The paper introduces a novel Clean-Referenced Feature-Vocoder Attack, a black-box adversarial attack that perturbs high-level SSL feature representations instead of raw audio waveforms, achieving superior transferability and robustness against modern ASR defenses.
Automatic speech recognition (ASR) systems have become widely used for multilingual speech-to-text transcription. Their robustness to adversarial attacks has become an important topic for the community. Existing adversarial attacks directly add adversarial noise to the speech audio. However, prior work has shown that existing adversarial attacks face two limitations: they often transfer poorly to black-box ASR systems and are increasingly mitigated by defenses tailored to input-space perturbations. In this work, we propose a Clean-Referenced Feature-Vocoder Attack, a surrogate-based black-box attack that moves the adversarial search space from raw waveforms to self-supervised learning (SSL) representations. To address the transferability limitation, we perturb more generalizable acoustic-phonetic representations rather than low-level waveform samples, reducing dependence on surrogate-specific waveform gradients and encouraging adversarial perturbations that generalize across ASR systems. To bypass different defenses, we shift the adversarial signal from explicit additive waveform noise to SSL feature-space perturbations and reconstruct them through a vocoder into speech-like waveform adversarial signals, making the resulting samples less aligned with waveform-bounded defenses. Extensive experiments show that, when optimized only on raw Whisper-small as a public surrogate model, our attack transfers effectively to black-box ASR models with a +26.6 WER improvement over the SOTA baseline, while also remaining effective against multiple training defenses with a +36.2 WER improvement. These results reveal a blind spot in current ASR robustness evaluation.