{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,15]],"date-time":"2025-12-15T19:45:11Z","timestamp":1765827911775,"version":"3.41.0"},"reference-count":75,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2020,6,15]],"date-time":"2020-06-15T00:00:00Z","timestamp":1592179200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Interact. Mob. Wearable Ubiquitous Technol."],"published-print":{"date-parts":[[2020,6,15]]},"abstract":"<jats:p>Deep neural networks (DNNs) continue to demonstrate superior generalization performance in an increasing range of applications, including speech recognition and image understanding. Recent innovations in compression algorithms, design of efficient architectures and hardware accelerators have prompted a rapid growth in deploying DNNs on mobile and IoT devices to redefine user experiences. Relying on the superior inference quality of DNNs, various voice-enabled devices have started to pervade our everyday lives and are increasingly used for, e.g., opening and closing doors, starting or stopping washing machines, ordering products online, and authenticating monetary transactions. As the popularity of these voice-enabled services increases, so does their risk of being attacked. Recently, DNNs have been shown to be extremely brittle under adversarial attacks and people with malicious intentions can potentially exploit this vulnerability to compromise DNN-based voice-enabled systems. Although some existing work already highlights the vulnerability of audio models, very little is known of the behaviour of compressed on-device audio models under adversarial attacks. This paper bridges this gap by investigating thoroughly the vulnerabilities of compressed audio DNNs and makes a stride towards making compressed models robust. In particular, we propose a stochastic compression technique that generates compressed models with greater robustness to adversarial attacks. We present an extensive set of evaluations on adversarial vulnerability and robustness of DNNs in two diverse audio recognition tasks, while considering two popular attack algorithms: FGSM and PGD. We found that error rates of conventionally trained audio DNNs under attack can be as high as 100%. Under both white- and black-box attacks, our proposed approach is found to decrease the error rate of DNNs under attack by a large margin.<\/jats:p>","DOI":"10.1145\/3397332","type":"journal-article","created":{"date-parts":[[2020,6,15]],"date-time":"2020-06-15T22:30:37Z","timestamp":1592260237000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["Countering Acoustic Adversarial Attacks in Microphone-equipped Smart Home Devices"],"prefix":"10.1145","volume":"4","author":[{"given":"Sourav","family":"Bhattacharya","sequence":"first","affiliation":[{"name":"Samsung AI Center, Cambridge"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dionysis","family":"Manousakas","sequence":"additional","affiliation":[{"name":"University of Cambridge"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alberto Gil C. P.","family":"Ramos","sequence":"additional","affiliation":[{"name":"Samsung AI Center, Cambridge"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stylianos I.","family":"Venieris","sequence":"additional","affiliation":[{"name":"Samsung AI Center, Cambridge"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nicholas D.","family":"Lane","sequence":"additional","affiliation":[{"name":"Samsung AI Center, Cambridge and University of Oxford"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Cecilia","family":"Mascolo","sequence":"additional","affiliation":[{"name":"University of Cambridge"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,6,15]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"e_1_2_1_2_1","volume-title":"Deep learning","author":"Goodfellow I.","year":"2016","unstructured":"I. Goodfellow , Y. Bengio , and A. Courville , Deep learning . MIT press Cambridge , 2016 , vol. 1 . I. Goodfellow, Y. Bengio, and A. Courville, Deep learning. MIT press Cambridge, 2016, vol. 1."},{"volume-title":"May 13","year":"2020","key":"e_1_2_1_3_1","unstructured":"https:\/\/developer.amazon.com\/en-US\/alexa\/alexa-skills-kit [Retrieved : May 13 , 2020 ]. https:\/\/developer.amazon.com\/en-US\/alexa\/alexa-skills-kit [Retrieved: May 13, 2020]."},{"volume-title":"May 13","year":"2020","key":"e_1_2_1_4_1","unstructured":"https:\/\/biztechmagazine.com\/article\/2018\/11\/voiceprint-security-game-changer-banks-and-credit-unions-all-sizes [Retrived : May 13 , 2020 ]. https:\/\/biztechmagazine.com\/article\/2018\/11\/voiceprint-security-game-changer-banks-and-credit-unions-all-sizes [Retrived: May 13, 2020]."},{"volume-title":"May 13","year":"2020","key":"e_1_2_1_5_1","unstructured":"https:\/\/www.apple.com\/uk\/ios\/siri\/ [Retrieved : May 13 , 2020 ]. https:\/\/www.apple.com\/uk\/ios\/siri\/ [Retrieved: May 13, 2020]."},{"volume-title":"May 13","year":"2020","key":"e_1_2_1_6_1","unstructured":"https:\/\/store.google.com\/gb\/product\/google_home_mini [Retrieved : May 13 , 2020 ]. https:\/\/store.google.com\/gb\/product\/google_home_mini [Retrieved: May 13, 2020]."