{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,24]],"date-time":"2025-08-24T00:02:29Z","timestamp":1755993749781,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,26]],"date-time":"2024-11-26T00:00:00Z","timestamp":1732579200000},"content-version":"vor","delay-in-days":366,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2145642,2024878"],"award-info":[{"award-number":["2145642,2024878"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605764.3623911","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:12:17Z","timestamp":1700568737000},"page":"161-171","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Measuring Equality in Machine Learning Security Defenses: A Case Study in Speech Recognition"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5744-8736","authenticated-orcid":false,"given":"Luke E.","family":"Richards","sequence":"first","affiliation":[{"name":"University of Maryland, Baltimore County &amp; Pacific Northwest National, Baltimore, MD, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9900-1972","authenticated-orcid":false,"given":"Edward","family":"Raff","sequence":"additional","affiliation":[{"name":"University of Maryland, Baltimore County, Baltimore, MD, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1383-8120","authenticated-orcid":false,"given":"Cynthia","family":"Matuszek","sequence":"additional","affiliation":[{"name":"University of Maryland, Baltimore County, Baltimore, MD, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Common voice: A massively-multilingual speech corpus. arXiv preprint arXiv:1912.06670","author":"Ardila Rosana","year":"2019","unstructured":"Rosana Ardila, Megan Branson, Kelly Davis, Michael Henretty, Michael Kohler, Josh Meyer, Reuben Morais, Lindsay Saunders, Francis M Tyers, and Gregor Weber. 2019. Common voice: A massively-multilingual speech corpus. arXiv preprint arXiv:1912.06670 (2019)."},{"key":"e_1_3_2_1_2_1","volume-title":"Interpreting and Explaining Deep Neural Networks for Classification of Audio Signals. CoRR","author":"Becker S\u00f6ren","year":"2018","unstructured":"S\u00f6ren Becker, Marcel Ackermann, Sebastian Lapuschkin, Klaus-Robert M\u00fcller, and Wojciech Samek. 2018. Interpreting and Explaining Deep Neural Networks for Classification of Audio Signals. CoRR , Vol. abs\/1807.03418 (2018). arxiv: 1807.03418"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_2_1_4_1","volume-title":"Conference on fairness, accountability and transparency. PMLR, 77--91","author":"Buolamwini Joy","year":"2018","unstructured":"Joy Buolamwini and Timnit Gebru. 2018. Gender shades: Intersectional accuracy disparities in commercial gender classification. In Conference on fairness, accountability and transparency. PMLR, 77--91."},{"key":"e_1_3_2_1_5_1","volume-title":"On Evaluating Adversarial Robustness. arXiv preprint arXiv:1902.06705","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini, Anish Athalye, Nicolas Papernot, Wieland Brendel, Jonas Rauber, Dimitris Tsipras, Ian Goodfellow, Aleksander Madry, and Alexey Kurakin. 2019. On Evaluating Adversarial Robustness. arXiv preprint arXiv:1902.06705 (2019)."},{"volume-title":"Audio adversarial examples: Targeted attacks on speech-to-text. In 2018 IEEE security and privacy workshops (SPW)","author":"Carlini Nicholas","key":"e_1_3_2_1_6_1","unstructured":"Nicholas Carlini and David Wagner. 2018. Audio adversarial examples: Targeted attacks on speech-to-text. In 2018 IEEE security and privacy workshops (SPW). IEEE, 1--7."},{"key":"e_1_3_2_1_7_1","first-page":"8158","article-title":"Fair classification with adversarial perturbations","volume":"34","author":"Celis L Elisa","year":"2021","unstructured":"L Elisa Celis, Anay Mehrotra, and Nisheeth Vishnoi. 2021. Fair classification with adversarial perturbations. Advances in Neural Information Processing Systems , Vol. 34 (2021), 8158--8171.