Abstract
We demonstrate the existence of universal adversarial perturbations, whichcan fool a family of audio processing architectures, for both targeted anduntargeted attacks. To the best of our knowledge, this is the first study ongenerating universal adversarial perturbations for audio processing systems. Wepropose two methods for finding such perturbations. The first method is basedon an iterative, greedy approach that is well-known in computer vision: itaggregates small perturbations to the input so as to push it to the decisionboundary. The second method, which is the main technical contribution of thiswork, is a novel penalty formulation, which finds targeted and untargeteduniversal adversarial perturbations. Differently from the greedy approach, thepenalty method minimizes an appropriate objective function on a batch ofsamples. Therefore, it produces more successful attacks when the number oftraining samples is limited. Moreover, we provide a proof that the proposedpenalty method theoretically converges to a solution that corresponds touniversal adversarial perturbations. We report comprehensive experiments,showing attack success rates higher than 91.1% and 74.7% for targeted anduntargeted attacks, respectively.