},{"volume-title":"May 13","year":"2020","key":"e_1_2_1_7_1","unstructured":"https:\/\/developer.amazon.com\/alexa [Retrieved : May 13 , 2020 ]. https:\/\/developer.amazon.com\/alexa [Retrieved: May 13, 2020]."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2017.2761740"},{"key":"e_1_2_1_9_1","volume-title":"Incremental Network Quantization: Towards Lossless CNNs with Low-Precision Weights,\" in International Conference on Learning Representations (ICLR)","author":"A. Zhou","year":"2017","unstructured":"A. Zhou et al. , \" Incremental Network Quantization: Towards Lossless CNNs with Low-Precision Weights,\" in International Conference on Learning Representations (ICLR) , 2017 . A. Zhou et al., \"Incremental Network Quantization: Towards Lossless CNNs with Low-Precision Weights,\" in International Conference on Learning Representations (ICLR), 2017."},{"key":"e_1_2_1_10_1","first-page":"525","volume-title":"Cham","author":"Rastegari M.","year":"2016","unstructured":"M. Rastegari , V. Ordonez , J. Redmon , and A. Farhadi , \" XNOR-Net: ImageNet Classification Using Binary Convolutional Neural Networks,\" in European Conference on Computer Vision (ECCV) , Cham , 2016 , pp. 525 -- 542 . M. Rastegari, V. Ordonez, J. Redmon, and A. Farhadi, \"XNOR-Net: ImageNet Classification Using Binary Convolutional Neural Networks,\" in European Conference on Computer Vision (ECCV), Cham, 2016, pp. 525--542."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2017.2705069"},{"key":"e_1_2_1_12_1","volume-title":"Quantization and Training of Neural Networks for Efficient Integer-Arithmetic-Only Inference,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Jacob B.","year":"2018","unstructured":"B. Jacob , S. Kligys , B. Chen , M. Zhu , M. Tang , A. Howard , H. Adam , and D. Kalenichenko , \" Quantization and Training of Neural Networks for Efficient Integer-Arithmetic-Only Inference,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2018 . B. Jacob, S. Kligys, B. Chen, M. Zhu, M. Tang, A. Howard, H. Adam, and D. Kalenichenko, \"Quantization and Training of Neural Networks for Efficient Integer-Arithmetic-Only Inference,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2018."},{"key":"e_1_2_1_13_1","first-page":"7","article-title":"An Early Resource Characterization of Deep Learning on Wearables, Smartphones and Internet-of-Things Devices,\" in Proceedings of the 2015 International Workshop on Internet of Things towards Applications","author":"Lane N. D.","year":"2015","unstructured":"N. D. Lane , S. Bhattacharya , P. Georgiev , C. Forlivesi , and F. Kawsar , \" An Early Resource Characterization of Deep Learning on Wearables, Smartphones and Internet-of-Things Devices,\" in Proceedings of the 2015 International Workshop on Internet of Things towards Applications . ACM , 2015 , pp. 7 -- 12 . N. D. Lane, S. Bhattacharya, P. Georgiev, C. Forlivesi, and F. Kawsar, \"An Early Resource Characterization of Deep Learning on Wearables, Smartphones and Internet-of-Things Devices,\" in Proceedings of the 2015 International Workshop on Internet of Things towards Applications. ACM, 2015, pp. 7--12.","journal-title":"ACM"},{"key":"e_1_2_1_14_1","volume-title":"Sparsification and separation of deep learning layers for constrained resource inference on wearables,\" in ACM Conference on Embedded Networked Sensor Systems (SenSys)","author":"Bhattacharya S.","year":"2016","unstructured":"S. Bhattacharya and N. D. Lane , \" Sparsification and separation of deep learning layers for constrained resource inference on wearables,\" in ACM Conference on Embedded Networked Sensor Systems (SenSys) , 2016 . S. Bhattacharya and N. D. Lane, \"Sparsification and separation of deep learning layers for constrained resource inference on wearables,\" in ACM Conference on Embedded Networked Sensor Systems (SenSys), 2016."},{"key":"e_1_2_1_15_1","volume-title":"Explaining and harnessing adversarial examples,\" arXiv preprint arXiv:1412.6572","author":"Goodfellow I. J.","year":"2014","unstructured":"I. J. Goodfellow , J. Shlens , and C. Szegedy , \" Explaining and harnessing adversarial examples,\" arXiv preprint arXiv:1412.6572 , 2014 . I. J. Goodfellow, J. Shlens, and C. Szegedy, \"Explaining and harnessing adversarial examples,\" arXiv preprint arXiv:1412.6572, 2014."},{"key":"e_1_2_1_16_1","volume-title":"Robust Physical-World Attacks on Deep Learning Visual Classification,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Eykholt K.","year":"2018","unstructured":"K. Eykholt , I. Evtimov , E. Fernandes , B. Li , A. Rahmati , C. Xiao , A. Prakash , T. Kohno , and D. Song , \" Robust Physical-World Attacks on Deep Learning Visual Classification,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2018 . K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song, \"Robust Physical-World Attacks on Deep Learning Visual Classification,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2018."