Degree Name

Doctor of Philosophy


School of Computing and Information Technology


Despite the fact that deep learning techniques have achieved tremendous success, their underlying models are vulnerable to Adversarial Examples (AEs) and Trojan attacks. AEs are generated by applying small or imperceptible perturbations to input. The goal is to force a target model to output incorrect results, which may be predefined by adversaries. On the other hand, Trojan attacks stealthily inject triggers into a target model. The effect on the performance of a Trojaned model should be negligibly for normal input but it will produce malicious output whenever a trigger is present in the input. Although most research efforts on these attacks to date are in the domain of image recognition, these attacks can also be applied to Automatic Speech Recognition (ASR) systems. This is a serious threat that undermines the security of such systems in practice. As such, it is important to understand these attacks and to find defenses against them.

This thesis focuses on studying novel audio AEs and Trojan attacks and defenses in ASR systems. The thesis first presents a comprehensive literature review of audio AEs and Trojan attacks. This is followed by research on two novel methods of generating audio AEs under a white-box threat model. These proposed methods make significant contributions to the literature on white-box audio AEs. Besides white-box audio AEs, black-box audio AEs impose a more practical threat to the public because no access to the internal workings of a target model is required. Hence, the next part of this thesis studies a novel black-box audio AE based on variational autoencoder, which contributes to the limited research on black-box audio AEs in the research community. Since audio AEs against ASR systems can cause severe harm, it is necessary for high-stakes applications to deploy appropriate defenses. This thesis then studies the intrinsic properties of audio that can be used to distinguish and detect audio AEs from benign audio in ASR systems. To allow audio AEs to remain effective when played by speakers and received by microphones, an adversary has to apply large and noticeable perturbations to clean audio. This will arouse a victim’s suspicion as the resulting audio contains audible noise. To study the possibility of conducting unsuspicious attacks, this thesis proposes an over-the-air Trojan attack against ASR systems using unsuspicious audio triggers. This innovative method is the first in the literature because there were no existing unsuspicious Trojan attacks against ASR systems.

FoR codes (2020)

461101 Adversarial machine learning, 461103 Deep learning, 461104 Neural networks



Unless otherwise indicated, the views expressed in this thesis are those of the author and do not necessarily represent the views of the University of Wollongong.