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_8_1","volume-title":"Sasi Kumar Murakonda, Ehsan Kazemi, and Reza Shokri.","author":"Chang Hongyan","year":"2020","unstructured":"Hongyan Chang, Ta Duy Nguyen, Sasi Kumar Murakonda, Ehsan Kazemi, and Reza Shokri. 2020. On adversarial bias and the robustness of fair machine learning. arXiv preprint arXiv:2006.08669 (2020)."},{"key":"e_1_3_2_1_9_1","volume-title":"Fairness Degrading Adversarial Attacks Against Clustering Algorithms. arXiv preprint arXiv:2110.12020","author":"Chhabra Anshuman","year":"2021","unstructured":"Anshuman Chhabra, Adish Singla, and Prasant Mohapatra. 2021. Fairness Degrading Adversarial Attacks Against Clustering Algorithms. arXiv preprint arXiv:2110.12020 (2021)."},{"key":"e_1_3_2_1_10_1","volume-title":"International Conference on Machine Learning. PMLR, 1310--1320","author":"Cohen Jeremy","year":"2019","unstructured":"Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. 2019. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning. PMLR, 1310--1320."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.10.082"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2017.7952190"},{"key":"e_1_3_2_1_13_1","volume-title":"Discovering adversarial examples with momentum. arXiv preprint arXiv:1710.06081","author":"Dong Yinpeng","year":"2017","unstructured":"Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Xiaolin Hu, and Jun Zhu. 2017. Discovering adversarial examples with momentum. arXiv preprint arXiv:1710.06081 (2017)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2090236.2090255"},{"key":"e_1_3_2_1_15_1","volume-title":"Data Determines Distributional Robustness in Contrastive Language Image Pre-training (CLIP). arXiv preprint arXiv:2205.01397","author":"Fang Alex","year":"2022","unstructured":"Alex Fang, Gabriel Ilharco, Mitchell Wortsman, Yuhao Wan, Vaishaal Shankar, Achal Dave, and Ludwig Schmidt. 2022. Data Determines Distributional Robustness in Contrastive Language Image Pre-training (CLIP). arXiv preprint arXiv:2205.01397 (2022)."},{"key":"e_1_3_2_1_16_1","volume-title":"On the Limitations of Stochastic Pre-processing Defenses. arXiv preprint arXiv:2206.09491","author":"Gao Yue","year":"2022","unstructured":"Yue Gao, Ilia Shumailov, Kassem Fawaz, and Nicolas Papernot. 2022. On the Limitations of Stochastic Pre-processing Defenses. arXiv preprint arXiv:2206.09491 (2022)."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3531146.3533128"},{"key":"e_1_3_2_1_18_1","volume-title":"Crafting adversarial examples for speech paralinguistics applications. arXiv preprint arXiv:1711.03280","author":"Gong Yuan","year":"2017","unstructured":"Yuan Gong and Christian Poellabauer. 2017. Crafting adversarial examples for speech paralinguistics applications. arXiv preprint arXiv:1711.03280 (2017)."},{"key":"e_1_3_2_1_19_1","volume-title":"Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1412","author":"Goodfellow Ian","year":"2015","unstructured":"Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1412.6572"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3251842"},{"volume-title":"International Conference on Learning Representations.","author":"Guo Chuan","key":"e_1_3_2_1_21_1","unstructured":"Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens van der Maaten. 2018. Countering Adversarial Images using Input Transformations. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3173582"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW53098.2021.00258"},{"key":"e_1_3_2_1_24_1","volume-title":"Gaussian error linear units (gelus). arXiv preprint arXiv:1606.08415","author":"Hendrycks Dan","year":"2016","unstructured":"Dan Hendrycks and Kevin Gimpel. 2016. Gaussian error linear units (gelus). arXiv preprint arXiv:1606.08415 (2016)."