},{"key":"e_1_2_1_17_1","first-page":"513","article-title":"Hidden Voice Commands,\" in USENIX Security Symposium","volume":"16","author":"Carlini N.","year":"2016","unstructured":"N. Carlini , P. Mishra , T. Vaidya , Y. Zhang , M. Sherr , C. Shields , D. A. Wagner , and W. Zhou , \" Hidden Voice Commands,\" in USENIX Security Symposium , USENIX Security 16 , 2016 , pp. 513 -- 530 . N. Carlini, P. Mishra, T. Vaidya, Y. Zhang, M. Sherr, C. Shields, D. A. Wagner, and W. Zhou, \"Hidden Voice Commands,\" in USENIX Security Symposium, USENIX Security 16, 2016, pp. 513--530.","journal-title":"USENIX Security"},{"key":"e_1_2_1_18_1","first-page":"1","volume-title":"Audio Adversarial Examples: Targeted Attacks on Speech-to-Text,\" in 2018 IEEE Security and Privacy Workshops (SPW)","author":"Carlini N.","year":"2018","unstructured":"N. Carlini and D. Wagner , \" Audio Adversarial Examples: Targeted Attacks on Speech-to-Text,\" in 2018 IEEE Security and Privacy Workshops (SPW) , 2018 , pp. 1 -- 7 . N. Carlini and D. Wagner, \"Audio Adversarial Examples: Targeted Attacks on Speech-to-Text,\" in 2018 IEEE Security and Privacy Workshops (SPW), 2018, pp. 1--7."},{"key":"e_1_2_1_19_1","first-page":"39","volume-title":"Towards evaluating the robustness of neural networks,\" in IEEE Symposium on Security and Privacy (SP)","author":"Carlini N.","year":"2017","unstructured":"N. Carlini and D. Wagner , \" Towards evaluating the robustness of neural networks,\" in IEEE Symposium on Security and Privacy (SP) , 2017 , pp. 39 -- 57 . N. Carlini and D. Wagner, \"Towards evaluating the robustness of neural networks,\" in IEEE Symposium on Security and Privacy (SP), 2017, pp. 39--57."},{"key":"e_1_2_1_20_1","volume-title":"Intriguing properties of neural networks,\" in International Conference on Learning Representations (ICLR)","author":"Szegedy C.","year":"2014","unstructured":"C. Szegedy , W. Zaremba , I. Sutskever , J. Bruna , D. Erhan , I. Goodfellow , and R. Fergus , \" Intriguing properties of neural networks,\" in International Conference on Learning Representations (ICLR) , 2014 . C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, \"Intriguing properties of neural networks,\" in International Conference on Learning Representations (ICLR), 2014."},{"key":"e_1_2_1_21_1","volume-title":"Enhancing robustness of machine learning systems via data transformations, arxiv preprint,\" in 52nd Annual Conference on Information Sciences and Systems (CISS)","author":"Bhagoji A. N.","year":"2018","unstructured":"A. N. Bhagoji , D. Cullina , C. Sitawarin , and P. Mittal , \" Enhancing robustness of machine learning systems via data transformations, arxiv preprint,\" in 52nd Annual Conference on Information Sciences and Systems (CISS) , 2018 . A. N. Bhagoji, D. Cullina, C. Sitawarin, and P. Mittal, \"Enhancing robustness of machine learning systems via data transformations, arxiv preprint,\" in 52nd Annual Conference on Information Sciences and Systems (CISS), 2018."},{"key":"e_1_2_1_22_1","first-page":"841","article-title":"Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR","volume":"31","author":"Wachter S.","year":"2017","unstructured":"S. Wachter , B. D. Mittelstadt , and C. Russell , \" Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR ,\" Harv. JL & Tech. , vol. 31 , p. 841 , 2017 . S. Wachter, B. D. Mittelstadt, and C. Russell, \"Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR,\" Harv. JL & Tech., vol. 31, p. 841, 2017.","journal-title":"Harv. JL & Tech."},{"key":"e_1_2_1_23_1","volume-title":"Towards deep learning models resistant to adversarial attacks,\" in International Conference on Learning Representations (ICLR)","author":"Madry A.","year":"2018","unstructured":"A. Madry , A. Makelov , L. Schmidt , D. Tsipras , and A. Vladu , \" Towards deep learning models resistant to adversarial attacks,\" in International Conference on Learning Representations (ICLR) , 2018 . A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, \"Towards deep learning models resistant to adversarial attacks,\" in International Conference on Learning Representations (ICLR), 2018."},{"key":"e_1_2_1_24_1","unstructured":"C. Tai T. Xiao Y. Zhang X. Wang and W. E \"Convolutional neural networks with low-rank regularization \" in International Conference on Learning Representations (ICLR) 2016.  C. Tai T. Xiao Y. Zhang X. Wang and W. E \"Convolutional neural networks with low-rank regularization \" in International Conference on Learning Representations (ICLR) 2016."},{"key":"e_1_2_1_25_1","volume-title":"Deep Learning With Depthwise Separable Convolutions,\" in The IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Chollet F.","year":"2017","unstructured":"F. Chollet , \"Xception : Deep Learning With Depthwise Separable Convolutions,\" in The IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2017 . F. Chollet, \"Xception: Deep Learning With Depthwise Separable Convolutions,\" in The IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2017."},{"key":"e_1_2_1_26_1","volume-title":"Distilling the Knowledge in a Neural Network,\" in NIPS Deep Learning Workshop","author":"Hinton G.","year":"2015","unstructured":"G. Hinton , O. Vinyals , and J. Dean , \" Distilling the Knowledge in a Neural Network,\" in NIPS Deep Learning Workshop , 2015 . G. Hinton, O. Vinyals, and J. Dean, \"Distilling the Knowledge in a Neural Network,\" in NIPS Deep Learning Workshop, 2015."