversarial attacks can naturally extend to untargeted attacks, the adversarial attacks discussed in the rest of this paper will specifically refer to the targeted ones unless explicitly specified otherwise.

Typically, the generation process of adversarial examples can be formulated as an optimization problem:

where the adversarial loss $\mathcal{L}_{a}$ measures the effectiveness of $\delta$ on the target ASR system $f$, and the imperceptibility loss $\mathcal{L}_{p}$ quantifies the imperceptibility of $\delta$. The parameter $c$ acts as a weighting factor, balancing the effectiveness and imperceptibility of the attack. Gradient descent is a common method for solving this optimization problem. It can be formulated as:

where $\alpha$ represents the learning rate and $\nabla_{\delta}\mathcal{L}(x,\delta,t,f)$ is the gradient of $\mathcal{L}(x,\delta,t,f)$ with respect to $\delta$. The function $clip_{\epsilon}$ limits $Dis(x,x^{\prime})$ to a relatively small range controlled by $\epsilon$.

To launch audio adversarial attacks in the challenging zero-query black-box setting, an alternative approach is the transfer-based attack. The basic idea of transfer-based attacks is to use a local surrogate model to generate adversarial examples that are then used to attack the target black-box model. Despite the demonstrated effectiveness of transfer-based attacks in the image domain (Papernot et al., 2016; Demontis et al., 2019; Wu et al., 2018; Liu et al., 2017), achieving similar success in the audio domain remains an unresolved issue. Abdullah et al. (Abdullah et al., 2021) reveal that the transferability of audio adversarial examples among different ASR systems is exceedingly limited, even when these ASRs share the same architecture. Existing attempts to achieve this goal have only demonstrated limited transferability (Zheng et al., 2021; Qi et al., 2023). As demonstrated in prior work (Huang et al., 2019; Wu et al., 2018; Ravikumar et al., 2022), the core reason for this limitation might be that adversarial examples tend to overfit the architecture and feature representations of the specific surrogate model, resulting in limited transferability to the target models with different architecture. Unlike image recognition models, ASR systems exhibit increased complexity and greater architectural diversity, leading to greater differences between surrogate ASRs and target ASRs. Hence, generating highly transferable adversarial examples in the audio domain is more challenging.

ZQ-Attack aims to generate transferable audio adversarial examples in the zero-query black-box scenario. Formally, given a carrier audio $x$ and a target command $t$, ZQ-Attack optimizes the adversarial perturbation $\delta$ to enhance its effectiveness on various black-box target ASR systems. This optimization problem can be formulated as follows:

where $\mathbb{P}$ represents the probability, and $\mathcal{F}$ denotes the set of all black-box target ASR systems. However, since the attacker lacks internal information about the target ASR system and cannot query it, directly solving this optimization problem is challenging.

An intuitive way to solve this problem is leveraging surrogate ASRs. However, optimizing the adversarial perturbation on a single surrogate ASR may result in overfitting to that specific model. Therefore, ZQ-Attack optimizes adversarial perturbations on multiple surrogate ASRs. We denote the set of surrogate ASRs as $\mathbb{F}$. Then, the optimization problem becomes as follows:

where $\mathcal{L}_{all}$ denotes the loss on all surrogate ASRs, and the imposed constraint ensures that the optimized adversarial perturbation attains a specified level of imperceptibility.

The core idea of ZQ-Attack is to collaboratively optimize the adversarial perturbation on diverse types of surrogate ASRs. Specifically, ZQ-Attack consists of three stages: surrogate ASRs selection, perturbation initialization, and sequential ensemble optimization. The workflow is illustrated in Figure 2.

The selection of surrogate ASRs is the foundation that ensures the effectiveness of ZQ-Attack. As described in Section 3.2, the architecture of ASR systems exhibits considerable diversity. Therefore, randomly selecting surrogate ASRs may fail to cover the mainstream modern ASR systems. Hence, in this subsection, we initially provide a summary and categorization of modern ASR systems, followed by the details of surrogate ASRs selection. The illustration of this stage is shown in Figure 3.

