Publication Details
Clustering Unsupervised Representations as Defense against Poisoning Attacks on Speech Commands Classification System
JOSHI, S.
LI, H.
Šůstek Martin, Ing. (DCGM)
VILLALBA LOPEZ, J.
Khudanpur Sanjeev
Dehak Najim
poisoning attack, unsupervised representa- tions, clustering, Speech commands, defense against attacks on speech systems
Poisoning attacks entail attackers intentionally tampering with training data. In this paper, we consider a dirty-label poisoning attack scenario on a speech commands classification system. The threat model assumes that certain utterances from one of the classes (source class) are poisoned by superimposing a trigger on it, and its label is changed to another class selected by the attacker (target class). We propose a filtering defense against such an attack. First, we use DIstillation with NO labels (DINO) to learn unsupervised representations for all the training examples. Next, we use K-means and LDA to cluster these representations. Finally, we keep the utterances with the most repeated label in their cluster for training and discard the rest. For a 10% poisoned source class, we demonstrate a drop in attack success rate from 99.75% to 0.25%. We test our defense against a variety of threat models, including different target and source classes, as well as trigger variations.
@inproceedings{BUT187976,
author="THEBAUD, T. and JOSHI, S. and LI, H. and ŠŮSTEK, M. and VILLALBA LOPEZ, J. and KHUDANPUR, S. and DEHAK, N.",
title="Clustering Unsupervised Representations as Defense against Poisoning Attacks on Speech Commands Classification System",
booktitle="Proceedings of IEEE Automatic Speech Recognition and Understanding Workshop (ASRU)",
year="2023",
pages="1--8",
publisher="IEEE Signal Processing Society",
address="Taipei",
doi="10.1109/ASRU57964.2023.10389650",
isbn="979-8-3503-0689-7",
url="https://ieeexplore.ieee.org/document/10389650"
}