},{"key":"e_1_2_1_27_1","volume-title":"Deep Compression: Compressing Deep Neural Networks with Pruning, Trained Quantization and Huffman Coding,\" in International Conference on Learning Representations (ICLR)","author":"Han S.","year":"2016","unstructured":"S. Han , H. Mao , and W. J. Dally , \" Deep Compression: Compressing Deep Neural Networks with Pruning, Trained Quantization and Huffman Coding,\" in International Conference on Learning Representations (ICLR) , 2016 . S. Han, H. Mao, and W. J. Dally, \"Deep Compression: Compressing Deep Neural Networks with Pruning, Trained Quantization and Huffman Coding,\" in International Conference on Learning Representations (ICLR), 2016."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/MPRV.2017.2940968"},{"key":"e_1_2_1_29_1","unstructured":"S. I. Venieris A. Kouris and C.-S. Bouganis \"Deploying Deep Neural Networks in the Embedded Space \" in 2nd International Workshop on Embedded and Mobile Deep Learning (EMDL) 2018.  S. I. Venieris A. Kouris and C.-S. Bouganis \"Deploying Deep Neural Networks in the Embedded Space \" in 2nd International Workshop on Embedded and Mobile Deep Learning (EMDL) 2018."},{"key":"e_1_2_1_30_1","volume-title":"DeepX: A Software Accelerator for Low-Power Deep Learning Inference on Mobile Devices,\" in International Conference on Information Processing in Sensor Networks (IPSN)","author":"Lane N. D.","year":"2016","unstructured":"N. D. Lane , S. Bhattacharya , P. Georgiev , C. Forlivesi , L. Jiao , L. Qendro , and F. Kawsar , \" DeepX: A Software Accelerator for Low-Power Deep Learning Inference on Mobile Devices,\" in International Conference on Information Processing in Sensor Networks (IPSN) , 2016 . N. D. Lane, S. Bhattacharya, P. Georgiev, C. Forlivesi, L. Jiao, L. Qendro, and F. Kawsar, \"DeepX: A Software Accelerator for Low-Power Deep Learning Inference on Mobile Devices,\" in International Conference on Information Processing in Sensor Networks (IPSN), 2016."},{"key":"e_1_2_1_31_1","first-page":"3","volume-title":"14th International Symposium on Applied Reconfigurable Computing (ARC). Springer","author":"Rizakis M.","year":"2018","unstructured":"M. Rizakis , S. I. Venieris , A. Kouris , and C.-S. Bouganis , \" Approximate FPGA-based LST Ms under Computation Time Constraints ,\" in 14th International Symposium on Applied Reconfigurable Computing (ARC). Springer , 2018 , pp. 3 -- 15 . M. Rizakis, S. I. Venieris, A. Kouris, and C.-S. Bouganis, \"Approximate FPGA-based LSTMs under Computation Time Constraints,\" in 14th International Symposium on Applied Reconfigurable Computing (ARC). Springer, 2018, pp. 3--15."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.21437\/Interspeech.2019-2811"},{"key":"e_1_2_1_33_1","volume-title":"International Conference on Learning Representations (ICLR)","author":"Tai C.","year":"2016","unstructured":"C. Tai , T. Xiao , Y. Zhang , X. Wang , and W. E , \" Convolutional Neural Networks with Low-Rank Regularization ,\" in International Conference on Learning Representations (ICLR) , 2016 . C. Tai, T. Xiao, Y. Zhang, X. Wang, and W. E, \"Convolutional Neural Networks with Low-Rank Regularization,\" in International Conference on Learning Representations (ICLR), 2016."},{"key":"e_1_2_1_34_1","first-page":"155","volume-title":"CascadeCNN: Pushing the Performance Limits of Quantisation in Convolutional Neural Networks,\" in 28th International Conference on Field Programmable Logic and Applications (FPL)","author":"Kouris A.","year":"2018","unstructured":"A. Kouris , S. I. Venieris , and C. Bouganis , \" CascadeCNN: Pushing the Performance Limits of Quantisation in Convolutional Neural Networks,\" in 28th International Conference on Field Programmable Logic and Applications (FPL) , 2018 , pp. 155 -- 1557 . A. Kouris, S. I. Venieris, and C. Bouganis, \"CascadeCNN: Pushing the Performance Limits of Quantisation in Convolutional Neural Networks,\" in 28th International Conference on Field Programmable Logic and Applications (FPL), 2018, pp. 155--1557."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2018.2808319"},{"key":"e_1_2_1_36_1","volume-title":"WRPN: Wide Reduced-Precision Networks,\" in International Conference on Learning Representations (ICLR)","author":"Mishra A.","year":"2018","unstructured":"A. Mishra , E. Nurvitadhi , J. J. Cook , and D. Marr , \" WRPN: Wide Reduced-Precision Networks,\" in International Conference on Learning Representations (ICLR) , 2018 . A. Mishra, E. Nurvitadhi, J. J. Cook, and D. Marr, \"WRPN: Wide Reduced-Precision Networks,\" in International Conference on Learning Representations (ICLR), 2018."},{"key":"e_1_2_1_37_1","first-page":"5019","volume-title":"Adversarially robust generalization requires more data,\" in Advances in Neural Information Processing Systems (NeurIPS)","author":"Schmidt L.","year":"2018","unstructured":"L. Schmidt , S. Santurkar , D. Tsipras , K. Talwar , and A. Madry , \" Adversarially robust generalization requires more data,\" in Advances in Neural Information Processing Systems (NeurIPS) , 2018 , pp. 5019 -- 5031 . L. Schmidt, S. Santurkar, D. Tsipras, K. Talwar, and A. Madry, \"Adversarially robust generalization requires more data,\" in Advances in Neural Information Processing Systems (NeurIPS), 2018, pp. 5019--5031."