Clean-label backdoor attack based on robust feature attenuation for speech recognition

Deep neural networks (DNNs) have been extensively and successfully applied in various speech recognition. Recent studies reveal that this type of model is susceptible to backdoor attacks, where adversaries can introduce malicious backdoors during the training phase of the victim's model. This paper focuses on poison-only backdoor attacks against speech recognition models. We identify that existing methods are not stealthy and perform inadequately in clean-label scenarios due to simplistic triggers, such as basic noise or conspicuous clips, which lack robust features. To address this, we propose the design of robust unnoticeable triggers by leveraging the structural features of the DNN model. Our approach involves attenuating robust features in the samples and creating triggers that integrate well with the DNN's structure, thus enhancing trigger effectiveness in clean-label situations. We ensure that our triggers are subtle by limiting their intensity and scope, thereby making our strategy stealthier. We have conducted extensive experiments on benchmark datasets, confirming our method's high efficacy in various scenarios, including fine-tuning, pruning, STRIP, spectral signatures, physical, and cross-model conditions, with an attack success rate of over 90% while remaining largely undetected. This research aims to raise awareness among researchers and developers about this potential threat and encourage the development of effective countermeasures. The code for reproducing main experiments is available at https://github.com/HanboCai/RFA-TUAP.