|
| 1 | +# MIT License |
| 2 | +# |
| 3 | +# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2020 |
| 4 | +# |
| 5 | +# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated |
| 6 | +# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the |
| 7 | +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit |
| 8 | +# persons to whom the Software is furnished to do so, subject to the following conditions: |
| 9 | +# |
| 10 | +# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the |
| 11 | +# Software. |
| 12 | +# |
| 13 | +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE |
| 14 | +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 15 | +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
| 16 | +# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 17 | +# SOFTWARE. |
| 18 | +""" |
| 19 | +This module implements the audio adversarial attack on automatic speech recognition systems of Carlini and Wagner |
| 20 | +(2018). It generates an adversarial audio example. |
| 21 | +
|
| 22 | +| Paper link: https://arxiv.org/abs/1801.01944 |
| 23 | +""" |
| 24 | +from __future__ import absolute_import, division, print_function, unicode_literals |
| 25 | + |
| 26 | +import logging |
| 27 | +from typing import TYPE_CHECKING |
| 28 | + |
| 29 | +from art.attacks.attack import EvasionAttack |
| 30 | +from art.attacks.evasion.imperceptible_asr.imperceptible_asr import ImperceptibleASR |
| 31 | + |
| 32 | +if TYPE_CHECKING: |
| 33 | + from art.utils import SPEECH_RECOGNIZER_TYPE |
| 34 | + |
| 35 | +logger = logging.getLogger(__name__) |
| 36 | + |
| 37 | + |
| 38 | +class CarliniWagnerASR(ImperceptibleASR): |
| 39 | + """ |
| 40 | + Implementation of the Carlini and Wagner audio adversarial attack against a speech recognition model. |
| 41 | +
|
| 42 | + | Paper link: https://arxiv.org/abs/1801.01944 |
| 43 | + """ |
| 44 | + |
| 45 | + attack_params = EvasionAttack.attack_params + [ |
| 46 | + "eps", |
| 47 | + "learning_rate", |
| 48 | + "max_iter", |
| 49 | + "batch_size", |
| 50 | + ] |
| 51 | + |
| 52 | + def __init__( |
| 53 | + self, |
| 54 | + estimator: "SPEECH_RECOGNIZER_TYPE", |
| 55 | + eps: float = 2000.0, |
| 56 | + learning_rate: float = 100.0, |
| 57 | + max_iter: int = 1000, |
| 58 | + batch_size: int = 16, |
| 59 | + ): |
| 60 | + """ |
| 61 | + Create an instance of the :class:`.CarliniWagnerASR`. |
| 62 | +
|
| 63 | + :param estimator: A trained speech recognition estimator. |
| 64 | + :param eps: Initial max norm bound for adversarial perturbation. |
| 65 | + :param learning_rate: Learning rate of attack. |
| 66 | + :param max_iter: Number of iterations. |
| 67 | + :param batch_size: Batch size. |
| 68 | + """ |
| 69 | + # pylint: disable=W0231 |
| 70 | + |
| 71 | + # re-implement init such that inherrited methods work |
| 72 | + EvasionAttack.__init__(self, estimator=estimator) # pylint: disable=W0233 |
| 73 | + self.masker = None |
| 74 | + self.eps = eps |
| 75 | + self.learning_rate_1 = learning_rate |
| 76 | + self.max_iter_1 = max_iter |
| 77 | + self.max_iter_2 = 0 |
| 78 | + self._targeted = True |
| 79 | + self.batch_size = batch_size |
| 80 | + |
| 81 | + # set remaining stage 2 params to some random values |
| 82 | + self.alpha = 0.1 |
| 83 | + self.learning_rate_2 = 0.1 |
| 84 | + |
| 85 | + self._check_params() |
0 commit comments