},{"key":"e_1_2_1_38_1","volume-title":"Adversarial logit pairing,\" arXiv preprint arXiv:1803.06373","author":"Kannan H.","year":"2018","unstructured":"H. Kannan , A. Kurakin , and I. Goodfellow , \" Adversarial logit pairing,\" arXiv preprint arXiv:1803.06373 , 2018 . H. Kannan, A. Kurakin, and I. Goodfellow, \"Adversarial logit pairing,\" arXiv preprint arXiv:1803.06373, 2018."},{"key":"e_1_2_1_39_1","volume-title":"Unsupervised data augmentation for consistency training","author":"Xie Q.","year":"2019","unstructured":"Q. Xie , Z. Dai , E. Hovy , M.-T. Luong , and Q. V. Le , \" Unsupervised data augmentation for consistency training ,\" 2019 . Q. Xie, Z. Dai, E. Hovy, M.-T. Luong, and Q. V. Le, \"Unsupervised data augmentation for consistency training,\" 2019."},{"key":"e_1_2_1_40_1","volume-title":"European Conference on Computer Vision (ECCV)","author":"Liu X.","year":"2018","unstructured":"X. Liu , M. Cheng , H. Zhang , and C.-J. Hsieh , \" Towards Robust Neural Networks via Random Self-ensemble,\" in European Conference on Computer Vision (ECCV) , 2018 . X. Liu, M. Cheng, H. Zhang, and C.-J. Hsieh, \"Towards Robust Neural Networks via Random Self-ensemble,\" in European Conference on Computer Vision (ECCV), 2018."},{"key":"e_1_2_1_41_1","volume-title":"Explaining and Harnessing Adversarial Examples,\" in International Conference on Learning Representations (ICLR)","author":"Goodfellow I. J.","year":"2015","unstructured":"I. J. Goodfellow , J. Shlens , and C. Szegedy , \" Explaining and Harnessing Adversarial Examples,\" in International Conference on Learning Representations (ICLR) , 2015 . I. J. Goodfellow, J. Shlens, and C. Szegedy, \"Explaining and Harnessing Adversarial Examples,\" in International Conference on Learning Representations (ICLR), 2015."},{"key":"e_1_2_1_42_1","first-page":"020026","volume-title":"AIP Conference Proceedings","volume":"2070","author":"Al-Dujaili A.","year":"2019","unstructured":"A. Al-Dujaili , S. Srikant , E. Hemberg , and U.-M. O'Reilly , \" On the Application of Danskin's Theorem to Derivative-Free Minimax Optimization,\" in AIP Conference Proceedings , vol. 2070 , no. 1, 2019 , p. 020026 . A. Al-Dujaili, S. Srikant, E. Hemberg, and U.-M. O'Reilly, \"On the Application of Danskin's Theorem to Derivative-Free Minimax Optimization,\" in AIP Conference Proceedings, vol. 2070, no. 1, 2019, p. 020026."},{"key":"e_1_2_1_43_1","volume-title":"Comparing time-frequency representations for directional derivative features,\" in INTERSPEECH","author":"Gibson J.","year":"2014","unstructured":"J. Gibson , M. V. Segbroeck , and S. S. Narayanan , \" Comparing time-frequency representations for directional derivative features,\" in INTERSPEECH , 2014 . J. Gibson, M. V. Segbroeck, and S. S. Narayanan, \"Comparing time-frequency representations for directional derivative features,\" in INTERSPEECH, 2014."},{"key":"e_1_2_1_44_1","volume-title":"A Dataset for Limited-Vocabulary Speech Recognition,\" arXiv e-prints","author":"Warden P.","year":"1804","unstructured":"P. Warden , \" Speech Commands : A Dataset for Limited-Vocabulary Speech Recognition,\" arXiv e-prints , p. arXiv: 1804 .03209, Apr 2018. P. Warden, \"Speech Commands: A Dataset for Limited-Vocabulary Speech Recognition,\" arXiv e-prints, p. arXiv:1804.03209, Apr 2018."},{"key":"e_1_2_1_45_1","volume-title":"HAL, https:\/\/sites.google.com\/site\/alainrakotomamonjy\/home\/audio-scene","author":"Rakotomamonjy A.","year":"2014","unstructured":"A. Rakotomamonjy and G. Gasso , \" Histogram of gradients of time-frequency representations for audio scene detection,\" Technical report , HAL, https:\/\/sites.google.com\/site\/alainrakotomamonjy\/home\/audio-scene , 2014 . A. Rakotomamonjy and G. Gasso, \"Histogram of gradients of time-frequency representations for audio scene detection,\" Technical report, HAL, https:\/\/sites.google.com\/site\/alainrakotomamonjy\/home\/audio-scene, 2014."},{"key":"e_1_2_1_46_1","volume-title":"SoundNet: Learning Sound Representations from Unlabeled Video,\" in Advances in Neural Information Processing Systems (NeurIPS)","author":"Aytar Y.","year":"2016","unstructured":"Y. Aytar , C. Vondrick , and A. Torralba , \" SoundNet: Learning Sound Representations from Unlabeled Video,\" in Advances in Neural Information Processing Systems (NeurIPS) , 2016 . Y. Aytar, C. Vondrick, and A. Torralba, \"SoundNet: Learning Sound Representations from Unlabeled Video,\" in Advances in Neural Information Processing Systems (NeurIPS), 2016."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2638566"},{"key":"e_1_2_1_48_1","first-page":"2142","volume-title":"Black-box Adversarial Attacks with Limited Queries and Information,\" in Proceedings of the 35th International Conference on Machine Learning, (ICML)","author":"Ilyas A.","year":"2018","unstructured":"A. Ilyas , L. Engstrom , A. Athalye , and J. Lin , \" Black-box Adversarial Attacks with Limited Queries and Information,\" in Proceedings of the 35th International Conference on Machine Learning, (ICML) , 2018 , pp. 2142 -- 2151 . A. Ilyas, L. Engstrom, A. Athalye, and J. Lin, \"Black-box Adversarial Attacks with Limited Queries and Information,\" in Proceedings of the 35th International Conference on Machine Learning, (ICML), 2018, pp. 2142--2151."