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485368"},{"key":"e_1_3_2_1_26_1","volume-title":"Breaking Fair Binary Classification with Optimal Flipping Attacks. arXiv preprint arXiv:2204.05472","author":"Jo Changhun","year":"2022","unstructured":"Changhun Jo, Jy-yong Sohn, and Kangwook Lee. 2022. Breaking Fair Binary Classification with Optimal Flipping Attacks. arXiv preprint arXiv:2204.05472 (2022)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.5555\/3586589.3586749"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/LRA.2023.3240930"},{"key":"e_1_3_2_1_29_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW.2017.94"},{"key":"e_1_3_2_1_31_1","first-page":"38761","article-title":"Explicit tradeoffs between adversarial and natural distributional robustness","volume":"35","author":"Moayeri Mazda","year":"2022","unstructured":"Mazda Moayeri, Kiarash Banihashem, and Soheil Feizi. 2022. Explicit tradeoffs between adversarial and natural distributional robustness. Advances in Neural Information Processing Systems , Vol. 35 (2022), 38761--38774.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442188.3445910"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW56347.2022.00479"},{"key":"e_1_3_2_1_34_1","volume-title":"Algorithmic fairness. arXiv preprint arXiv:2001.09784","author":"Pessach Dana","year":"2020","unstructured":"Dana Pessach and Erez Shmueli. 2020. Algorithmic fairness. arXiv preprint arXiv:2001.09784 (2020)."},{"key":"e_1_3_2_1_35_1","first-page":"20052","article-title":"Fast minimum-norm adversarial attacks through adaptive norm constraints","volume":"34","author":"Pintor Maura","year":"2021","unstructured":"Maura Pintor, Fabio Roli, Wieland Brendel, and Battista Biggio. 2021. Fast minimum-norm adversarial attacks through adaptive norm constraints. Advances in Neural Information Processing Systems , Vol. 34 (2021), 20052--20062.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_36_1","volume-title":"Does robustness improve fairness? approaching fairness with word substitution robustness methods for text classification. arXiv preprint arXiv:2106.10826","author":"Pruksachatkun Yada","year":"2021","unstructured":"Yada Pruksachatkun, Satyapriya Krishna, Jwala Dhamala, Rahul Gupta, and Kai-Wei Chang. 2021. Does robustness improve fairness? approaching fairness with word substitution robustness methods for text classification. arXiv preprint arXiv:2106.10826 (2021)."},{"key":"e_1_3_2_1_37_1","first-page":"29935","article-title":"Data augmentation can improve robustness","volume":"34","author":"Rebuffi Sylvestre-Alvise","year":"2021","unstructured":"Sylvestre-Alvise Rebuffi, Sven Gowal, Dan Andrei Calian, Florian Stimberg, Olivia Wiles, and Timothy A Mann. 2021. Data augmentation can improve robustness. Advances in Neural Information Processing Systems , Vol. 34 (2021), 29935--29948.","journal-title":"Advances in Neural Information Processing Systems"},{"volume-title":"Human-Robot Interaction (HRI) Workshop on Inclusive HRI II: Equity and Diversity in Design, Application, Methods, and Community (DEI HRI).","author":"Luke","key":"e_1_3_2_1_38_1","unstructured":"Luke E. Richards and Cynthia Matuszek. 2023. Machine Learning Security as a Source of Unfairness in Human-Robot Interaction. In Human-Robot Interaction (HRI) Workshop on Inclusive HRI II: Equity and Diversity in Design, Application, Methods, and Community (DEI HRI)."},{"key":"e_1_3_2_1_39_1","first-page":"815","article-title":"Sample selection for fair and robust training","volume":"34","author":"Roh Yuji","year":"2021","unstructured":"Yuji Roh, Kangwook Lee, Steven Whang, and Changho Suh. 2021. Sample selection for fair and robust training. Advances in Neural Information Processing Systems , Vol. 34 (2021), 815--827.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_40_1","volume-title":"Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 162--177","author":"Solans David","year":"2020","unstructured":"David Solans, Battista Biggio, and Carlos Castillo. 