According to our categorization, modern ASR systems can be mainly categorized into CNN-based and Transformer-based ASR systems. The CNNs excel in extracting local features but exhibit a comparatively weaker capability in capturing dynamic global contexts. Conversely, Transformers are proficient in effectively capturing global information but demonstrate a diminished ability to extract local features. To integrate the advantages of both CNN-based and Transformer-based ASR systems, the selected surrogate ASRs should encompass representatives from both categories. This ensures that the optimized adversarial perturbations can possess both locally and globally salient features, thereby enhancing their transferability to the target ASR systems. Furthermore, CNNs and Transformers represent prevalent architectures of acoustic models adopted in modern ASR systems. Therefore, we incorporate both CNN-based and Transformer-based ASRs into the surrogate ASRs to effectively cover a broad range of real-world ASR systems. Upon selecting $K$ surrogate ASRs from the local ASRs, we construct the set of these surrogate ASRs, denoted as $\mathbb{F}=[f_{j}]_{j=1}^{K}$, where $f_{j}$ represents the $j$-th surrogate ASR in $\mathbb{F}$. Since the subsequent sequential ensemble optimization algorithm optimizes the adversarial perturbation on these surrogate ASRs in a sequential manner, $\mathbb{F}$ is an ordered set. It is worth noting that the surrogate ASRs are scalable. The quantity of surrogate ASRs can be adjusted flexibly depending on the computational resources of the attackers.

The initialization of the adversarial perturbation $\delta$ may significantly impact the performance of the attack. Initializing $\delta$ from a point far from the region of the target command in the feature space can lead to a time-consuming and uncertain optimization process, and the high dimensionality of audio data further complicates the optimization. In contrast, using the target command audio directly as the initial $\delta$ may result in poor imperceptibility. To obtain an effective and relatively imperceptible initialized adversarial perturbation, we propose an adaptive search algorithm to initialize $\delta$ with a scaled target command audio, as presented in Alg. 1. This algorithm aims to minimize the scaling factor while maintaining the effectiveness of the initialized $\delta$ on all surrogate ASRs.

Specifically, we first choose an audio $x$ as the carrier audio to construct the adversarial example $x^{\prime}=x+\delta$. Following previous works (Zheng et al., 2021; Yuan et al., 2018), we opt for songs as the carrier audio. For a given target command $t$, we utilize TTS techniques to generate a corresponding target command audio $x_{t}=\mathcal{T}(t)$, where $\mathcal{T}(\cdot)$ denotes the TTS process. To alleviate the impact of varying volume levels during the perturbation initialization stage, we normalize the values of sample points in both $x$ and $x_{t}$ to the range of $[-0.5,0.5]$. Subsequently, the adaptive search algorithm searches for the smallest value of scaling factor $\mu$, and $\delta$ is initialized using the scaled target command audio $\mu\cdot x_{t}$, ensuring that the corresponding initial adversarial example is recognized by all surrogate ASRs as the target command.

Since the length of $x_{t}$ is typically shorter than that of $x$, it is necessary to pad both sides of the scaled $x_{t}$ with zeros to initialize the perturbation. We use $l_{x}$ and $l_{t}$ to denote the length of $x$ and $x_{t}$, respectively. The lengths of the padding on each side are indeterminate, provided their sum equals $l_{x}-l_{t}$. The adaptive search algorithm searches for the optimal padding lengths on each side to minimize the scaling factor as much as possible. An example of this initialization method is depicted in Figure 4. It can be seen that the adaptive search algorithm finds the padding lengths and a relatively small scaling factor.

In summary, the adaptive search algorithm initializes $\delta$ by pushing the corresponding adversarial example toward the decision boundary of all surrogate ASRs, thereby circumventing the time-consuming and uncertain initial search process. The initialized adversarial perturbation can be regarded as a coarse-grained optimized perturbation, serving as a basis for subsequent fine-grained optimization in the sequential ensemble optimization stage.

After initializing the adversarial perturbation, ZQ-Attack performs fine-grained optimization of the adversarial perturbation on surrogate ASRs. Unlike the target black-box ASR systems, where the attacker lacks knowledge of their internal architectures and parameters, the white-box surrogate ASRs provide full control to the attacker. Hence, the attacker can optimize $\delta$ using any information acquired through these surrogate ASRs.

A straightforward approach to optimizing $\delta$ on diverse surrogate ASRs is to use the weighted average of the gradients from each one. For the $j$-th surrogate ASR $f_{j}\in\mathbb{F}$, the gradient is calculated as $\nabla_{\delta}\mathcal{L}(x,\delta,t,f_{j})$, where $\mathcal{L}$ represents the loss of $\delta$ on a single surrogate ASR $f_{j}$, typically similar to Eq. (2). However, this method essentially treats each surrogate ASR independently when optimizing $\delta$. Each surrogate ASR does not interact with the others and, therefore, cannot leverage the optimization information provided by others. Moreover, this method focuses on optimizing $\delta$ in the direction most effective for a single surrogate ASR, without considering the effectiveness of $\delta$ on other surrogate ASRs.