},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/MM.2014.12"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/MM.2018.022071134"},{"key":"e_1_2_1_51_1","volume-title":"May 13","author":"Learning Nvidia Deep","year":"2020","unstructured":"Nvidia, \" Nvidia Deep Learning Accelerator (NVDLA),\" http:\/\/nvdla.org\/, [Retrieved : May 13 , 2020 ]. Nvidia, \"Nvidia Deep Learning Accelerator (NVDLA),\" http:\/\/nvdla.org\/, [Retrieved: May 13, 2020]."},{"key":"e_1_2_1_52_1","volume-title":"May 13","author":"Learning Processor Arm Machine","year":"2020","unstructured":"Arm, \" Arm Machine Learning Processor ,\" https:\/\/developer.arm.com\/ip-products\/processors\/machine-learning\/arm-ml-processor, [Retrieved : May 13 , 2020 ]. Arm, \"Arm Machine Learning Processor,\" https:\/\/developer.arm.com\/ip-products\/processors\/machine-learning\/arm-ml-processor, [Retrieved: May 13, 2020]."},{"key":"e_1_2_1_53_1","first-page":"130","volume-title":"7.1 An 11.5TOPS\/W 1024-MAC Butterfly Structure Dual-Core Sparsity-Aware Neural Processing Unit in 8nm Flagship Mobile SoC,\" in International Solid-State Circuits Conference (ISSCC)","author":"Song J.","year":"2019","unstructured":"J. Song , Y. Cho , J. Park , J. Jang , S. Lee , J. Song , J. Lee , and I. Kang , \" 7.1 An 11.5TOPS\/W 1024-MAC Butterfly Structure Dual-Core Sparsity-Aware Neural Processing Unit in 8nm Flagship Mobile SoC,\" in International Solid-State Circuits Conference (ISSCC) , 2019 , pp. 130 -- 132 . J. Song, Y. Cho, J. Park, J. Jang, S. Lee, J. Song, J. Lee, and I. Kang, \"7.1 An 11.5TOPS\/W 1024-MAC Butterfly Structure Dual-Core Sparsity-Aware Neural Processing Unit in 8nm Flagship Mobile SoC,\" in International Solid-State Circuits Conference (ISSCC), 2019, pp. 130--132."},{"key":"e_1_2_1_54_1","first-page":"1","volume-title":"2019 IEEE Hot Chips 31 Symposium (HCS)","author":"Burgess J.","year":"2019","unstructured":"J. Burgess , \" RTX ON - The NVIDIA TURING GPU,\" in 2019 IEEE Hot Chips 31 Symposium (HCS) , 2019 , pp. 1 -- 27 . J. Burgess, \"RTX ON - The NVIDIA TURING GPU,\" in 2019 IEEE Hot Chips 31 Symposium (HCS), 2019, pp. 1--27."},{"key":"e_1_2_1_55_1","first-page":"1","volume-title":"EmBench: Quantifying Performance Variations of Deep Neural Networks Across Modern Commodity Devices,\" in The 3rd International Workshop on Deep Learning for Mobile Systems and Applications (EMDL)","author":"Almeida M.","year":"2019","unstructured":"M. Almeida , S. Laskaridis , I. Leontiadis , S. I. Venieris , and N. D. Lane , \" EmBench: Quantifying Performance Variations of Deep Neural Networks Across Modern Commodity Devices,\" in The 3rd International Workshop on Deep Learning for Mobile Systems and Applications (EMDL) , 2019 , pp. 1 -- 6 . M. Almeida, S. Laskaridis, I. Leontiadis, S. I. Venieris, and N. D. Lane, \"EmBench: Quantifying Performance Variations of Deep Neural Networks Across Modern Commodity Devices,\" in The 3rd International Workshop on Deep Learning for Mobile Systems and Applications (EMDL), 2019, pp. 1--6."},{"key":"e_1_2_1_56_1","volume-title":"Adversarial examples in the physical world,\" arXiv preprint arXiv:1607.02533","author":"Kurakin A.","year":"2016","unstructured":"A. Kurakin , I. J. Goodfellow , and S. Bengio , \" Adversarial examples in the physical world,\" arXiv preprint arXiv:1607.02533 , 2016 . A. Kurakin, I. J. Goodfellow, and S. Bengio, \"Adversarial examples in the physical world,\" arXiv preprint arXiv:1607.02533, 2016."},{"key":"e_1_2_1_57_1","volume-title":"NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles,\" arXiv preprint arXiv:1707.03501","author":"Lu J.","year":"2017","unstructured":"J. Lu , H. Sibai , E. Fabry , and D. A. Forsyth , \" NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles,\" arXiv preprint arXiv:1707.03501 , 2017 . J. Lu, H. Sibai, E. Fabry, and D. A. Forsyth, \"NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles,\" arXiv preprint arXiv:1707.03501, 2017."},{"key":"e_1_2_1_58_1","first-page":"284","volume-title":"Synthesizing Robust Adversarial Examples,\" in Proceedings of the 35th International Conference on Machine Learning (ICML)","author":"Athalye A.","year":"2018","unstructured":"A. Athalye , L. Engstrom , A. Ilyas , and K. Kwok , \" Synthesizing Robust Adversarial Examples,\" in Proceedings of the 35th International Conference on Machine Learning (ICML) , 2018 , pp. 284 -- 293 . A. Athalye, L. Engstrom, A. Ilyas, and K. Kwok, \"Synthesizing Robust Adversarial Examples,\" in Proceedings of the 35th International Conference on Machine Learning (ICML), 2018, pp. 284--293."