2020. Poisoning attacks on algorithmic fairness. In Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 162--177."},{"key":"e_1_3_2_1_41_1","volume-title":"Perceptual-based deep-learning denoiser as a defense against adversarial attacks on ASR systems. arXiv preprint arXiv:2107.05222","author":"Sreeram Anirudh","year":"2021","unstructured":"Anirudh Sreeram, Nicholas Mehlman, Raghuveer Peri, Dillon Knox, and Shrikanth Narayanan. 2021. Perceptual-based deep-learning denoiser as a defense against adversarial attacks on ASR systems. arXiv preprint arXiv:2107.05222 (2021)."},{"key":"e_1_3_2_1_42_1","volume-title":"Towards Fair and Robust Classification. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). IEEE, 356--376","author":"Sun Haipei","year":"2022","unstructured":"Haipei Sun, Kun Wu, Ting Wang, and Wendy Hui Wang. 2022. Towards Fair and Robust Classification. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). IEEE, 356--376."},{"key":"e_1_3_2_1_43_1","volume-title":"Removing Batch Normalization Boosts Adversarial Training. In International Conference on Machine Learning. PMLR, 23433--23445","author":"Wang Haotao","year":"2022","unstructured":"Haotao Wang, Aston Zhang, Shuai Zheng, Xingjian Shi, Mu Li, and Zhangyang Wang. 2022b. Removing Batch Normalization Boosts Adversarial Training. In International Conference on Machine Learning. PMLR, 23433--23445."},{"key":"e_1_3_2_1_44_1","volume-title":"Imbalanced adversarial training with reweighting. arXiv preprint arXiv:2107.13639","author":"Wang Wentao","year":"2021","unstructured":"Wentao Wang, Han Xu, Xiaorui Liu, Yaxin Li, Bhavani Thuraisingham, and Jiliang Tang. 2021. Imbalanced adversarial training with reweighting. arXiv preprint arXiv:2107.13639 (2021)."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01013"},{"key":"e_1_3_2_1_46_1","volume-title":"International Conference on Machine Learning. PMLR, 11492--11501","author":"Xu Han","year":"2021","unstructured":"Han Xu, Xiaorui Liu, Yaxin Li, Anil Jain, and Jiliang Tang. 2021. To be robust or to be fair: Towards fairness in adversarial training. In International Conference on Machine Learning. PMLR, 11492--11501."},{"key":"e_1_3_2_1_47_1","volume-title":"AAAI Conference on Artificial Intelligence.","author":"Yurochkin Mikhail","year":"2023","unstructured":"Mikhail Yurochkin, Yuekai Sun, and Pin-Yu Chen. 2023. AI Fairness through Robustness. In AAAI Conference on Artificial Intelligence."},{"key":"e_1_3_2_1_48_1","volume-title":"Adversarial attacks and defenses for speech recognition systems. arXiv preprint arXiv:2103.17122","author":"Joshi Sonal","year":"2021","unstructured":"Piotr. Zelasko, Sonal Joshi, Yiwen Shao, Jesus Villalba, Jan Trmal, Najim Dehak, and Sanjeev Khudanpur. 2021. Adversarial attacks and defenses for speech recognition systems. arXiv preprint arXiv:2103.17122 (2021)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278721.3278779"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"crossref","unstructured":"Yuekai Zhang Ziyan Jiang Jes\u00fas Villalba and Najim Dehak. 2020. Black-Box Attacks on Spoofing Countermeasures Using Transferability of Adversarial Examples.io","DOI":"10.21437\/Interspeech.2020-2834"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Copenhagen Denmark","acronym":"CCS '23"},"container-title":["Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623911","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605764.3623911","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605764.3623911","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:37:31Z","timestamp":1755913051000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623911"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":50,"alternative-id":["10.1145\/3605764.3623911","10.1145\/3605764"],"URL":"https:\/\/doi.org\/10.1145\/3605764.3623911","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}