To facilitate collaboration among these surrogate ASRs, we propose a sequential ensemble optimization algorithm, as presented in Figure 5. This algorithm iteratively optimizes the adversarial perturbation on the ordered set of surrogate ASRs $\mathbb{F}$. For each surrogate ASR, this algorithm leverages the collaborative information from the preceding surrogate ASRs in the ordered set to optimize $\delta$. In other words, the optimization process considers not only the efficacy of $\delta$ on the current surrogate ASR but also its efficacy on the preceding surrogate ASRs. Additionally, instead of directly using $\mathcal{L}$ in Eq. (2), we carefully design a novel loss function comprising three loss terms. The detailed design of the loss function is presented in Section 4.6.

Specifically, the sequential ensemble optimization algorithm comprises an outer loop and an inner loop. At each step, the algorithm first randomly shuffles $\mathbb{F}$ in the outer loop. Then, the optimization of $\delta$ on $\mathbb{F}$ takes place in the inner loop. Following the completion of the inner loop, $\delta$ is updated in the outer loop. As ZQ-Attack abstains from interacting with the target ASR systems via queries, it relies on surrogate ASRs to validate the efficacy of the generated adversarial example $x^{\prime}$. The set of valid adversarial examples, denoted as $X^{\prime}$, is initialized as $\varnothing$ at the beginning of the algorithm. At the end of each step, $x^{\prime}$ will be added to $X^{\prime}$ if it can successfully attack all surrogate ASRs.

To avoid the updated $\delta_{j}$ being perceptible enough to the human ear, we use a clip** algorithm to restrict the updated $\delta_{j}$ within a limited range. Instead of using the $L_{p}$ norm-based clip** algorithm employed in previous work (Zheng et al., 2021; Chen et al., 2020), we utilize an adaptive clip** algorithm based on psychoacoustics (Gelfand, 2017). To be specific, this algorithm is grounded in temporal masking, a phenomenon where the presence of louder components can influence the perception of quieter components when two sounds with different loudness levels are heard by the human ear. This algorithm constrains $\delta$ within a range proportional to the carrier audio, permitting larger perturbations in louder segments of the carrier while maintaining smaller perturbations in quieter areas, thereby reducing the perceptibility of the perturbation. This clip** algorithm can be represented as follows:

It is noteworthy that the clip** is performed element-wise in the perturbation. After applying the adaptive clip** algorithm, the adversarial perturbation will be bounded as $\delta_{j}=clip_{\epsilon}(\delta_{j},x)$.

The comprehensive details of the sequential ensemble optimization algorithm are presented in Alg. 2.

We design a novel loss $\mathcal{L}$ for optimizing the adversarial perturbations. It comprises three terms: the adversarial loss $\mathcal{L}_{a}$, the imperceptibility loss $\mathcal{L}_{p}$, and the acoustic feature loss $\mathcal{L}_{f}$. The loss $\mathcal{L}$ can be written as follows:

where $c_{1}$ and $c_{2}$ serve as weighting factors to balance the relative importance of different loss terms, ensuring a trade-off between the effectiveness and imperceptibility of $\delta$.

In this section, we evaluate the performance of ZQ-Attack in both over-the-line and over-the-air settings. In the over-the-line setting, the audio adversarial examples are transmitted directly to the target ASR systems as waveform audio files. In the over-the-air setting, we utilize a speaker positioned near the target devices (e.g., 10 cm) to play the audio adversarial examples in a quiet office environment (e.g., 35dB).

We summarize and categorize these target systems in Table 2.

We use the success rate of attack (SRoA) as the metric of attack effectiveness. SRoA is calculated by dividing the number of successfully attacked commands by the total number of commands (i.e., 10). For each target command, if we can generate at least one adversarial example that effectively attacks the target ASR system, we consider the attack on that command as successful. Note that the adversarial example is considered effective only when its transcription matches exactly the target command. Any word errors are regarded as a failure, with case sensitivity being disregarded.

To evaluate the imperceptibility of the adversarial examples, we choose signal-to-noise ratio (SNR) as the metric. SNR is defined as the ratio of the power of a signal (i.e., the carrier audio $x$) to the power of a noise (i.e., the adversarial perturbation $\delta$) in the logarithm scale, and a higher SNR indicates better imperceptibility. The specific calculation method is shown as follows:

In the over-the-line setting, the results of ZQ-Attack and baseline methods on online speech recognition services are shown in Table 3. ZQ-Attack successfully generates audio adversarial examples for all target commands on four online speech recognition services, achieving an average SRoA of 100% and an average SNR of 21.91dB.