},{"key":"e_1_2_1_59_1","first-page":"5334","volume-title":"Robust Audio Adversarial Example for a Physical Attack,\" in Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence (IJCAI)","author":"Yakura H.","year":"2019","unstructured":"H. Yakura and J. Sakuma , \" Robust Audio Adversarial Example for a Physical Attack,\" in Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence (IJCAI) , 2019 , pp. 5334 -- 5341 . H. Yakura and J. Sakuma, \"Robust Audio Adversarial Example for a Physical Attack,\" in Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence (IJCAI), 2019, pp. 5334--5341."},{"key":"e_1_2_1_60_1","unstructured":"A. Y. Hannun C. Case J. Casper B. Catanzaro G. Diamos E. Elsen R. Prenger S. Satheesh S. Sengupta A. Coates and A. Y. Ng \"Deep Speech: Scaling up end-to-end speech recognition \" CoRR.  A. Y. Hannun C. Case J. Casper B. Catanzaro G. Diamos E. Elsen R. Prenger S. Satheesh S. Sengupta A. Coates and A. Y. Ng \"Deep Speech: Scaling up end-to-end speech recognition \" CoRR."},{"key":"e_1_2_1_61_1","volume-title":"Cocaine Noodles: Exploiting the Gap between Human and Machine Speech Recognition,\" in 9th USENIX Workshop on Offensive Technologies (WOOT)","author":"Vaidya T.","year":"2015","unstructured":"T. Vaidya , Y. Zhang , M. Sherr , and C. Shields , \" Cocaine Noodles: Exploiting the Gap between Human and Machine Speech Recognition,\" in 9th USENIX Workshop on Offensive Technologies (WOOT) , 2015 . T. Vaidya, Y. Zhang, M. Sherr, and C. Shields, \"Cocaine Noodles: Exploiting the Gap between Human and Machine Speech Recognition,\" in 9th USENIX Workshop on Offensive Technologies (WOOT), 2015."},{"key":"e_1_2_1_62_1","first-page":"103","volume-title":"DolphinAttack: Inaudible Voice Commands,\" in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Zhang G.","year":"2017","unstructured":"G. Zhang , C. Yan , X. Ji , T. Zhang , T. Zhang , and W. Xu , \" DolphinAttack: Inaudible Voice Commands,\" in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS) , 2017 , pp. 103 -- 117 . G. Zhang, C. Yan, X. Ji, T. Zhang, T. Zhang, and W. Xu, \"DolphinAttack: Inaudible Voice Commands,\" in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017, pp. 103--117."},{"key":"e_1_2_1_63_1","unstructured":"L. Sch\u00f6nherr K. Kohls S. Zeiler T. Holz and D. Kolossa \"Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding \" in Network and Distributed Systems Security (NDSS) Symposium.  L. Sch\u00f6nherr K. Kohls S. Zeiler T. Holz and D. Kolossa \"Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding \" in Network and Distributed Systems Security (NDSS) Symposium."},{"key":"e_1_2_1_64_1","volume-title":"Did you hear that? Adversarial Examples Against Automatic Speech Recognition,\" in NIPS 2017 Machine Deception Workshop","author":"Alzantot M.","year":"2017","unstructured":"M. Alzantot , B. Balaji , and M. B. Srivastava , \" Did you hear that? Adversarial Examples Against Automatic Speech Recognition,\" in NIPS 2017 Machine Deception Workshop , 2017 . M. Alzantot, B. Balaji, and M. B. Srivastava, \"Did you hear that? Adversarial Examples Against Automatic Speech Recognition,\" in NIPS 2017 Machine Deception Workshop, 2017."},{"key":"e_1_2_1_65_1","first-page":"15","volume-title":"ACM","author":"Chen P.-Y.","year":"2017","unstructured":"P.-Y. Chen , H. Zhang , Y. Sharma , J. Yi , and C.-J. Hsieh , \"ZOO : Zeroth Order Optimization Based Black-Box Attacks to Deep Neural Networks without Training Substitute Models,\" in Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec) . ACM , 2017 , pp. 15 -- 26 . P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi, and C.-J. Hsieh, \"ZOO: Zeroth Order Optimization Based Black-Box Attacks to Deep Neural Networks without Training Substitute Models,\" in Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec). ACM, 2017, pp. 15--26."},{"key":"e_1_2_1_66_1","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1109\/SPW.2019.00016","volume-title":"Targeted Adversarial Examples for Black Box Audio Systems,\" in 2019 IEEE Security and Privacy Workshops (SPW)","author":"Taori R.","year":"2019","unstructured":"R. Taori , A. Kamsetty , B. Chu , and N. Vemuri , \" Targeted Adversarial Examples for Black Box Audio Systems,\" in 2019 IEEE Security and Privacy Workshops (SPW) , 2019 , pp. 15 -- 20 . R. Taori, A. Kamsetty, B. Chu, and N. Vemuri, \"Targeted Adversarial Examples for Black Box Audio Systems,\" in 2019 IEEE Security and Privacy Workshops (SPW), 2019, pp. 15--20."},{"key":"e_1_2_1_67_1","volume-title":"Prior Convictions: Black-box Adversarial Attacks with Bandits and Priors,\" in International Conference on Learning Representations (ICLR)","author":"Ilyas A.","year":"2019","unstructured":"A. Ilyas , L. Engstrom , and A. Madry , \" Prior Convictions: Black-box Adversarial Attacks with Bandits and Priors,\" in International Conference on Learning Representations (ICLR) , 2019 . A. Ilyas, L. Engstrom, and A. Madry, \"Prior Convictions: Black-box Adversarial Attacks with Bandits and Priors,\" in International Conference on Learning Representations (ICLR), 2019."