Model Access Control Based on Hidden Adversarial Examples for Automatic Speech Recognition

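Keywords: Adversarial system, Computer science, Speech recognition, Control (management), Access control, Artificial intelligence, Natural language processing, Computer network
Authors
H.F. Chen, Jie Zhang, Kejiang Chen, Weiming Zhang, Nenghai Yu
Source
Journal: IEEE Transactions on Artificial Intelligence [Institute of Electrical and Electronics Engineers]
Volume (issue): 5 (3): 1302-1315
Identifier
DOI: 10.1109/tai.2023.3285858
Abstract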

Deep neural networks (DNNs) have achieved remarkable success across various domains, and their commercial value has led to their classification as intellectual property (IP) for their creators. While model watermarking is commonly employed for DNN IP protection, it is limited to post hoc forensics. In contrast, model access control offers a more effective proactive approach to prevent IP infringement through authentication. However, existing model access control methods primarily focus on image classification models and are not suitable for automatic speech recognition (ASR) models, which are also widely used in commercial applications. To address the above limitation, inspired by audio adversarial examples, we propose the first model access control scheme for the IP protection of ASR models, which utilizes audio adversarial examples with target labels as user identity information, serving as identity-proof samples. However, a unique challenge arises in the form of interception attacks, in which an attacker detects and hijacks an authorized sample to bypass the authentication process. To remedy it, we introduce the hidden adversarial examples (HAEs) for authentication, which embed the authorized information by slightly modifying the logits and behaving like clean audios, thereby making them difficult to be detected by analyzing the predicted results. To further evade detection by steganalysis, which can be employed for adversarial example detection, we design a distortion cost function inspired by adaptive steganography to guide the generation of HAEs. We conduct extensive experiments on the open-source ASR system DeepSpeech, demonstrating that our proposed scheme effectively protects ASR models proactively and is resistant to unique interception attacks.