For baseline methods, the adversarial examples generated by Carlini et al. (Carlini and Wagner, 2018) fail to successfully attack any online speech recognition services, as this method is tailored for the white-box setting. Compared to Occam, ZQ-Attack achieves comparable effectiveness and better imperceptibility without any queries. While KENKU still necessitates a small number of queries to search for appropriate hyperparameters tailored to a specific target ASR system, ZQ-Attack attains superior effectiveness and imperceptibility without any queries. Note that KENKU fails to successfully attack Alibaba in our evaluation. We speculate that this could be attributed to updates made by Alibaba to its ASR system.

In the over-the-air setting, we generate 10 audio adversarial examples for each target command. Each adversarial example is played up to three times. We consider that the attack on a command is successful if at least one adversarial example is effective.

The results of ZQ-Attack and baseline methods on commercial IVC devices are presented in Table 4. ZQ-Attack successfully generates audio adversarial examples for all target commands on two commercial IVC devices, achieving an SRoA of 100$\%$ with an average SNR of 15.77dB. Additionally, an average of 6.6 adversarial examples for each command are effective.

In comparison, the SRoA of ZQ-Attack surpasses KENKU and NI-Occam by 20% and 55%. Concurrently, adversarial examples generated by ZQ-Attack exhibit better imperceptibility, with SNR values exceeding those of KENKU and NI-Occam by 3.05dB and 7.39dB, respectively.

To demonstrate the high transferability of audio adversarial examples generated by ZQ-Attack, we additionally evaluate ZQ-Attack on 16 open-source ASR systems. The evaluation results are shown in Table 5. ZQ-Attack successfully generates audio adversarial examples on all 16 open-source ASRs, achieving an average SRoA of 100% and an average SNR of 19.67dB. These results show that the audio adversarial examples generated by ZQ-Attack exhibit high transferability, successfully attacking the target open-source ASRs.

Additionally, we observe a potential positive correlation between the recognition performance of open-source ASRs and the success rate of transfer attacks. We speculate that this phenomenon arises due to the better feature extraction capabilities of a more powerful ASR system, facilitating the capture of subtle adversarial perturbations. The detailed evaluation results and analysis of the correlation can be found in Appendix C

ZQ-Attack optimizes the adversarial perturbation on an ordered set of $K$ surrogate ASRs. To investigate the impact of surrogate ASRs to the performance of ZQ-Attack, we conduct experiments with various values of $K$. Specifically, we set $K$ to 1, 2, and 4, respectively. In the cases with only one surrogate ASR, we conduct experiments with four configurations: ContextNet, Citrinet, Conformer-CTC, and Conformer-Transducer (i.e., selecting one from the four available ASRs). In the cases with two surrogate ASRs, six configurations (i.e., combination of two from the four available ASRs) are explored. Subsequently, we compute the average SRoA and SNR for the three groups of experiments. In these experiments, we choose one carrier audio and generate audio adversarial examples for 10 target commands.

The results are presented in Figure 6. It can be observed that with an increase in $K$, both SRoA and SNR exhibit an increasing trend. For instance, when $K$ is 1, 2, and 4, the average SRoA is 81.25%, 98.75%, and 100%, respectively. The average SNR for the case involving 4 surrogate ASRs surpasses that of the case with 2 surrogate ASRs by 2.98dB and exceeds the SNR of the case with only 1 surrogate ASR by 5.35dB. Additionally, it can also be observed that ZQ-Attack successfully performs attacks for most target commands when using 2 surrogate ASRs. Thus, when computational resources are constrained, and there is a more relaxed requirement for the imperceptibility and effectiveness of the attack, a smaller $K$ can be chosen. Conversely, a larger $K$ can be used. In the cases with four surrogate ASRs, ZQ-Attack can complete a generation process in approximately 10 minutes using only one NVIDIA 3080Ti GPU.

In this section, we recruit human participants to analyze the imperceptibility of the audio adversarial examples and conduct a comparative analysis between ZQ-Attack and the baseline methods (i.e., Occam, and KENKU). This study is carefully designed to mitigate any conceivable risks (psychological, legal, etc.) to the participants, and it is approved by the institutional review board (IRB). The target commands are common household phrases (e.g., “call my wife”) to minimize discomfort and the audio volume is normalized to maintain it below a safe threshold, preventing any risk of hearing damage. Besides, our study does not collect any private information from the participants, and all data will be deleted upon the completion of the study.

Our test audios comprise both normal audios and audio adversarial examples. The normal audios consist of 10 songs, and the audio adversarial examples include 10 instances from each method. In the user study, each participant listens to all test audios. Following the first listening, participants are provided with three choices: “normal audio”, “noisy audio”, and “audio with background speech”. In cases where participants select the “audio with background speech” option, they are required to provide the content of the perceived speech, followed by a second round of listening and transcription of the same test audio. Specifically, participants first listen to the test audios through speakers (e.g., MacBook Pro Speaker). Then, to eliminate environmental interference, participants listen to the audios again through noise-canceling headphones (e.g., Sony WH-1000XM5).