},{"key":"e_1_2_1_68_1","volume-title":"Security Analysis and Enhancement of Model Compressed Deep Learning Systems under Adversarial Attacks,\" in Proceedings of the 23rd Asia and South Pacific Design Automation Conference (ASPDAC)","author":"Liu Q.","year":"2018","unstructured":"Q. Liu , T. Liu , Z. Liu , Y. Wang , Y. Jin , and W. Wen , \" Security Analysis and Enhancement of Model Compressed Deep Learning Systems under Adversarial Attacks,\" in Proceedings of the 23rd Asia and South Pacific Design Automation Conference (ASPDAC) , 2018 , p. 721--726. Q. Liu, T. Liu, Z. Liu, Y. Wang, Y. Jin, and W. Wen, \"Security Analysis and Enhancement of Model Compressed Deep Learning Systems under Adversarial Attacks,\" in Proceedings of the 23rd Asia and South Pacific Design Automation Conference (ASPDAC), 2018, p. 721--726."},{"key":"e_1_2_1_69_1","volume-title":"To compress or not to compress: Understanding the Interactions between Adversarial Attacks and Neural Network Compression,\" in MLSys","author":"Zhao Y.","year":"2018","unstructured":"Y. Zhao , I. Shumailov , R. Mullins , and R. Anderson , \" To compress or not to compress: Understanding the Interactions between Adversarial Attacks and Neural Network Compression,\" in MLSys , 2018 . Y. Zhao, I. Shumailov, R. Mullins, and R. Anderson, \"To compress or not to compress: Understanding the Interactions between Adversarial Attacks and Neural Network Compression,\" in MLSys, 2018."},{"key":"e_1_2_1_70_1","volume-title":"Combating Adversarial Attacks Using Sparse Representations,\" in ICLR Workshop","author":"Gopalakrishnan S.","year":"2018","unstructured":"S. Gopalakrishnan , Z. Marzi , U. Madhow , and R. Pedarsani , \" Combating Adversarial Attacks Using Sparse Representations,\" in ICLR Workshop , 2018 . S. Gopalakrishnan, Z. Marzi, U. Madhow, and R. Pedarsani, \"Combating Adversarial Attacks Using Sparse Representations,\" in ICLR Workshop, 2018."},{"key":"e_1_2_1_71_1","volume-title":"Sparsity-based Defense against Adversarial Attacks on Linear Classifiers,\" in IEEE International Symposium on Information Theory (ISIT)","author":"Marzi Z.","year":"2018","unstructured":"Z. Marzi , S. Gopalakrishnan , U. Madhow , and R. Pedarsani , \" Sparsity-based Defense against Adversarial Attacks on Linear Classifiers,\" in IEEE International Symposium on Information Theory (ISIT) , 2018 . Z. Marzi, S. Gopalakrishnan, U. Madhow, and R. Pedarsani, \"Sparsity-based Defense against Adversarial Attacks on Linear Classifiers,\" in IEEE International Symposium on Information Theory (ISIT), 2018."},{"key":"e_1_2_1_72_1","volume-title":"On Detecting Adversarial Perturbations,\" in International Conference on Learning Representations (ICLR)","author":"Metzen J. Hendrik","year":"2017","unstructured":"J. Hendrik Metzen , T. Genewein , V. Fischer , and B. Bischoff , \" On Detecting Adversarial Perturbations,\" in International Conference on Learning Representations (ICLR) , 2017 . J. Hendrik Metzen, T. Genewein, V. Fischer, and B. Bischoff, \"On Detecting Adversarial Perturbations,\" in International Conference on Learning Representations (ICLR), 2017."},{"key":"e_1_2_1_73_1","volume-title":"Universal Adversarial Perturbations,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Moosavi-Dezfooli S.-M.","year":"2017","unstructured":"S.-M. Moosavi-Dezfooli , A. Fawzi , O. Fawzi , and P. Frossard , \" Universal Adversarial Perturbations,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2017 . S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, \"Universal Adversarial Perturbations,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2017."},{"key":"e_1_2_1_74_1","volume-title":"Defense Against Universal Adversarial Perturbations,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Akhtar N.","year":"2018","unstructured":"N. Akhtar , J. Liu , and A. Mian , \" Defense Against Universal Adversarial Perturbations,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2018 . N. Akhtar, J. Liu, and A. Mian, \"Defense Against Universal Adversarial Perturbations,\" in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2018."},{"key":"e_1_2_1_75_1","first-page":"513","article-title":"Hidden Voice Commands,\" in 25th USENIX Security Symposium (USENIX Security 16), Austin","author":"Carlini N.","year":"2016","unstructured":"N. Carlini , P. Mishra , T. Vaidya , Y. Zhang , M. Sherr , C. Shields , D. Wagner , and W. Zhou , \" Hidden Voice Commands,\" in 25th USENIX Security Symposium (USENIX Security 16), Austin , TX , 2016 , pp. 513 -- 530 . N. Carlini, P. Mishra, T. Vaidya, Y. Zhang, M. Sherr, C. Shields, D. Wagner, and W. Zhou, \"Hidden Voice Commands,\" in 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, 2016, pp. 513--530.","journal-title":"TX"}],"container-title":["Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3397332","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3397332","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:12:47Z","timestamp":1750201967000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3397332"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,15]]},"references-count":75,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,6,15]]}},"alternative-id":["10.1145\/3397332"],"URL":"https:\/\/doi.org\/10.1145\/3397332","relation":{},"ISSN":["2474-9567"],"issn-type":[{"type":"electronic","value":"2474-9567"}],"subject":[],"published":{"date-parts":[[2020,6,15]]},"assertion":[{"value":"2020-06-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}