-
Reducing audio membership inference attack accuracy to chance: 4 defenses
Authors:
Michael Lomnitz,
Nina Lopatina,
Paul Gamble,
Zigfried Hampel-Arias,
Lucas Tindall,
Felipe A. Mejia,
Maria Alejandra Barrios
Abstract:
It is critical to understand the privacy and robustness vulnerabilities of machine learning models, as their implementation expands in scope. In membership inference attacks, adversaries can determine whether a particular set of data was used in training, putting the privacy of the data at risk. Existing work has mostly focused on image-related tasks; we generalize this type of attack to speaker identification on audio samples. We demonstrate attack precision of 85.9% and recall of 90.8% for LibriSpeech, and 78.3% precision and 90.7% recall for VOiCES (Voices Obscured in Complex Environmental Settings). We find that implementing defenses such as prediction obfuscation, defensive distillation or adversarial training can reduce attack accuracy to chance.
Submitted 31 October, 2019;
originally announced November 2019.
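The abstract above names the attack (membership inference from a model's prediction vector) and one defense (prediction obfuscation) without showing the mechanics. The following is an added example, not code from the paper or its authors: a toy speaker-identification model whose outputs are constructed here to overfit, a confidence-threshold membership inference attack run against it, and the same attack run against a label-only (obfuscated) output. The model, the two-dimensional "embeddings", the speaker names and the attack threshold are all assumptions made for illustration; the real attack in the paper uses shadow models and audio features, and the numbers here are not the paper's.

```python
"""Confidence-threshold membership inference against a toy speaker-ID model,
and prediction obfuscation (label-only output) as the defence.

Added example; the model, embeddings and threshold are constructed here and are
not from the paper.
"""
import math
from typing import Callable, Dict, List, Sequence, Tuple

Vec = Sequence[float]

# Constructed speaker "embeddings" (2-D so the numbers can be checked by hand).
# TRAIN is what the model memorised; HELD_OUT are utterances of the same
# speakers the model never saw (the non-members an attacker wants to tell apart).
TRAIN: List[Tuple[Vec, str]] = [
    ((0.0, 0.0), "alice"), ((2.0, 0.5), "alice"),
    ((10.0, 0.0), "bob"), ((12.0, 0.5), "bob"),
]
HELD_OUT: List[Tuple[Vec, str]] = [
    ((1.0, 0.25), "alice"), ((-0.7, 0.2), "alice"),
    ((11.0, 0.25), "bob"), ((9.3, 0.2), "bob"),
]

SPEAKERS = ("alice", "bob")
UNKNOWN = "unknown"      # out-of-set output, as speaker-ID systems commonly have
BANDWIDTH = 0.5          # kernel width; small => the model sits on narrow peaks
UNKNOWN_MASS = 0.2       # flat score of the out-of-set class (assumed constant)


def _kernel(a: Vec, b: Vec) -> float:
    d2 = sum((x - y) ** 2 for x, y in zip(a, b))
    return math.exp(-d2 / (2 * BANDWIDTH ** 2))


def predict_proba(x: Vec) -> Dict[str, float]:
    """Kernel-density speaker classifier with an 'unknown' class.

    Every training utterance adds a Gaussian bump to its speaker's score. With a
    narrow bandwidth the bump at a training point dominates, so a member gets
    almost all the mass; a new utterance of the same speaker lands between
    bumps and leaks mass to 'unknown'. That confidence gap is the signal a
    membership inference attack exploits.
    """
    scores = {s: 0.0 for s in SPEAKERS}
    for emb, spk in TRAIN:
        scores[spk] += _kernel(x, emb)
    scores[UNKNOWN] = UNKNOWN_MASS
    total = sum(scores.values())
    return {k: v / total for k, v in scores.items()}


def predict_label_only(x: Vec) -> Dict[str, float]:
    """Prediction obfuscation: expose only the top-1 label as a one-hot vector.

    The service still answers "who is speaking"; the confidences that separate
    members from non-members are withheld.
    """
    probs = predict_proba(x)
    top = max(probs, key=probs.get)
    return {k: (1.0 if k == top else 0.0) for k in probs}


# Threshold picked for the constructed data above; a real attacker calibrates
# it on shadow models trained to mimic the target.
ATTACK_THRESHOLD = 0.75


def infer_membership(probs: Dict[str, float],
                     threshold: float = ATTACK_THRESHOLD) -> bool:
    """Confidence-threshold attack: high top-1 confidence => 'was in training'."""
    return max(probs.values()) >= threshold


def evaluate_attack(query: Callable[[Vec], Dict[str, float]]) -> Dict[str, float]:
    """Score the attack against a model query function using ground-truth membership."""
    tp = fp = fn = tn = 0
    for emb, _ in TRAIN:
        if infer_membership(query(emb)):
            tp += 1
        else:
            fn += 1
    for emb, _ in HELD_OUT:
        if infer_membership(query(emb)):
            fp += 1
        else:
            tn += 1
    n = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / n,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def top1_accuracy(query: Callable[[Vec], Dict[str, float]]) -> float:
    """Utility check: fraction of held-out utterances whose top-1 label is right."""
    hits = sum(max(query(e), key=query(e).get) == spk for e, spk in HELD_OUT)
    return hits / len(HELD_OUT)


if __name__ == "__main__":
    print("raw softmax :", evaluate_attack(predict_proba))
    print("label only  :", evaluate_attack(predict_label_only),
          "top-1 acc", top1_accuracy(predict_label_only))
```

With the raw prediction vector the threshold attack separates members from non-members completely on this constructed data; with label-only output every query looks identical to the attacker, so the rule fires on everything and accuracy falls to chance (0.5) while the model's top-1 labels on held-out data are unchanged. Note the recall stays at 1.0 in the obfuscated case: reporting recall without precision or accuracy, as the abstract's numbers implicitly warn, says nothing about whether an attack is actually distinguishing members.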
-
Robust or Private? Adversarial Training Makes Models More Vulnerable to Privacy Attacks
Authors:
Felipe A. Mejia,
Paul Gamble,
Zigfried Hampel-Arias,
Michael Lomnitz,
Nina Lopatina,
Lucas Tindall,
Maria Alejandra Barrios
Abstract:
Adversarial training was introduced as a way to improve the robustness of deep learning models to adversarial attacks. This training method improves robustness against adversarial attacks but increases the model's vulnerability to privacy attacks. In this work we demonstrate how model inversion attacks, which extract training data directly from the model and were previously thought to be intractable, become feasible when attacking a robustly trained model. The input space of a traditionally trained model is dominated by adversarial examples, data points that strongly activate a certain class but lack semantic meaning, which makes it difficult to successfully conduct model inversion attacks. We demonstrate this effect on the CIFAR-10 dataset under three different model inversion attacks: a vanilla gradient descent method, a gradient-based method at different scales, and a generative adversarial network based attack.
Submitted 14 June, 2019;
originally announced June 2019.
-
The VOiCES from a Distance Challenge 2019 Evaluation Plan
Authors:
Mahesh Kumar Nandwana,
Julien van Hout,
Mitchell McLaren,
Colleen Richey,
Aaron Lawson,
Maria Alejandra Barrios
Abstract:
The "VOiCES from a Distance Challenge 2019" is designed to foster research in the area of speaker recognition and automatic speech recognition (ASR) with a special focus on single-channel distant/far-field audio under noisy conditions. The main objectives of this challenge are to: (i) benchmark state-of-the-art technology in the area of speaker recognition and automatic speech recognition (ASR), (ii) support the development of new ideas and technologies in speaker recognition and ASR, (iii) support new research groups entering the field of distant/far-field speech processing, and (iv) provide a new, publicly available dataset to the community that exhibits realistic distance characteristics.
Submitted 27 February, 2019;
originally announced February 2019.
-
Voices Obscured in Complex Environmental Settings (VOICES) corpus
Authors:
Colleen Richey,
Maria A. Barrios,
Zeb Armstrong,
Chris Bartels,
Horacio Franco,
Martin Graciarena,
Aaron Lawson,
Mahesh Kumar Nandwana,
Allen Stauffer,
Julien van Hout,
Paul Gamble,
Jeff Hetherly,
Cory Stephenson,
Karl Ni
Abstract:
This paper introduces the Voices Obscured In Complex Environmental Settings (VOICES) corpus, a freely available dataset under Creative Commons BY 4.0. This dataset will promote speech and signal processing research on speech recorded by far-field microphones in noisy room conditions. Publicly available speech corpora are mostly composed of isolated speech at close-range microphony. A typical approach to better represent realistic scenarios is to convolve clean speech with noise and a simulated room response for model training. Despite these efforts, model performance degrades when tested against uncurated speech in natural conditions. For this corpus, audio was recorded in furnished rooms with background noise played in conjunction with foreground speech selected from the LibriSpeech corpus. Multiple sessions were recorded in each room to accommodate all foreground speech-background noise combinations. Audio was recorded using twelve microphones placed throughout the room, resulting in 120 hours of audio per microphone. This work is a multi-organizational effort led by SRI International and Lab41 with the intent to push forward state-of-the-art distant microphone approaches in signal processing and speech recognition.
Submitted 15 May, 2018; v1 submitted 13 April, 2018;
originally announced April 2018.