Create AudioDynamicTrigger #2328

Open
wants to merge 4 commits into
base: dev_1.18.0

@OrsonTyphanel93 OrsonTyphanel93 commented Nov 15, 2023

Description: Dynamic stacking of triggers:

https://github.com/OrsonTyphanel93/adversarial-robustness-toolbox/blob/dev_1.14.0/Update_ART_dynamic_backdoor_attacks_trigger_stacking_(_Audio).ipynb

"DynamicTrigger" exploits a "trigger stacking" technique combining numerous triggers to make detection more difficult. The model can learn to correlate the combined trigger with the desired output by stacking triggers. This means that even if the input has only one trigger, the model can anticipate the expected result. As a result, the model has the ability to generate identical samples with similar class titles, or to assign the label designated by the attacker for each sample, depending on its objectives.

This code is designed to use the DynamicTrigger class to create a dynamic backdoor attack by generating a trigger and inserting it into an audio signal. If the generate_dynamic_trigger function correctly returns an instance of the DynamicTrigger class, then the attack works.

Test Configuration:

  • OS
  • Python version
  • ART version or commit number
  • TensorFlow / Keras / PyTorch / MXNet version

@beat-buesser
Collaborator

Hi @OrsonTyphanel93 Thank you very much for your pull request! Could you please change the target branch to one of the dev branches?

@codecov-commenter

codecov-commenter commented Nov 30, 2023

Codecov Report

Attention: 29 lines in your changes are missing coverage. Please review.

Comparison is base (435d4b8) 85.62% compared to head (8b362a0) 70.70%.
Report is 37 commits behind head on dev_1.18.0.

Additional details and impacted files

@@               Coverage Diff               @@
##           dev_1.18.0    #2328       +/-   ##
===============================================
- Coverage       85.62%   70.70%   -14.93%     
===============================================
  Files             324      324               
  Lines           29323    29331        +8     
  Branches         5405     5028      -377     
===============================================
- Hits            25108    20738     -4370     
- Misses           2837     7446     +4609     
+ Partials         1378     1147      -231     
Files Coverage Δ
...asion/adversarial_patch/adversarial_patch_numpy.py 9.58% <ø> (-64.68%) ⬇️
art/attacks/evasion/boundary.py 92.72% <100.00%> (-1.22%) ⬇️
art/attacks/evasion/brendel_bethge.py 78.57% <100.00%> (-8.45%) ⬇️
art/attacks/evasion/carlini.py 7.55% <ø> (-86.74%) ⬇️
art/attacks/evasion/dpatch.py 91.25% <ø> (ø)
art/attacks/evasion/dpatch_robust.py 83.46% <100.00%> (ø)
art/attacks/evasion/fast_gradient.py 84.05% <100.00%> (ø)
art/attacks/evasion/hop_skip_jump.py 65.17% <100.00%> (-31.35%) ⬇️
...cks/evasion/imperceptible_asr/imperceptible_asr.py 84.59% <100.00%> (-5.75%) ⬇️
art/attacks/evasion/lowprofool.py 90.44% <100.00%> (+0.07%) ⬆️
... and 51 more

... and 59 files with indirect coverage changes

@beat-buesser beat-buesser self-requested a review December 13, 2023 13:52
@beat-buesser beat-buesser self-assigned this Dec 13, 2023
@OrsonTyphanel93
Author

OrsonTyphanel93 commented Dec 18, 2023

import numpy as np
from sklearn.preprocessing import QuantileTransformer
from tensorflow.keras.layers import Input, Dense
from tensorflow.keras.models import Model

def anonymize_speaker(self, spectrogram, noise_std=0.1):
    # spectrogram is expected as a 2-D array of shape (n_frames, n_features)

    # Create a model for differentially private feature extraction
    input_layer = Input(shape=(spectrogram.shape[1],))
    hidden_layer = Dense(128, activation='relu')(input_layer)
    output_layer = Dense(spectrogram.shape[1])(hidden_layer)
    autoencoder = Model(input_layer, output_layer)
    autoencoder.compile(optimizer='adam', loss='mean_squared_error')

    # Train the autoencoder with noise layers
    noisy_spectrogram = spectrogram + np.random.normal(0, noise_std, spectrogram.shape)
    autoencoder.fit(noisy_spectrogram, spectrogram, epochs=10, batch_size=32)

    # Use the autoencoder to extract features from the spectrogram
    features = autoencoder.predict(spectrogram)

    # Apply quantization-based transformation
    transformer = QuantileTransformer(n_quantiles=100, random_state=0)
    quantized_features = transformer.fit_transform(features)

    # Reconstruct the spectrogram from the quantized features
    reconstructed_spectrogram = autoencoder.predict(quantized_features)

    return reconstructed_spectrogram

@OrsonTyphanel93
Author

OrsonTyphanel93 commented Dec 18, 2023

Hi @beat-buesser, please, next time you test codecov, please try DynamicTrigger with this new anonymize_speaker function, I think it will make code optimization faster.

Thanks !

To make the anonymize_speaker method complex, I have incorporated several techniques and concepts such as:

**Differentially private feature extraction:** We can introduce differentially private feature extractors based on an autoencoder and an automatic speech recognizer, trained using noise layers. This approach was proposed in the paper (Differentially Private Speaker Anonymization, see arxiv link) and has been shown to obtain private utterances with a provable upper bound on the speaker information they contain.

**Quantization-based transformation:** We can promote anonymization algorithms based on quantization-based transformation as an alternative to the most widely used and well-known noise-based approach. This approach was proposed in the paper (Anonymizing Speech: Evaluating and Designing Speaker Anonymization Techniques, see arxiv link) and can reduce the speaker's PPI (privacy preserving information) while maintaining utility.
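As an added illustration of how a noise scale such as the `noise_std` parameter above relates to a differential-privacy guarantee, the sketch below uses the classic Gaussian mechanism. It is not code from this pull request or from the cited papers. The clipping norm, the "one feature frame replaced" neighbouring relation and all function names are assumptions made for the example.

```python
import math
import random

def clip_l2(vec, clip_norm):
    """Scale vec so its L2 norm is at most clip_norm; this bounds sensitivity."""
    norm = math.sqrt(sum(v * v for v in vec))
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [v * scale for v in vec]

def _gauss_factor(delta):
    # sqrt(2 ln(1.25/delta)) from the classic Gaussian-mechanism bound
    return math.sqrt(2.0 * math.log(1.25 / delta))

def gaussian_sigma(epsilon, delta, sensitivity):
    """Noise std giving (epsilon, delta)-DP; the bound holds for 0 < epsilon < 1."""
    if not 0 < epsilon < 1 or not 0 < delta < 1:
        raise ValueError("classic bound needs 0 < epsilon < 1 and 0 < delta < 1")
    return sensitivity * _gauss_factor(delta) / epsilon

def implied_epsilon(sigma, delta, sensitivity):
    """Epsilon a fixed sigma corresponds to, or None if outside the bound's range."""
    eps = sensitivity * _gauss_factor(delta) / sigma
    return eps if eps < 1 else None

def privatize_frame(frame, clip_norm, epsilon, delta, rng):
    """Clip one feature frame, then add calibrated Gaussian noise."""
    clipped = clip_l2(frame, clip_norm)
    # Assumption: neighbouring inputs differ in one frame, so two clipped
    # frames are at most 2 * clip_norm apart in L2 distance.
    sigma = gaussian_sigma(epsilon, delta, 2.0 * clip_norm)
    return [v + rng.gauss(0.0, sigma) for v in clipped], sigma

if __name__ == "__main__":
    rng = random.Random(0)
    frame = [3.0, 4.0, 0.0, 12.0]  # constructed sample feature frame
    noisy, sigma = privatize_frame(frame, 1.0, 0.5, 1e-5, rng)
    print("sigma for eps=0.5:", round(sigma, 3))
    # A fixed std of 0.1 with the same clipping falls outside the bound:
    print("eps implied by sigma=0.1:", implied_epsilon(0.1, 1e-5, 2.0))
```

Without the clipping step the sensitivity is unbounded, so no finite noise scale yields a guarantee under this mechanism.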

Author

@OrsonTyphanel93 OrsonTyphanel93 left a comment

Update DynamicTrigger

@OrsonTyphanel93
Author

I recently generalized the DynamicTrigger attack to very complex databases and it succeeded in corrupting all of them without exception. See an example with TIMIT Darpa Dataset speech for speaker verification.

[Figure: (TIMIT-backdoor) fig_plot_audio_comparison]

@beat-buesser
Collaborator

I'll change the target branch to dev_1.18.0 which might induce merge conflicts.

@beat-buesser beat-buesser changed the base branch from main to dev_1.18.0 January 9, 2024 12:29
@OrsonTyphanel93
Author

Hi guys, I'm doing it, but I don't have access to the 1.18 target! Do you have the possibility to change it directly by yourself?