We gather data from a total of 38 participants, consisting of 20 males and 18 females. Among this group, 10 participants are below the age of 22, 18 participants are aged 22 to 24, and 10 participants are 25 or older. All participants are proficient in both spoken and written English, hold at least a bachelor’s degree, and have normal hearing. The results are presented in Table 6. When using the speaker as the audio device, 13.16% of participants select our adversarial examples as “normal audio”, while 71.58% of participants select them as “noisy audio”. Although 15.26% of participants select our adversarial examples as “audio with background speech,” only 3.68% of commands are recognized even after a second round of listening and transcription. In a more challenging configuration that uses headphones to play the audios, only 22.63% of the commands are recognized even after a second round of listening and transcription. Additionally, for the audios played using speakers and headphones, the average word error rate (WER) between user recognition results and the actual target commands is 94.47% and 72.41%, respectively. Compared with other methods, ZQ-Attack attains superior imperceptibility.

Furthermore, we observed that the imperceptibility of different target commands varies. The command open the door is the most easily perceived, while send a text is the hardest to perceive. This disparity may be attributed to the varying phonemes in different command audios, with vowel phonemes containing more energy and thus being more easily audible (Guo et al., 2022; Yu et al., 2023).

To thoroughly evaluate the effectiveness of ZQ-Attack, we conduct experiments using a larger command set. This set includes a total of 20 commands: ask me a question, clear notification, close the shades find a hotel, good morning, I have a secret to tell you, I need help, open the box, read a book, record a video, reset password, show me my message, show me the money, start recording, tell me a story, turn off the fan, turn on the TV, watch TV, what time is it where is my car.

We choose a carrier audio and generate audio adversarial examples for each of these target commands. As illustrated in Table 7, ZQ-Attack can generate effective audio adversarial examples for each target command in this set, achieving an average SRoA of 100%. On Azure, Tencent, Alibaba, and OpenAI, ZQ-Attack attains average SNR values of 24.75dB, 23.99dB, 22.35dB, and 26.45dB, respectively.

Whisper (OpenAI, 2023a) is a popular ASR system trained on a diverse audio dataset comprising 680,000 hours of audio, achieving state-of-the-art multilingual recognition performance. Evaluating ZQ-Attack on Whisper can more comprehensively demonstrate its effectiveness on state-of-the-art ASR systems. Since the models of Whisper come in diverse sizes, we also conduct experiments on these various models. In Section 5.5, we evaluate ZQ-Attack utilizing the base, small, medium, and large models as open-source ASRs. As the OpenAI API employs the large-v2 model, we have evaluated the performance of ZQ-Attack on the large-v2 model in Section 5.3.

Recently, OpenAI introduced the latest large-v3 model (OpenAI, 2023b), which surpasses the performance of the large-v2 model. We have also evaluated ZQ-Attack on the latest model. As indicated in Table 8, ZQ-Attack can successfully generate effective adversarial examples for all 10 target commands, achieving an average SNR of 23.49dB. These results demonstrate the capability of ZQ-Attack to generate effective and imperceptible audio adversarial examples on the most advanced ASR systems.

We evaluate ZQ-Attack with several state-of-the-art defense methods against audio adversarial attacks, including local smoothing, downsampling, temporal dependency (Yang et al., 2019), and MVP-EARS (Zeng et al., 2019). The results are presented in Table 9.

To evaluate the robustness of ZQ-Attack against MVP-EARS, we set $m$ to 2, 3, and 4, where $m$ is the number of ASR systems used. The results in Table 9 show that the audio adversarial examples generated by ZQ-Attack exhibit good robustness to MVP-EARS, with all target commands successfully attacked under different settings. This is attributed to the fact that ZQ-Attack does not generate audio adversarial examples customized for a specific ASR but crafts transferable adversarial examples on diverse surrogate ASRs.

While ZQ-Attack leverages diverse surrogate ASRs to achieve transferable audio adversarial attacks in the zero-query black-box setting, it incurs a higher computation cost (e.g., GPU memory). However, considering that the audio adversarial examples generated by ZQ-Attack are effective on multiple ASR systems and save the cost of queries, we consider that the additional cost is acceptable. Another limitation is that although the audio adversarial examples generated by ZQ-Attack exhibit better imperceptibility compared to prior work in the over-the-air setting, they may still be detected by humans. We leave enhancing the imperceptibility of audio adversarial examples in the over-the-air setting for future work.